Jul 15, 2021
Arizona State Senate Hearing on the 2020 Election Audit in Maricopa County July 15
The Arizona State Senate held a hearing on July 15, 2021 on the results of the audit by Cyber Ninjas and other contractors of the 2020 election ballots in Maricopa County. Read the transcript of the hearing here.
Ken Bennett: (00:00)
A county, as large as Maricopa, where you have multiple, thousands of boxes, they have to make sure that those boxes are filled to the brim, so that if that box ends up on the bottom row of a pallet and there’s four stacked on top of each other, that they can hold the weight. So they kind of build bricks as one of my assistants, kind of calls it, where you make sure that the boxes are full.
Ken Bennett: (00:23)
And in a couple of the boxes, we found a variety of counter slips, I think, was the first box that we ran into, and the auditors took great care in making sure that no personally identifiable information is compromised. So we took the personally identifiable information out of two boxes and segregated those in their own two boxes. We found personally identifiable information in the spoiled ballot boxes, and that ended up creating 16 new boxes of PII, as we called it.
Ken Bennett: (01:05)
In two of the braille ballot boxes, we found UOCAVA ballots, and even some other ballots. I think Doug might talk to that in a little more detail as to the number of those. So we separated those and that created two more boxes, and then eventually, Cypher after going through the equipment, returned the two data boxes that they had.
Ken Bennett: (01:28)
So we went from 1,691 boxes at the beginning to now we have 1,711 boxes on 47 pallets. As far as the equipment, we received the nine high-volume scanner machines, four called Hi Pros and five Canons, 20 adjudication stations, four EMS workstations, and the EMS server, along with some other miscellaneous equipment. That was on 16 pallets. Again, we received that on April 21st.
Ken Bennett: (02:04)
Every pallet and every box on the pallet was co-signed by Mr. Jared and myself, as were the 1,691 boxes that I mentioned earlier. We also received 385 precinct tabulators. Those were on 24 pallets. Well, not pallets. I guess you would call them racks, four rolling carts. And so, we identified each and every one of those by serial number. The nine high-volume machines, the 20 adjudication stations, the four EMS workstations, and the EMS server, Mr. Cotton’s company collected the forensic data off those, and he’ll speak to how they did that to make sure that none of-
Warren Petersen: (02:51)
Mr. [crosstalk 00:02:51], if I could just interject. Could you tell everybody what EMS-
Ken Bennett: (02:54)
Warren Petersen: (02:54)
… stands for?
Ken Bennett: (02:55)
EMS is the election management system.
Warren Petersen: (02:58)
Ken Bennett: (03:02)
Ben will speak to how they collected that data using equipment that could read only and do no damage to the original evidence that the copies were made from. But the high-volume machines, the adjudication stations, the election management system, workstations, and servers were returned to the county on April 30th. So we had the equipment about nine days, or at least those pieces of equipment. We would have returned the other 385 precinct tabulators, but I think Ben will speak to that as well, we still do have the precinct tabulators. Both the equipment and the ballots were in locked cages during the entire time that we have possessed the ballots and equipment, with limited access. I think most of the time there were probably maybe two people that had keys to the ballot corrals, we call them.
Speaker 1: (04:00)
Armed security outside.
Ken Bennett: (04:03)
We also had 24-hour, guarded, armed security, both inside and outside of the building. We had 24/7 livestream on the ballots and the equipment during the entire time that they’ve been in our possession. Doug spoke earlier that that’s a very significant part of the two petabytes, or whatever he said was, of data that we have collected.
Ken Bennett: (04:27)
While we have had the machines and the ballots in our custody, we have continuous and complete chain of custody on every box and every machine, even and especially during the time when we had to move over to the Wesley Bolin building and store the ballots and machines while the Coliseum was used for the high school graduations, the return back to the Coliseum, and now we’re back at the Wesley Bolin.
Ken Bennett: (04:56)
But during all that process, we have had continuous and complete chain of custody while everything has been in our possession. It was shown on the video that every time a box moved somewhere on the floor, it was signed out by somebody in the corral to somebody who took it to a table. It was received at that table by signature. So every time a box moved, two people signed for it, and then the reverse when it was returned.
Ken Bennett: (05:28)
Just for your information, when we returned these boxes, most of what we received were boxes sealed with regular packing tape. I think there were 52 boxes that were used in the hand count audit by Maricopa County that were sealed with tamper-evident tape, but the other 1,600 and some odd boxes were just sealed with regular packing tape.
Ken Bennett: (05:51)
It’s our intent and commitment that when we return everything to Maricopa County, that we will reseal the boxes, and as the video stated, we’ve gone to great lengths to make sure that the same ballots that were in the boxes when we received them are in the same boxes when we return them, and I think in the same order that we found them. When we close these boxes in the next few weeks and return them to Maricopa County, we will do so with tamper-evident tape to seal the boxes, and then a numbered seal across the top opening that will be recorded with each box, so that there’s a tamper-evident tape and a numbered seal that will be on every box that we return.
Ken Bennett: (06:40)
And I think that speaks primarily to the chain of custody. At some point, when we talk about things that maybe we ought to be considering as far as statutory changes or improvements, I can talk about some of the things that the election procedures manual of the state of Arizona and our state statutes require as far as the storage and security of ballots.
Karen Fann: (07:08)
Can we go ahead and do that now, since we’re on-
Ken Bennett: (07:11)
Want to do some of that? Okay.
Karen Fann: (07:12)
… the subject of chain of custody and storage?
Ken Bennett: (07:14)
Well, one of the things that we subpoenaed that has not been provided is the chain of custody that should have been created when ballots were received by Maricopa County, and while they were going through the process of the election. If you go to chapter eight, I think it’s five, Roman numeral five, subsection E, storage and security of ballots. It reads that official ballots must be inventoried upon receipt and prior to distribution to voting locations.
Ken Bennett: (07:51)
Item two is they must be accessed by election staff only to the extent necessary to perform their authorized task. A key one though, is third. They must be stored in a locked, secured location that prevents unauthorized access, as we have done. And in that number three, it says it must be documented with a written log or with electronic keypad access that indicates the date, time, and identity of the person accessing the ballots.
Ken Bennett: (08:17)
Fourth, must be witnessed by two or more election staff members of different political parties, if possible, when being moved or transferred, which includes an inventory of the ballots before and after the move or transfer. And then, the last item is very important as well, since we use ballot-on-demand printers in many of the counties around Arizona, that the officer in charge of elections shall also implement reasonable security procedures for auditing and accountability of blank ballot stock for use with on-demand printers.
Ken Bennett: (08:48)
So part of what we have been trying to get in addition to the ballots themselves is a chain of custody from the very beginning of the process when the county took ballot stock and/or pre-printed ballots from their vendors, and a chain of custody ever since then, which is still forthcoming.
Karen Fann: (09:10)
That was on the original subpoena, and we have not received it.
Warren Petersen: (09:14)
Madam President, just if I may, Mr. Bennett, what’s been the response when you’ve asked for that? What did the county tell you?
Ken Bennett: (09:24)
They’ve provided us what they’re going to provide us with.
Karen Fann: (09:29)
Are you saying they’re refusing to give us that information at this point?
Ken Bennett: (09:36)
Every time I’ve tried to interact with the folks at the Elections Department, I’ve been told that I need to deal with the county attorney’s office, and most of that time I’ve received kind of the answer that, “We gave you everything we’re going to give you.” I’m trying not to be flippant.
Karen Fann: (09:57)
We appreciate that. As secretary of state, I know you’re familiar with the handling of ballots. I know that a couple months ago, Senator Petersen and I had our first update briefing, and there were some things mentioned about bags that are sealed at some point, and apparently unsealed at some point. There were boxes that you opened and there were broken seals at the bottom. Could you explain, to the best of your ability, how are ballots supposed to be handled and treated from when they’re at the voting centers or at the polling stations? And when you receive those ballots and you open those boxes, what did you find? Could you walk us through what we should be looking for?
Ken Bennett: (10:43)
Well, in many of the boxes, we found pretty much very little existence of any ballot batch sheets that would describe how many ballots should be found in their batches. Maricopa County processed the election in 10,341 batches. Most of their batches were right around 200, but they had 20-some batches that were one ballot per batch, and they had other batches of ballots, mostly from the voting centers, that were around a thousand in a batch.
Ken Bennett: (11:27)
Some of the boxes, you would see a batch number on the outside of the box, identifying it as election day. So it came from a polling location. And if there was just one number, then you would infer from that, that there’s only one batch in there and it was a large batch from a voting location. As ballots are processed at the voting locations, I think Maricopa had 171, I believe, voting centers, when those are processed they’re bagged and locked in sealed bags and sent down to the central counting location.
Ken Bennett: (12:05)
They are opened again there, and when they are put in the boxes, we found some of the cut seals and things like that. So the fact that we found some cut seals was probably, it was easier to throw them in the bottom of the box, than throw them in the trash can somewhere. And it doesn’t speak to anything violative of state law or election procedures manual, but that apparently is the way that some of the people disposed of the seals that came from the bags at the voting centers.
Ken Bennett: (12:34)
The ballots that are handled at the central count, which is the vast majority of the ballots in Maricopa County’s situation, of the 2.1 million, or actually 2,089,563 ballots that were processed, approximately 1.9 million were processed through the mail, and therefore at central count locations, and about 168,000 ballots were processed at the 171 polling locations. When those ballots are put in those boxes, in some cases we found pink sheets, we, and they, Maricopa County, called them, that would say below this pink sheet, there should be 200 ballots, but two were taken to duplication and so there should be 198.
Ken Bennett: (13:29)
As it was reported earlier, and I think Doug may speak to it again, there were quite a few discrepancies found, but it was later discovered that the county has blue sheets that are used at a different point in the process to identify a time in their process where ballots are again sent to duplication, and so the blue sheets explain that the pink sheets would go from 200 to minus two to 198. A blue sheet might get you from 198 to, we sent in another six or seven to duplication, so the number would change again.
Warren Petersen: (14:07)
Madam President, interrupt. Mr. Bennett, to that point, were you given the blue sheets? Have we been given the blue sheets?
Ken Bennett: (14:14)
We were not given the blue sheets by Maricopa County, but we were able to get the blue sheets through one of the assistant liaison’s organizations, Audit USA out of Tucson, who requested by public records request the blue sheets, and then provided those to the audit, and I think they’ve been helpful. Doug may speak to that a little further as to explaining some of the discrepancies that are not entirely explained by the pink sheets that we sometimes found in the box.
Ken Bennett: (14:46)
Sometimes we would open a box and all the pink sheets would be stuffed down the side vertically, and you really, at that point, had no idea of where you would insert those pink sheets in between batches of ballots to account for the sum of the ballots in the box. I think a lot of this may stem from standard procedure where we’ve not done many audits and most counties have put things in boxes, knowing that they’re going to be sealed up, put on pallets, shrink wrapped, and put in a warehouse for 22 months, and then destroyed. And usually nothing or nobody’s ever being looked at or looking at them.
Ken Bennett: (15:29)
In this case, I think we have discovered that we could probably use a little beefing up in our election procedures manual and/or state statutes as to how things are documented and stored in an organized, consistent fashion in boxes in case other audits are done in the future. I can find no election procedures manual directives or state law that says you have to put them in the boxes in this specific way, but that may be something that we need to look at.
Karen Fann: (16:10)
Anything else that you want to add at this point? We’ll have a chance to come back with you if you do have.
Ken Bennett: (16:21)
The only other thing, I guess, that I was personally involved in, not the only other thing, but another thing that I was called to, one of the counting tables, is when we started opening duplicate ballots. There was almost one whole pallet of ballots that were called original slash damaged ballots sent to duplication. And then there were quite a few boxes, mostly on one pallet, but scattered amongst three or four other pallets, where the duplicates were supposedly there for the duplicates that were sent to duplication.
Ken Bennett: (16:57)
So if a ballot gets damaged and has to be sent to duplication, there is a very specific process in the election procedures manual, chapter 10, Roman numeral two, section three, procedures for duplicating a ballot. This stems precisely from ARS 16, 621 A, which says that they are to record an identical serial number on both the original and duplicate ballot, including spoiled duplicates. This ties the ballots together and creates a paper trail as required by the statute ARS 16, 621 A.
Ken Bennett: (17:33)
We found, I would have to say, thousands of duplicate ballots where those serial numbers are not on them. And so, it has created great difficulty to try to match up a duplicated ballot to its duplicate. And on thousands of the ones that a serial number was put on, they were put on by a, I guess you would call it, a dot matrix printer, very, very light. And unfortunately, they ended up being printed on the ballot on the top, usually top right part of the ballot, where the black square alignment marks are on the ballot, and so if a very light gray number is printed on little black boxes that are a quarter of an inch apart, you see one number and you miss the next and you see the number and you miss two.
Ken Bennett: (18:36)
It made for some very difficult matching of duplicated ballots and their duplicates, which, as I just read to you, one of the most important things you need to do when you duplicate ballots is reflect a serial number on both the duplicate and the duplicated, so that you can do two main things. One, make sure you have one for every one of the other, and two, make sure that you can look at the votes reflected on the duplicated ballot, and make sure that they reflected those correctly from the ballot that was damaged and was duplicated. So without those serial numbers, it gets very difficult. We found some nice, bright red serial numbers on many, but some very difficult-to-deal-with light black numbers on many others and none whatsoever on many others.
Karen Fann: (19:29)
If the corresponding numbers aren’t on there, how would whether it was duplicated once or 10 times?
Ken Bennett: (19:34)
Karen Fann: (19:35)
Okay. Thank you.
Ken Bennett: (19:37)
Unless you meticulously kept track of the total number in each group, which I think Doug’s organization has done to see if the totals match, at least.
Karen Fann: (19:51)
You said that when we return these ballots, I am hoping that you guys, and we’ll help, make sure that they are given to the Arizona county treasurer. It’s my understanding that-
Ken Bennett: (20:03)
Maricopa County treasurer.
Karen Fann: (20:04)
Right, the Maricopa County treasurer. It’s my understanding that our statutes say that they’re supposed to be turned over to the treasurer at a certain point, and they were not. Are you aware of that as well?
Ken Bennett: (20:20)
Karen Fann: (20:20)
Yes. Okay. When we return those, you mentioned that you were going to put tamper-evident tape with a numbered seal on that. You also mentioned that everything you have done you have put back in order, and you mentioned everything has been filmed with all of these petabytes of stuff. So if anybody opens those boxes, we will know that somebody has opened those boxes and everything that you have just said, and if anybody needs to see that themselves, upon court order or whatever, we will be able to not only view that on film, video, but we could also go to the physical evidence and unbreak that seal, hopefully under court order, and go directly to exactly where you have said this has happened. Is that correct?
Ken Bennett: (21:13)
Karen Fann: (21:14)
Great. Thank you. Okay, Mr. Petersen, Senator Petersen, I’ll turn this over to you.
Warren Petersen: (21:19)
Thank you. Yeah, Madam President, I’d like to jump into the cybersecurity, the digital evidence, if I may, if that’s okay with you. Mr. Cotton, what, so far, has been completed for the digital forensics portion of the audit?
Mr. Cotton: (21:42)
So we have completed the forensics acquisition of all of the items that Mr. Bennett just mentioned, that were provided to us by the county. I’d like to take a moment to walk through that process a bit to help everyone understand the forensics fidelity and the standard of care that we took to ensure that there were zero, and I repeat, zero changes to any of the original media devices.
Warren Petersen: (22:09)
Okay. Go ahead.
Mr. Cotton: (22:12)
So as part of the imaging process, first of all, chain of custody is extremely important, as we previously discussed, with the ballots. That standard of care also was transferred into the digital imaging and preservation of that data. So upon receiving each of these digital devices, we filled out an evidence acquisition form that started the initial chain of custody for the acquisition within the digital forensics and analysis piece of this audit. On that form, we carefully recorded all of the serial numbers. We then leveraged what is known in the industry as a write block device. Now, a write block device is used and, as a matter of fact-
Warren Petersen: (23:05)
How is right spelled?
Mr. Cotton: (23:07)
So write, W-R-I-T-E.
Warren Petersen: (23:09)
Write, as in write. Okay.
Mr. Cotton: (23:10)
As in write.
Warren Petersen: (23:10)
Mr. Cotton: (23:11)
And the sole purpose of this device is to prevent any modification of the original evidence that is plugged into it. Okay? This is accepted within our judicial system as the methodology needed to be utilized for anything to be admitted into court and to maintain that standard of care for the digital forensics chain of custody.
Mr. Cotton: (23:38)
As part of that acquisition, we then took a bit-for-bit copy, forensics copy, of each of the digital devices. At the end of that copy, we applied what is known as an MD5, a machine digest five, a hash value, to that acquisition. Now, when you think about that, it is a digital fingerprint of that evidence that we just acquired. If anyone changes even one bit of data within that evidence file, it will totally invalidate the MD5 and create a totally new signature on that particular piece of evidence. Okay?
Mr. Cotton: (24:22)
So for every device that Mr. Bennett mentioned that we imaged, we performed that exact process. We know who imaged it. We know when they imaged it, we know where it was imaged to, and that is a controlled item within our evidence and chain of custody handling procedure. We then took those digital copies and we maintained one of those digital copies as primary evidence.
Mr. Cotton: (24:52)
And so we locked that away in a U.S. government GSA-approved safe to ensure that no one would access it and that it is there as the primary evidence for the basis of our analysis. We then created examination copies that we have used for the determination of the cybersecurity status and other aspects of those systems. Okay? So I must reiterate, not a single bit of data was ever changed on any device that came into our possession.
Warren Petersen: (25:32)
So, Madam President, Mr. Cotton, are you saying that the machines were not damaged or tampered with in any way where they couldn’t be used again? And if they were, people could check and see whether that was done?
Mr. Cotton: (25:58)
Senator, that is correct. So we have exactly a bit-for-bit image of these systems as we receive them. Okay? We did not modify, we did not change any chips, we did not access anything other than the hard drives for those systems. So if there were any changes to the original equipment, those had to have occurred within the custody of the Maricopa County board of supervisors, not with the custody of the auditors.
Warren Petersen: (26:37)
Karen Fann: (26:38)
Mr. Petersen, Senator Petersen, may I ask a question?
Warren Petersen: (26:40)
Yeah, of course.
Karen Fann: (26:42)
Well, we’re trying to keep this official. Mr. Cotton, recently in the news, I don’t know if you have heard or not, but our secretary of state, Katie Hobbs made a statement a few weeks ago that she would not allow these machines to be used again because she could not verify that we had not, you, not us, you had tampered …
Karen Fann: (27:03)
… with them. I don’t understand that statement because it is my understanding that when election machines, no matter whose machines they are, that election machines are supposed to be calibrated and certified before any election goes on, to make sure that those machines haven’t been tampered with, that they are calibrated correctly, and I believe they do that also after an election. So I have this question, I don’t understand how can the secretary of state say that she can’t certify the machines weren’t tampered with when supposedly we have people that, certified people, that come in to certify machines aren’t tampered with, it doesn’t make sense. Could you explain that to me please?
Mr. Cotton: (27:55)
Madam President, I certainly understand your confusion. And I share that with you. I’d like to also reiterate that as part of our evidence handling procedure, we had cameras watching over our evidence storage facilities and our acquisition and replication procedures 24/7. Okay. So any form of tampering certainly would have been caught on video. However, we did not do anything of the sort that would have interfered with any of the machine configurations or any of the allegated tampering that the secretary of state has alleged.
Warren Petersen: (28:45)
Well, Madam President, if I may just, this is more of just, I think, a comment or a statement along with your concern here. And I think this could be something we need to look at legislatively. If we have a process, and from what I’ve heard, it’s about $8,000. The county did an audit for 8,000 or $20,000, whatever it was, to certify and make sure that machines were not tampered with. And this is also part of a process before an election. If that process doesn’t work, then, and we’re saying that is not valid because somebody doing an audit ruins that, and you can’t recertify it. It sounds like that we need to have something else. There needs to be another process that works, that you truly, maybe it’s the truly certification and verification that machines have not been tampered with process. I don’t know what it’s called, but anyways, I share your concern. I think that’s a good bullet point for us to be looking at for future legislation.
Mr. Cotton: (29:55)
If I also might add, Madam President, that position that they must replace all of the voting equipment is at odds with the public statements that were made by the Maricopa County officials, following the two independent audits that they conducted early in this year.
Karen Fann: (30:23)
And those statements would be what?
Mr. Cotton: (30:26)
Those statements would be that they were able to go in and validate that no firmware had been changed, that there was no changes to those systems, and that the election was, in their phraseology, legitimate.
Warren Petersen: (30:41)
So Madam President, if I may, just continue on with some of the digital forensics questions here. Can you continue to just tell us with what you’ve received, what have you received and what has been done with what you’ve received so far?
Mr. Cotton: (30:59)
So Mr. Bennett went through the list of devices that we have received, I would add to that list that he-
Warren Petersen: (31:07)
Could you just repeat it real quick, just so we can kind of compartmentalize it with the digital forensics?
Mr. Cotton: (31:11)
We have received 385 tabulators. Those are the Dominion ICP2s. We have received the county EMS server, EMS, once again is the election management system. We received their server. We received physical devices correlating to the EMS workstation function, to the adjudication function. We have received 11 hard drives that contained cloned images of various other systems within the EMS ecosystem/network. Of interesting note, however, is on those 11 hard drives, which contain cloned data, they did not use a forensically secure process to image those original systems.
Mr. Cotton: (32:14)
So the dates and times on those cloned systems were altered by their cloning process. So just as an FYI. With all of the digital devices that we have received, whether in physical or digital form, we have created a forensic copy of each one of those devices, as prescribed in the procedures that I just outlined to you. We have taken those digital forensics copies and we have conducted keyword searching across them, looking for internet connections, looking for anomalous or unauthorized connections into the system. We have conducted searches looking for malware on those systems. We have also created virtual systems of those forensics images to conduct live memory analysis on those virtual systems. And that’s where we are today.
Warren Petersen: (33:20)
So what have we not received from the county that we were supposed to get to be able to do the forensic analysis of?
Mr. Cotton: (33:32)
I think, if I’m going to put these in order of criticality, we have not received the router configuration files. We have not received router data. And Mr. Bennett and myself were in multiple conversations with county officials, in which they had agreed to provide that information to us. We had actually entered into a compromise with the county, in which they would provide us with virtual access to that data, in addition to providing us with Splunk NetFlow data, with a time period of approximately 90 days prior to the election and 60 days after the election. And we had agreed to that. We have not received that due to a response from the county in May, stating that they would not provide that because the data would compromise law enforcement operations, and would also potentially compromise PII information of Maricopa County residents that had not already been turned over as part of the audit request.
Warren Petersen: (34:52)
Okay. Now, tell us the significance of us not, why do you need to look at the routers, and the router data and the Splunk logs that they originally told us they were going to give us, and now they’re not going to provide that, or they’re saying they won’t provide that. What’s the significance? Why do we need to look at that?
Mr. Cotton: (35:16)
Well, it’s critically important to substantiate some findings that we are seeing through the keyword searching and the processes I have already mentioned. There are a number of things that we know as a matter of fact have occurred, that we need to further take that information and validate that information. So for example, we know, through public record, public statements, that an element of the election system was actually compromised or breached during the course of the November 2020 election.
Mr. Cotton: (35:53)
It is a matter of public statement by Maricopa County, as well as legal action and law enforcement action surrounding that particular incident. The registration server that was public facing did have unauthorized access to that, in cybersecurity terms, it was breached. We know that the county has accepted that as an unauthorized breach because they actually issued a letter to a small subset of the voters who were affected by that breach. And they issued that in January of 2021. In that letter they did acknowledge that there was unauthorized access in November to that server. Okay. So that’s one item. The second item is, it has become readily apparent in the course of our analysis, that there are severe cybersecurity problems with the way the election management system and network was maintained. Okay.
Mr. Cotton: (37:14)
For example, if you walk into an average home computer, you will find that the antivirus definitions that protect that system from malware, have been updated within the last week. You will find that there have been system security patches set by Microsoft or by Apple, typically within the last week, Microsoft does it weekly. And you would find that that system is patched and the antivirus definitions are up to date.
Mr. Cotton: (37:53)
Sadly, that is not the case for any of the end points that we have looked at inside of the Maricopa County election management system. The last time that the antivirus was updated on these systems was the date that the Dominion software was installed on the systems. That happens to be August of 2019. There have been no operating system updates or patches on this system since that same date. What that creates is a tremendous vulnerability to anyone who could get access through a system, such as, if for example, the registration server was serving as a jump box, in other words, it was dual networks so that it was public facing and also private facing into the election system. If someone accessed that system, they would have no difficulty at all effectively penetrating and getting a system level access at the current patch state, and antivirus state of these systems.
Warren Petersen: (39:15)
So Madam President, Mr. Cotton, if they were able to get access, how long would it take somebody to hack in or whatever, if they’re…
Mr. Cotton: (39:31)
The vulnerabilities that exist on these systems would take an average script kiddie less than 10 minutes to get access to these systems.
Warren Petersen: (39:40)
Okay. So this is high vulnerability situations. So we need to get the routers. It’s clear we need to get the routers, we need, even if it’s just a report, they can scan it. They can look at it, they can do whatever they need to do to make it safe. We just need to see the traffic during this election, or during this period that you’re looking for. Now, they’ve brought up security concerns. Are these, do you believe these are valid concerns that they brought up, from sharing the router traffic or router reports, with us? Anything from the router, are these valid security concerns from your point of view?
Mr. Cotton: (40:23)
They’re not. And let me explain why. So when you think about a router, think about someone delivering the mail to your mailbox. That router is simply the mail carrier. On a standard envelope that you might mail to your mother, you’re going to put your return address, you’re going to put the address that it’s going to, and then you put that in the mailbox. The mail carrier looks at that, they know where to route that, and they will simply route that letter so it’s delivered in the mailbox of your mother. With a router it’s very similar. For each packet of data that you have, you have an address to where it’s going to, you have an address of where it came from, so that any response can come right back to that system. But what you don’t have is the actual content or the letter that’s contained in the envelope within the router itself.
Warren Petersen: (41:27)
Okay. So just to that point, you won’t see social security numbers or driver’s licenses, or people’s sensitive data on this.
Mr. Cotton: (41:41)
You will not.
Warren Petersen: (41:42)
Karen Fann: (41:42)
To that point, Senator Petersen. So when we’re talking about the addresses, is this what is known as the IP addresses? Am I on the right track on this?
Mr. Cotton: (41:54)
Yes, ma’am. So it’s actually a combination of two elements. One is the IP address, which everyone’s very familiar with, but typically on the return side, you will also have, what’s known as a MAC address. And that is a unique identifier for the communicating device that actually sent the packet. So for example, if you’ve got a wireless phone, your wireless modem has a unique MAC address so that if you’re behind a home router or something like that, it will know where to deliver that return packet to.
Karen Fann: (42:32)
One of my concerns, I’m sorry.
Warren Petersen: (42:34)
Oh, go ahead.
Karen Fann: (42:34)
Please. When we received a letter from Sheriff Penzone, stating that we would not get the routers because of a potential security issue, the one thing that stuck in my mind, I just heard you say that there is not a valid security concern there, but just hypothetically, if for some reason they think that there’s a security concern, my question is, why would they be using the same router as our election systems, if there’s even a small remote possibility that they think that somebody could be jeopardized? Why are we sharing routers with other agencies? Why don’t they have their own personal secure router?
Mr. Cotton: (43:16)
Ma’am, I can’t answer why they shared that space. But once again, this is one of those situations where, what they’ve told the public, is drastically different than the apparent reality in response to a legal subpoena. So from a public response standpoint, Maricopa County officials have repeatedly stated that the election system was a closed system. It did not touch the internet. And by therefore, it could not have co-mingled with the data from the Sheriff’s department or the Maricopa County, other office space. The fact that they have responded back to an official subpoena with justification, that to produce that data, would compromise these other aspects of the Maricopa County network that does touch the internet, is an admission that maybe things aren’t like what they’ve told the American public.
Karen Fann: (44:22)
Warren Petersen: (44:24)
So Mr. Cotton, we’ve talked about the routers, Splunk logs, again, why do we need the Splunk logs? And I also want to ask about, we also, you mentioned have not received the passwords, the tokens. Why do we need those things?
Mr. Cotton: (44:52)
If I can address the first part of that question, Senator Petersen. So part of the challenge that we have, is that specifically, I’ll use the EMS server as an example. The Windows security log or the Windows security event log, some people would call that, actually only goes back to the 5th of February of 2021. Now there are a couple of things-
Warren Petersen: (45:26)
So after the election.
Mr. Cotton: (45:27)
After the election. So we would need this data to cover and to help fill in the blanks back to the election. But more importantly, there’s an aspect to that security log that bears consideration. And so the security log was set to retain approximately 20 megabytes of data. And the way that works is, it operates on a first in, first out principle. As soon as you hit 20 megabytes of data, the oldest entry gets deleted and the next, and so it just continually rolls like that to maintain the constraints on that data space.
Mr. Cotton: (46:20)
When we took a look at this, we found, specifically in March, and I believe it was March 11th, there were 37,646 queries for a blank password on a system that only contained eight accounts. Now, given the short time period that that happened, that clearly was a script that was executed by the user EMS admin.
Mr. Cotton: (47:08)
What we don’t have, because of the lack of logs and the condition of that system, is where did that script come from? So by leveraging the router information and by leveraging the Splunk information, I should be able to determine who was using the EMS admin account at that particular time, and where did that originate from?
Warren Petersen: (47:35)
So just to be clear on this, were there 37,000 log-ins on one day? Is that what you’re saying? How would you identify this?
Mr. Cotton: (47:47)
When you’re doing a security check on a system, it’s very common for you to look for passwords that have a no password or a blank password, right? And so you can query the device itself to let you know whether or not there are any accounts that have a blank password on them.
Warren Petersen: (48:08)
So it’s a query. I’m just looking for what you’re calling this. 37,000-
Mr. Cotton: (48:13)
It’s a query.
Warren Petersen: (48:13)
So there’s 37,000 queries, and they were done on this one day. And the reason we need the splunk logs is because those 37,000 queries churned the data so that you can only look back to February 5th, or what was the date?
Mr. Cotton: (48:36)
Warren Petersen: (48:37)
February 5th. And obviously, we need to go back to the election. We need to be looking at the election day, prior to the election day, looking at access. So we don’t have that, what we were given, we don’t have that window, which is the critical window we need to look at.
Mr. Cotton: (48:56)
That is correct.
Warren Petersen: (48:56)
Okay. So obviously we need the routers, or just the data, or just, how about we just start with March 11th, the 37,000 queries. I mean, give us something here. What about the machines, the Dominion machines, the tokens for the machines? Why do we need those?
Mr. Cotton: (49:22)
So within the administrative functions of the Dominion ICPs, you have basically a couple of different levels or roles, as they call them, inside of the EMS software. The current state, so we have completely recreated a virtual EMS. I am able to burn these little fobs or iButton keys, as they really are. And those give me security access at whatever role I’m permitted to burn inside of the EMS. Currently, inside of the EMS construct, there’s only one role, and that is of poll worker. Within the Dominion ICPs, poll workers, as a role, even if you give them admin access, do not get access to the configuration of that device itself. So on each of these ICPs, and these are ICP2s, we know that there are two NIC cards. We know that they can be configured with wireless modems.
Mr. Cotton: (50:39)
We know that they can be configured with cellular modems. So the purpose of requiring this information, is to get a configuration for each of those systems that shows how they were configured, what is enabled, what is not enabled. And more importantly, I can get the MAC addresses for each of those devices. Now, if you recall our previous conversation on the router data, where you have an IP address, you have a MAC address, it then becomes a very simple process to say, did any of these MAC addresses ever touch the internet? It’s very simple.
Warren Petersen: (51:20)
So it sounds like, Maricopa County does not have access to this. Dominion only has access to this. Why is it important for Maricopa County to be able to have access to this?
Mr. Cotton: (51:38)
Well, your assumption appears to be true. So when we asked them for the administration level of fobs, we received a response back, to the same, within the same letter as the router data, saying that they had provided us everything that they have access to. And the inference obviously there, is that only the contract Dominion employees, contracted by Maricopa County, have access to configure those ICPs and to get access to the configuration or technician aspects of those ICPs.
Mr. Cotton: (52:20)
Now, where this becomes important is that, if you, as a county, cannot validate the configuration independently of the vendor, then how do you ever validate an election system that it’s safe to vote? Because you don’t know, as a county, that you’re responsible to validate and certify those systems prior to a vote. So I would suggest, that at this point, based on the evidence that has been provided to me, that the Maricopa County officials do not have the ability to independently verify the configurations of their systems without using Dominion employees.
Warren Petersen: (53:13)
Oh, so Madam President, again, I think this is just kind of another bullet point for us, something for future legislation. We always want to make sure, I think, that, and if this is the case, this is just with what we’ve been able to see so far, perhaps, and we’d love to hear from the county on whether they can, if they do have access, then great. If the county has, can get this administrative access, where they can look at the tabulators, we want to make sure that the state, the county, can always be at a higher level of administration than these third parties that we’re using. So that it’s us…
Warren Petersen: (54:03)
… Parties that we’re using it so that it’s us doing the elections, it’s the county doing the election. This I think is another thing that we need to make sure that we address, either now we need to get a response of if they do have access to this and they can audit this themselves and control this or this is something that we need to make sure in the future that we are able to do.
Karen Fann: (54:30)
A question. And I don’t know that you have an answer but I’m going to throw it out and maybe we can put it on our list of questions to ask. Originally, the board of supervisors had agreed to do a forensic audit with us, which is what we wanted. We did not want the ballots moved, we would not want the machines moved. And that’s the path I thought we were going on until they went into an executive session and said they were going to do their own audits using two companies that are authorized to certify the machines. And so they did these two audits. One was Pro V&V one was…
Mr. Cotton: (55:05)
Karen Fann: (55:06)
SLI, thank you. Those two. If they had done the audit as Senator Petersen said, why did they not come up with this information and report it as well? I don’t know that you would have an answer, just it’s…
Warren Petersen: (55:20)
He probably can’t speak.
Mr. Cotton: (55:22)
I can’t speak to what their scoping was. I would suspect that a full cybersecurity audit was not part of their scoping, that’s what I would surmise. But the reports that were produced by both of those audit firms clearly did not address the cybersecurity aspects that we have found. And there’s another finding that you would think that any audit firm would be looking at and that is commonality of passwords.
Mr. Cotton: (55:52)
What we have found is that for all the administrative accounts, no matter what the name of that account was, they shared the same password. Now, that password appears to have been established at the same time that the Dominion software was installed on these systems, which is August of 2019, and does not appear to have been changed during that entire time period. So once again-
Warren Petersen: (56:28)
And so to that point, what would be the recommendations with… What’s the industry standard with passwords and recommendations with password best practices with that?
Mr. Cotton: (56:38)
Well, first and foremost, a shared password eliminates one of the very critical items of cybersecurity, and that is, we cannot attribute the actions of a given username back to an individual. Because these were all shared passwords literally anyone who had any access to any admin account could have been able to use any other admin account. So accountability is out the window from an individual aspect. From a cybersecurity standpoint-
Warren Petersen: (57:13)
Now, just to be clear, when we’re talking about these passwords, these are the passwords for the server, this is not the machine admin password you’re talking. Which passwords are you talking about?
Mr. Cotton: (57:26)
We’re talking about the EMS admin password, we’re talking about the adjudication admin password.
Warren Petersen: (57:31)
So this is not the Dominion machine…
Doug Logan: (57:34)
Operating system password.
Warren Petersen: (57:36)
This is the EMS, meaning the election servers not the Dominion tabulating machine?
Mr. Cotton: (57:44)
There is a correlation between the Dominion Windows accounts and the Dominion functions, so you can’t separate the two. In other words, when you log into the EMS server, for example, you will enter in the EMS admin username and then you will enter in a password. That provides you single sign on access into all of the functions of the EMS software, so these two things are tied together.
Warren Petersen: (58:17)
Right. But what I’m trying to make that’s clear for people to understand is that you do have the admin password for the server, correct?
Mr. Cotton: (58:27)
Warren Petersen: (58:28)
But you don’t have the admin password for the tokens for the Dominion machines.
Mr. Cotton: (58:35)
Well, a little bit of a correction there. I do have the admin passwords, what I don’t have is the authentication fob because it requires both of those items. So we were able to recover the admin passwords used for the tabulators but because we don’t have the ability to burn that iButton fobs-
Warren Petersen: (58:56)
It’s like an additional layer of security-
Mr. Cotton: (58:58)
Correct, a multi-factor authentication into that tabulator.
Warren Petersen: (59:01)
And it appears that only Dominion has that.
Mr. Cotton: (59:05)
Warren Petersen: (59:05)
From what we know so far.
Mr. Cotton: (59:07)
Warren Petersen: (59:07)
From the information we have so far. Okay. Thank you, Madam-
Karen Fann: (59:13)
Great. Anything else that you wanted to add that was not covered at this point?
Mr. Cotton: (59:16)
Well, I think that there is one other critical aspect of why I need the Splunk logs. So anonymous logins are a normal part of Windows activity. If you’ve ever accessed a shared file in Windows, that’s called an SMB share. And as part of that request there will be an anonymous log-on action to the server that has the share file on it and then that is followed immediately by the authentication of the user that is requesting access.
Mr. Cotton: (59:58)
As part of the course of that normal anonymous action, the Windows logs will actually record the username that is requesting that action. It will record the IP address that is originating the request and it will record the host name of that originating client. What we are seeing here and what does require additional correlation with NetFlow data is we’re seeing anonymous log ins at the system level that do not follow that pattern of normal Windows behavior and so we need to have that additional data to validate what that activity is.
Karen Fann: (01:00:49)
Thank you. All right, ready to move on to… Sorry, this is tedious but there’s a lot of information that we’re trying to absorb and understand here so bear with us, please. I’m going to go back to Mr. Logan at this part. Mr. Logan, we would like you to help us address the issues that you were having with the hand counting of ballots, the paper examination, and then we’ll move into voter data analysis and envelope, so let’s start with the hand count of ballots and where we’re at on that.
Doug Logan: (01:01:21)
Yeah, so there’s been a lot of questions I know about the timeline and why some things have taken a little bit longer than expected. I have to say that every audit I’ve ever been a part of usually whatever the organization is that you’re working with is available to answer questions, to run ideas by, and to get some feedback and findings. And one of the more difficult things with this audit is to not have that feedback loop and not be able to ask questions on things that could be solved very quickly.
Karen Fann: (01:01:54)
From Maricopa County.
Doug Logan: (01:01:55)
Correct, from Maricopa County. Specifically, we’ve run into with… I think Ken Bennett was stating earlier about some of the duplicated ballots. Specifically we’ve had a lot of problems with the way that those were recorded and the way they received over. I think probably the best way to do this is go over, I think it’s actually Exhibit B. If you can put that up on the screen. Actually, can you zoom in so people can see that a little better?
Doug Logan: (01:02:41)
Okay. What we have here on the top of the screen is the original manifest on one of the boxes. It helped duplicate stuff in there. You can see all the numbers, the MC17416, and so forth. That was what was stated was given to us. If you take a look at the table below it, and actually if you can just zoom in a little more and maybe make it a little more clear. And we don’t need the top part anymore, you can scroll down. On the actual manifest, the far left column has the manifest batch number and then if you look right next to it there’s actually what the observed batch number was within it.
Doug Logan: (01:03:19)
You’ll notice that the first few ones are actually correct, but then you get down to MC171634, which is about halfway down, you notice that its naming convention is as if it is in the original but it is actually a duplicate. And just to step back a little bit to give a little bit of clarity, anytime there is a ballot that can’t be run through the tabulator, whether that’s because it’s damaged, whether it’s because of something like a braille ballot or something like UOCAVA, any of the other forms they actually have to create duplicates that they then run through the tabulators.
Warren Petersen: (01:03:54)
Can you tell us what UOCAVA stands for, please?
Ken Bennett: (01:03:58)
Uniformed Overseas Citizen Absentee Voting Act.
Warren Petersen: (01:04:02)
Okay, thank you.
Doug Logan: (01:04:05)
Thank you. In any case, you have the original ballots and then you have the duplicates and there was roughly 50,000 total so there’s 25,000 originals and roughly 25,000 duplicates, assuming that they all matched up with that. So in order to make sure that things are not double-counted and things are attributed properly it’s very important to be able to match them up. In fact, this is why their statute, it says there’s supposed to be a serial number on the original, that you can match up with the serial number on the actual duplicate so you know one for one that they were counted properly. And from an audit standpoint we want to make sure that the original is exactly the same as the duplicate, so it’s important to us to make sure that we can match those.
Doug Logan: (01:04:48)
When we receive a manifest, it states that stuffs were originals when we actually start looking through them we realize that they’re duplicates. It creates things that are a lot more complicated and difficult for us. These are some of the examples and here you’ll see that there’s a whole bunch of things that were wrong where we stated there’s several things on there that were not listed on the manifest that were actually in the box. There’s one of them that was actually on the box that wasn’t really observed with… There was one manifest that wasn’t actually found in the box. We had within the braille ballot boxes labeled as braille ballot, we had other types of ballots that were found in there that were not expected to be in there so it makes things much more difficult. And moving on to… Actually if you scroll down you should see Exhibit C.
Karen Fann: (01:05:40)
You might need to speak into the mic a little more-
Doug Logan: (01:05:42)
Karen Fann: (01:05:43)
Doug Logan: (01:05:46)
What we have here is we actually took a few examples out where serial numbers really should be unique. There should be one original ballot with a serial number and one ballot which is the duplicate of it with the same serial number. When you take a look at this chart you’ll see the first column is the box ID, that’s the box that it came out of. And then you take a look at the next column it’ll tell you what the type is. Dupe means it’s a duplicate, DSD it means that is actually the original ballot. And you’ll notice that the last column has a serial number but they’re in groups of three which shouldn’t really happen. So we have two original ballots that have the same exact serial number and we have only one that was duplicated from it. And these are just a handful of examples that we have that go through it.
Doug Logan: (01:06:32)
And so we have a whole bunch of ballots that also don’t have any serial number on them so it’s quite possible that for the second one with the same serial number, there’s another one that matches up with it that literally doesn’t have a serial number on it. But it creates a lot of time and difficulty in resolving these issues when it was not done in a manner where it’s easy to match up. And really according to my understanding of what statute is and what statute states, I’m not an attorney but Ken Bennett can probably speak a lot more-
Ken Bennett: (01:07:04)
I’m not one either.
Doug Logan: (01:07:05)
But you know statutes really well.
Warren Petersen: (01:07:08)
Just to be clear on this matter, but I think this is some of the delay, I guess, some of why it took so long to put these all together or trying to assimilate this because it’s, you’ve got this kind of confusion and…
Doug Logan: (01:07:25)
Karen Fann: (01:07:25)
And with Maricopa County refusing to answer any questions as to help us understand what you did here.
Doug Logan: (01:07:32)
And there may be some explanation as to how and why serial numbers get duplicated. It doesn’t seem like a good practice anyway that you look at it, but if it’s well-documented and there’s some easy way for things to be audited, then you’re in good shape. But that’s one of the problems we’ve run into, is that so many of the issues we’ve encountered through things makes it very difficult, if not impossible, in order to audit things. It’s our goal in going through there to give some irrefutable proof to make sure that we know that things were solid or that they’re not and these types of problems make it very difficult for us to be able to say absolutely on certain aspects.
Karen Fann: (01:08:10)
Continue. Is that everything on the hand count ballots?
Doug Logan: (01:08:17)
I believe that’s everything on the hand count ballots.
Karen Fann: (01:08:18)
Okay. Would you like to move on to paper examination issues that you need answers to?
Doug Logan: (01:08:23)
Yes, please. Okay. So we utilized a kinematic artifact detection in order to take a look at all of the ballots in order process to figure out how they work and how they function. And if we can actually get Exhibit D up, please. Go ahead and scroll down on. Ever since… I had mislabeled as E but it’s actually D. Ballots are designed as such so that when you fill out one side of the ballot it’s very important that if you fill out a bubble and it does happen to bleed through, it doesn’t do so in a manner that would actually impact the way the vote is cast, so ballots are designed in the manner to make that.
Doug Logan: (01:09:09)
In order to make sure they’re actually aligned, on one side of the ballot there is the circle and Xs that you see in this, and on the other side of the ballot there’s actually printed a cross. And when the ballot is properly aligned that cross will actually line up perfectly if you backlight it because the cross will actually line up perfectly. And that’s actually the image you’re looking at. We have a back lit image of a ballot and you’re seeing in the front side of the circle and the cross in the inside, it’s very similar to say, like a gun sight.
Doug Logan: (01:09:41)
Now, if you look carefully at that top image you’ll ask because we notice that it’s a little bit offset. Based on standards that’s actually the maximum it’s supposed to be offset for ballot to be viewed as valid and processed so there aren’t any issues with it. If you take a look at that image down at the bottom you’ll notice that it’s 1900%. This is actually something from an actual ballot out of Maricopa County that we ran into where it was out of calibration.
Doug Logan: (01:10:10)
And just to get a little bit more perspective, if we scroll down in the PDF to the next section, we actually have two batches here. We’re still running this process through all the batches but this graphic, you want to be in the bullseye. The bullseye in the center is actually the check marks on how offset those things should be. And just to be specific, from a calibration standpoint I think it’s supposed to be within 100% in it and we made our box about 300% from the way this is calibrating. You’ll see that the average has actually taken the top right-hand corner of the average on this is actually 1024% and the worst ballot was 3200%. You can see there’s two different batches that we have in here as examples. Now-
Warren Petersen: (01:10:58)
Madam President, Mr. Logan. So what happens to these ballots? If this happens, if they’re off, they’re reading off then what’s the result? How is this dealt with in an election?
Doug Logan: (01:11:11)
If you actually go to the next exhibit. We’ll talk through that here. If they’re offset what it means is if it bleeds through it can potentially cause an overload, it can potentially cause you to vote for someone that you didn’t intend to vote for and so forth, because the bleed of one side’s bubble can go of course to the other side and within the area it would be categorized for the other bubble.
Doug Logan: (01:11:36)
Now, specifically, we should not have had problems with bleed-through. If you scroll down a little bit farther and zoom in where we’ve got the red box. This is actually a newsletter that was put out by Maricopa County that talks about the paper types that are utilized, and specifically they state that they use VoteSecure paper. Now, if VoteSecure paper is utilized, it’s actually a thick paper, it has a special coating on it that helps make sure there isn’t bleed-through. And so it would help ensure that bleed-through wouldn’t be a problem even if things happened to be not perfectly calibrated.
Doug Logan: (01:12:09)
But if you scroll down to the next page, we’re going to give you an example of an actual ballot where you can see the bleed-through that goes through. And you can see that the bleed-through is actually very, very close to where votes are cast. Now, as part of additional analysis we’re going to try to get a better idea as to when or if this did impact votes and did impact values, that does require additional analysis in here, but specifically this is an indication of problems that could cause an overload situation or could cause votes to be cast for a different candidate than intended.
Karen Fann: (01:12:42)
Let me clarify something, I want to make sure I get this straight because this was an issue early on right after the election. Maricopa County, you’re saying on their website said that they only use secure paper which does not allow for bleed-through, correct?
Doug Logan: (01:12:59)
Correct. There’s actually a newsletter from them, yes.
Karen Fann: (01:13:01)
Okay, their newsletter. And so if that is correct there is no way there would be bleed-through as what we’re seeing on the ballots?
Doug Logan: (01:13:09)
Yeah. Based on our discussions to paper experts they specifically state that that paper is thick enough that it wouldn’t bleed-through and we are seeing a lot of very thin paper stock being utilized, especially on election day.
Karen Fann: (01:13:19)
Okay. Does this happen with just magic markers or does it happen with ballpoint pens? Do you know that answer? I don’t want to put you on the spot but-
Doug Logan: (01:13:29)
I would expect that with Sharpies the bleed-through would be greater, but it could potentially happen to a lighter amount with regular ballpoint pens as well.
Karen Fann: (01:13:37)
Okay. So there was a… In fact it was dubbed by some of the media Sharpie Gate at the very beginning. And the Maricopa elections people came back and said, “No, if there was any bleed-through it would not have affected other votes because it’s not lined up.” Are you saying that’s true or not true?
Doug Logan: (01:14:00)
We would need more analysis. In the final report we’ll be able to tell you more clearly whether this impacted things or not, but definitely if there was an offset that was in the right direction, the right way, and there was bleed-through, it could definitely impact the ballot.
Karen Fann: (01:14:14)
Okay. One more question. I’m going back to this one on this face right here. The pictures you had, what would cause that X or that mark to be out of that far of alignment? What causes that?
Doug Logan: (01:14:27)
If the printer’s not properly calibrated, when it prints the second side of the page it’s actually offset so it’s not perfectly aligned. So it could be a number of different mints and probably printer calibration would be the key thing for that.
Karen Fann: (01:14:39)
Will this be printer calibration with the people that printed the ballots, the main ballots and are there printers at the voting that they can print-
Doug Logan: (01:14:48)
Karen Fann: (01:14:48)
… So it could be any of those printers?
Doug Logan: (01:14:51)
Most of the firm owners and most of the ballots are printed at Runbeck we can confirm or Runbeck but were pretty much spot on, but there’s a lot of ballot on-demands that are printed at the actual voting centers and those had large offsets.
Karen Fann: (01:15:05)
Do we know how many ballots on-demand there were or not? Is there any records?
Doug Logan: (01:15:10)
It’d be roughly 168,000, which would be the election day ballots.
Karen Fann: (01:15:16)
Those were ballots on-demand?
Doug Logan: (01:15:16)
Yeah. We are seeing more than that where this offset occurred. And so we’re trying to drill into what printers and where and what that’s tied to.
Karen Fann: (01:15:25)
Okay. Thank you. Okay, continue, I’m sorry to interrupt you.
Doug Logan: (01:15:32)
I think that was everything I’ve covered.
Karen Fann: (01:15:39)
Okay. So let me back up to the paper examination issue too. How do we verify… So Maricopa County is saying we only use four types of paper and they’re all secure and we’re saying they’re not. How do we prove that? What is the best way to get that documentation to say what the truth really is? Can you help me with that?
Doug Logan: (01:16:01)
Yeah, certainly we can request information on the purchasing of paper that was utilized for ballots, what their quantities were, and where they were utilized. We can get information of what printers were utilized at different locations and all of that can help tie together to make more sense out of the information we have.
Karen Fann: (01:16:18)
Great, thank you. Would you be able to make a list of that for me so that we can try and ask for that information, please?
Doug Logan: (01:16:23)
Karen Fann: (01:16:24)
Okay, great. Let’s go to what we call voter data analysis. And because this ties in directly with the canvassing, our contract, the Senate contract with you in your proposal for work, one of those items was canvassing to be able to actually verify if you found any information and the only or best way to verify it is to actually go to that person. And I’ve always used the example because I do know of a case where one house got 25 ballots in the mail and only two people live there. And so we had talked about how do we verify that and there was a question about canvassing. Department of Justice sent us a letter about four, six weeks ago and said, “We’re concerned about you actually knocking on doors that you might be voter intimidation or civil rights violation or something.”
Karen Fann: (01:17:19)
Which I find is interesting after the White House last week said, “We’re going to knock on doors to see whether you’re vaccinated or not.” That’s a side point, just a little side point. But so we told the Department of Justice that we would postpone that indefinitely until your audit was at a point where we could even determine whether that was going to be necessary or not. Can you talk to us about that and is it going to be necessary, is it not? Go into that part for me, please?
Doug Logan: (01:17:49)
Yeah. Based on the data we’re seeing I highly recommend we do the canvassing because it’s one way to know for sure whether some of the data we’re seeing if it’s real problems or whether it’s clerical errors of some sort. For example, we have 74,243 mail-in ballots, where there is no clear record of them being sent. And just to be clear, here in the State of Arizona there’s EV32 and EV33s. EV32 is supposed to give a record of when a mail-in ballot is sent and an EV33 is supposed to give a record of when the mail-in ballot is received. And so there should be more EV32 is more sent out than there are that are received.
Doug Logan: (01:18:37)
Specifically with these we also we can tie them to a specific individual that was mailed to. And so we have 74,000 where we have them came back from individuals where we don’t have a clear indication that they were ever sent out to them. That could be something where documentation wasn’t done right, there was a clerical issue, there’s not proper things there, but I think when we’ve got 74,000 it merits knocking on a door and validating some of this information.
Warren Petersen: (01:19:01)
Madam President, if I may, Mr. Logan, what are you looking at or you see this where there’s 72,000 received but not 72,000 sent? What did you guys look at to come up with that?
Doug Logan: (01:19:15)
There was information that was FOIAed from the county, specifically in these EV32 and EV33 forms and that is what gives an account of what was sent out and what was received back.
Warren Petersen: (01:19:27)
This is the data you received from a FOIA request back from the county?
Doug Logan: (01:19:30)
Members of our team received back, correct.
Warren Petersen: (01:19:32)
And you’re saying that the EV33, which is the number of ballots received was higher than the number of ballots.
Doug Logan: (01:19:39)
Not seeing an equivalent EV32 to go along with EV34 or 33, I’m sorry. It keeps doing this up. We’re not seeing-
Warren Petersen: (01:19:46)
32 and 33.
Doug Logan: (01:19:47)
32 and 33. We’re not seeing them where they match up because there should be a matchup of them. Obviously you’ve got more mail-in ballots sent out than are ever returned, but specifically these should match up with each other.
Warren Petersen: (01:19:58)
Karen Fann: (01:19:59)
Is there another way to get that information? How would you verify that? Is there another way to get that information. If what you have seen so far doesn’t make sense how can we verify? Is there a way to do that?
Warren Petersen: (01:20:13)
Yeah. We could request information from the U.S. Postal Service and what went through the mail system. There’s additional records about if mail-in ballots were in fact rejected and returned, that information it would be useful in sorting through some of this as well. There’s a number of different things associated with artifacts that are created with mail-in ballots, the November 7th version of the voter rolls that should have been after votes were cast but then appeared on December 4th voter rolls. And to just be clear, they show as voted in this past election but they were not in November 7th version of the file and they did show up on the December 4th version.
Karen Fann: (01:20:51)
Okay, that sounds confusing. Is there… Give me an explanation of why that might have… I mean, obviously we’re not saying there’s fraud, we’re not saying anything else, I’m just trying to find answers. Is there a logical explanation why that would be?
Doug Logan: (01:21:06)
I cannot think of a logical explanation on what that would be, but it’d be a great thing to hear back from the county to see if there’s anything that we’re not thinking of.
Karen Fann: (01:21:15)
Okay. Thank you. Continue.
Doug Logan: (01:21:18)
So we have, from what I understand here in Arizona, originally Hobbs had requested that the registration date for voting be moved up to Election Day, and there was actually a court case that moved it back to October 15th. Based on the registration information that will be found in the voter rolls, we have 3,981 individuals who show us having voted in this election, and their data shows up in the campuses having voted in this election. However, they were registered after October 15th.
Warren Petersen: (01:21:56)
Madam President, so all of these are things that canvassing we could find out. Did they register before? Did they even vote? Or we need some more data. We need more data from the county to show they registered before that date. Something showing that they registered before October 15th, or something showing that their ballots were sent out to people where they were received. Or we need to do a canvass. We need to be doing canvassing to ask the voters themselves.
Karen Fann: (01:22:29)
Doug Logan: (01:22:31)
The last one I have is we have roughly 20,000, I think it was about actually closer to 18,000, who voted in the election and then showed has been removed from the voter roll soon after the election. So they were on the voter rolls, they showed as voted, and then they were removed. And there could be a good logical explanation for that, but it seems like a large number to immediately have after an election be removed. And so getting more documentation on the request remove from voter rolls, or other process to make sure that makes sense. It seems logical. In addition, again, knocking on doors and canvassing can help validate that information.
Karen Fann: (01:23:06)
Okay. Mr. Bennett, besides knocking on doors, how would we also obtain that information? Secretary of state? Voter rolls? Maricopa County? Or knocking on doors is the only way to do it? I don’t understand.
Ken Bennett: (01:23:21)
Well, the original voting records are kept at the county level. That is shared electronically on a daily basis with the Secretary of State’s office, that keeps a statewide voter database. The Secretary of State’s office receives information from vital records and other courts and et cetera, that is then in reverse sent to the county levels to let the counties know who’s died, who’s been adjudicated in a court hearing as being incompetent, or lost their voting rights because of a felony conviction or something like that. So I guess we could look at almost daily data between the county and the Secretary of State’s office.
Karen Fann: (01:24:06)
All right. Thank you. Continue.
Doug Logan: (01:24:09)
That’s actually the last thing I have to cover from this section.
Karen Fann: (01:24:12)
Okay. Envelopes, that’s an issue that we’ve been talking about. Would you like to touch on that as well?
Doug Logan: (01:24:20)
Yeah, we’ve had an affidavit that specifically stated that when mail-in ballots were received, that so many of them were received, that the standards reduced every time. They originally talked about, there was initially 20 points of comparison on the signature. And then after some time they’re told to go to 10 points of signature, 10 points of comparison, then five, and then eventually they were just told to let every single mail-in ballot through. So we think it’s important, understand what the course of our settlement, the only thing we can look at is blank signatures, but we think it’s important to get the mail-in ballot images and see how many, if any, blank signatures came through, because that could have a material impact on the election.
Karen Fann: (01:25:02)
Okay. Do we not have those images of the envelopes?
Doug Logan: (01:25:06)
We do not have those images. Maricopa County has stated that they provided us with images of the envelopes, but specifically the folder they pull it into in a specific drive has to do with voter registration details. It does not appear to have anything to do with the receiving of ballots. And I believe that, Bennett can tell you more about his interchanges with them, but specifically we asked them, “So are you saying that in that folder, we should have the envelopes that were utilized for ballots to be delivered in this past election?” And the answer was basically, if there’s envelopes in that folder, and it did not clearly answer our question.
Karen Fann: (01:25:47)
So Mr. Bennett, when you asked them or advised them that maybe they’re mistaken, they’re not here, could you send it again, what was said?
Ken Bennett: (01:25:56)
I would simply recommend, Madam President, that they’d be re-subpoenaed, as almost maybe a separate item and on a separate device, and it’s not co-mingled with other folders or anything else.
Warren Petersen: (01:26:13)
Her question is what has been their response, when you ask them, we need the images of the ballots.
Karen Fann: (01:26:22)
Warren Petersen: (01:26:23)
I’m sorry. We need the images of the envelopes that were mailed. They said they gave us a file. It’s not on the file. When you ask, you tell them we don’t have those. What is the response? What has the response been to you?
Ken Bennett: (01:26:39)
It’s on the LaCie five terabyte hard drive in an affidavit’s folder, that’s 1.83 terabytes big, and we keep looking for it and don’t find it.
Mr. Cotton: (01:26:53)
If I might add, I did an extensive forensic search for the mail-in ballots. The only images that are contained on the referenced LaCie drive are the original voter registration affidavits. Nothing to do with mail-in ballots.
Karen Fann: (01:27:13)
Thank you. Okay. So we will put that on the list of things to ask for. All right. So that brings us right into that list. Mr. Petersen, I’m going to let you take over at this point.
Warren Petersen: (01:27:33)
Well, I think Madam President, you and I just talked about… So you’ve done a good job of letting us know what we’ve done, what’s completed so far. We’ve heard a few things that were missing. The president and I would like to know if you can tell us, if you can kind of summarize or go through, tell us what do you guys need based off of what you’ve learned so far, to have a complete forensic audit where we can have a complete and final report. So if you can share with us, what are those things that you would need to do that?
Doug Logan: (01:28:17)
I think one of the key things that Mr. Cotton has talked about is we really need the Splunk logs in order to validate there was not any remote access to those systems in order to confirm any type of remote connectivity. And we requested [crosstalk 01:28:33]
Warren Petersen: (01:28:32)
We covered that. I mean, anything that hasn’t been mentioned already in the hearing, because I believe the president and I have written all those things down. Is there anything that we haven’t brought up that you would need to make this where do you feel like it’s a complete audit?
Doug Logan: (01:28:49)
Yeah. So specifically when we talk about those changes to the voter rolls, we talked about, and there’s additional things we’ve seen that have changed in voter rolls over time that should not change. I think it would be very helpful if we could get a full backup copy of the database of voter rolls, specifically with information about who it was that made changes and when, and IP addresses and those details, so we can drill into why it is that some of these changes have taken place.
Doug Logan: (01:29:19)
I think we’ve talked about chain of custody already. That’s something that’s extremely important for us to validate the chain of custody of everything from the point where the first ballot was sent, to the point where we receive stuff. We have full chain of custody of what we’ve covered while it’s been in our custody, but we need to know of it prior to that.
Warren Petersen: (01:29:37)
Doug Logan: (01:29:42)
So we understand that there may be some systems associated with the duplication of ballots that we have not forensically looked at. And as we’ve seen problems with duplication, if we’re able to have access to those, we believe it would be very valuable in seeing what might be going on.
Warren Petersen: (01:29:58)
So what do you mean? Specifically, what are you looking for there?
Doug Logan: (01:30:04)
Well, there’s some software, I believe it’s called Novus, that’s used as part of the duplication process. There was actually a court case, I believe it was Ward v. Jackson, where it was discovered that some of that duplication was not properly attributing results for the candidate the original had. And so being able to forensically look at that information would be helpful. And based on some analysis that Mr. Cotton has done, he does not see that within any of the data sets that we currently have. And so the question is whether the original subpoena was worded as such that we should have received that, or whether this is something that needs to be in a new request.
Warren Petersen: (01:30:42)
Okay. Anything else?
Doug Logan: (01:30:46)
So any reports associated with the breach that is known about the voter rolls with Maricopa County, that again will help with investigation that Mr. Cotton is putting together.
Karen Fann: (01:30:59)
To be clear, you’re talking about the breach that happened in the Maricopa County, sent letters out to the voters and saying, “Please be aware our system’s been hacked or breached, and we believe none of your personal information has been disclosed.” That letter, that breach?
Doug Logan: (01:31:18)
Karen Fann: (01:31:18)
Doug Logan: (01:31:19)
There’s been minimal public information available about that. And any internal reports on what was discovered, the levels of the breach, and how far, would be very helpful in our analysis as to whether the voting systems were impacted this election cycle.
Karen Fann: (01:31:33)
You weren’t here at the time. I don’t know if you know Mr. Bennett, do you remember, is this the same breach as the one where the FBI raided that house?
Ken Bennett: (01:31:43)
I don’t know.
Karen Fann: (01:31:44)
Doug is nodding.
Doug Logan: (01:31:45)
I believe so.
Karen Fann: (01:31:45)
Mr. Sullivan, okay.
Warren Petersen: (01:31:46)
Mr. Cotton, I don’t know if you want to chime in.
Mr. Cotton: (01:31:48)
I believe that to be the same.
Karen Fann: (01:31:50)
Okay. Thank you.
Doug Logan: (01:31:52)
So specifically, we’d like to request all portable media or external hard drives that contain election definitions, election results, backups, or similar data. We know from photos that we’ve seen from Emtek, that there were at least three orange drives of which we received one of them. And reviewing the wording of the subpoena, portable media and external drives may not have been included. If you’re trying to take a very narrow view of what we requested, we believe there’ll be backups and other information that will be helpful in our analysis on those.
Karen Fann: (01:32:24)
Okay. So you need us to subpoena the two missing orange drives?
Warren Petersen: (01:32:28)
Or any portable drives.
Doug Logan: (01:32:29)
I think if there are any portable media or external drives that have not been given prior subpoenas, that are associated with election specifically. We don’t need any of the information we’ve already seen. So most of this stuff we’ve put caveats that we don’t need things we already received. As we’ve heard the report that the election department shares a network with the sheriff’s department, it’d be very helpful to have the network diagram to show how that is. And from our analysis standpoint, it’ll make it easier for Mr. Cotton to hone in on what happened, and again, to look at things. I think we already talked about the backups of collection management data.
Doug Logan: (01:33:12)
Digital copies of all versions of policies and procedures utilized, associated with the election would be helpful. We’ve received verbal reports from a number of people that work for Maricopa County that indicate that some of the things we’ve seen don’t actually comply with Maricopa County’s policies and procedures. But without a copy of those, it’s difficult for us to validate those. And we want to make sure that any finding we put into our report is something that would be irrefutable, and we have the hard evidence to back it up. So given these policies and procedures would be helpful in doing so.
Karen Fann: (01:33:45)
Question, if I might. Question, why would those not be public record and already produced somewhere, if they’re election procedures?
Doug Logan: (01:33:55)
Well, some levels of them are public and are available. But when I looked into specifically trying to see some of the ballot storage requirements and how they should be stored specifically as an example, there was not very detailed information. And usually you have guidance from a state, and then within a county they’ll have very specific their interpretation of how they execute it. It’s one of the reasons why it’s so valuable with an audit to be able to have conversations with people, because there’s things they do in Maricopa County, they don’t do that way anywhere else in the country. And not all those are necessarily wrong. It’s not about right or wrong. It’s just different. So getting their policies and procedures so we know them and we’re aware of them is something that’s helpful. And some of that information, they did send over with the original subpoenas, but there’s additional. Like I said, when I went through them, there’s enough things that we ran through that I couldn’t find specific documentation on, that we were told they had specific guidance on, and we’d like copies of that.
Warren Petersen: (01:34:53)
Okay. So through inferences, they’re told they know how to do this. Well, how do we know how to do this? It’s not in the procedure manuals. We need where they’re getting this guidance and training.
Doug Logan: (01:35:04)
Correct. And most governmental organizations have very clear and very precise policies and procedures for pretty much everything that’s done, and so it should be something that’s easy to procure. So we mentioned before about the blue sheets. Since we received these through another party, we’d like to specifically subpoena them so we know that we have the official copies of them. They call them the Tabulation Logs. That was the official name that they utilized them. And so that’s again, just to make sure that what we have is valid and real. We have no reason to expect that it’s not, but it’s just good to get it officially. Tied in with some of the things we ran into on the voter rolls, records of all mailed out ballots, everything that’s available, as far as what’s real mailed out and what was rejected, and validation that they were destroyed, if they were rejected and came back. We had a lot of things in here that are specific to that, but for the brevity we’ll…
Doug Logan: (01:36:03)
So we’d like copies of all files transmitted for the purpose of duplicating damaged ballots or alternate format ballots, specifically to help us trace some of this information to make sure everything matches up and that it followed appropriately, because for things to be printed by a printer at [inaudible 01:36:20] on duplicate ballots, they had to send a request over to them of some format and some data, and we’d like to be able to match that up with everything that we have.
Doug Logan: (01:36:28)
We talked about the records of all paper distributed to vote centers and so forth. So additional information associated with adjudication of ballots would be helpful as we do our analysis on those and make sure that that conforms with expectations. That votes were cast over as far as what the process was, who was involved in it, and how they validated things with that. Specifically, we’d like information about the total count of all ballots sent to you [inaudible 01:37:00] eligible voters, how they were sent, and how they were received, because there’s a number of different ways those votes can be received back. And we have some. Some of the numbers with [inaudible 01:37:14] seem a little off, seem a little anomalous, and we’d like to get more documentation to make sure that if there’s any anomalies that merit going to a report, that we have the information to know whether it belongs or doesn’t. I think that’s pretty much everything here, if we’re talking about things generically. There’s more specifics that I have listed.
Warren Petersen: (01:37:43)
Okay. Do you have more questions?
Karen Fann: (01:37:47)
I don’t at this point. I think I may have to circle back with them and to get this list. I won’t be able to make heads or tails out of my chicken scratch in there. I’ll get it [inaudible 01:38:00]
Warren Petersen: (01:38:00)
So I think, if you don’t have any questions, Madam President, I don’t have any more questions. Maybe just some closing statements here. Just back to what you said about working together, it is unfortunate that the county has been recalcitrant. That doesn’t breed trust. It slows things down. It makes things difficult. We’d like to work together with them. We’d like to be able to get answers to questions, and we’d like to get everything we need to finish the audit, more than anything. Obviously, some of these things they could probably answer. Some of these procedural things, working together we could just get answers to. But I think there’s some really important things that have been brought up today that we need to get, if we want to have a complete, full forensic audit. If we don’t get them, it will be an incomplete report. It will be an incomplete audit. And that’s what the findings will reflect.
Warren Petersen: (01:39:15)
So I think, in addition to what he’s mentioned in additional things, we’ve got to get the chain of custody. We have to get the routers, or reports. It’s safe. Experts say it’s safe. Limit the report to what we’re asking for or what we’re needing. Put it on paper, whatever you need to do. We need to get those logs, and we need to get that report. We need to get the tokens to the machines. We need to be able to see how they were configured. And we need to hear back. We need to know for certain. The appearance is that administration resides with the third party. We need to hear back whether that’s the case or not. We need to know. And what we need to do in the future is we need to make sure that administration resides with the state, administration resides with the county.
Warren Petersen: (01:40:21)
We need to get the envelopes.
Ken Bennett: (01:40:24)
Warren Petersen: (01:40:25)
Yeah. We need to get the envelopes for the mail-in ballots. We’ve been told we have them. It seems like somebody could either walk over and show us where that’s at, or they can bring it to us or, or give it to us. So we need to get that. And then of course, if you can send us that list. We did our best to write those things down, but we’ll get the list. And I think, from my perspective, that’s kind of the two ways this is going to go. It’ll either be an incomplete forensic audit with the findings and the things that we’ve got so far, or it will be incomplete if we don’t have those items.
Karen Fann: (01:41:08)
Thank you. Once again, I just want to state that at no time have we ever implied or inferred that there was any intentional misdoings here in any way whatsoever. In fact, we certainly hope not. But we do need to have this information and answer these questions so that we can make sure that the voters of Arizona have solid answers as to how our election systems works, the check and balances, to know that they have a safe and secure ballot when it comes in. So we will be asking for the additional information. We’ll find out whether, I’m guessing we’re going to have to go back to court, unless Maricopa County will say, “Yes, let’s work on this together,” which I thought we would do. I do not know why Maricopa County has fought this so hard. If it’s their electoral system, I would think they would want to know that everything is operating the way it should, and I believe that our Secretary of State would feel the same way.
Karen Fann: (01:42:16)
So we will endeavor to keep getting the answers. What did they say? The whole truth, nothing but the truth, so help me, God. And we’ll move forward and get whatever we can to help you finish this audit. So we appreciate you flying in for this. We appreciate the time that you’ve put here. And we’ll just keep moving forward.
Karen Fann: (01:42:37)
Now, before we adjourn, I would like security to please escort these three men out for security reasons. We were instructed that we need to let them out first. And with that, thank you all very much for attending. We appreciate you being here, and we’ll just keep moving forward with as much as we can, and we’ll start giving more and more information out to everybody. So thank you. And we are adjourned.