By Susan Shelley
If you want voters to have confidence in the integrity of elections, you won’t get there by pounding the table and fiercely denouncing anyone who questions the integrity of an election, especially if the people who raise questions occasionally turn out to be right.
Perhaps there’s no better example of this than the story of Konnech, an election technology provider that makes a product called Pollchief. It is “used by thousands of Election Offices across North America,” the company’s website proudly states.
Konnech markets its products to elections officials as “Election Logistics Made Easy.” The company’s pitch to potential customers: “Streamline your election management process and save your staff time and money with our industry leading software products.”
So you can imagine the company’s anger when a group called True the Vote accused Konnech of having ties to the Chinese Communist Party. On Sept. 12, Konnech sued True the Vote, its founder Catherine Engelbrecht and board member Gregg Phillips for defamation. Konnech “has no affiliation with the Chinese Communist Party whatsoever,” the company said in the lawsuit, “All of Konnech’s U.S. customer data is secured and stored exclusively on protected computers located within the United States.”
Company officials gave interviews to media outlets in which they declared that True the Vote’s “false and malicious claims” were leading to death threats against the company’s CEO, Eugene Yu, a naturalized U.S. citizen. A company spokesperson told NPR that Konnech “has been and is working closely with law enforcement at multiple levels regarding True the Vote’s claims.”
It turned out that True the Vote board member Gregg Phillips had been working with law enforcement regarding Konnech’s claims. His tip to the Los Angeles district attorney’s office led to an investigation that has now resulted in charges against Konnech’s CEO.
According to the D.A.’s office, Konnech stored the personal information of Los Angeles County poll workers on servers in China, in violation of the company’s contract with the county. Further, the complaint alleged, the company gave “superadministration” access to contractors in China who were working on “fixing” the company’s Pollchief software product.
This is “probably the largest data breach in United States history,” Los Angeles County prosecutor Eric Neff stated in the complaint. “Based on evidence recovered from a search warrant executed October 4, 2022, the District Attorney’s Office discovered that Konnech employees known and unknown sent personal identifying information of Los Angeles County election workers to third-party software developers who assisted with creating and fixing Konnech’s internal ‘PollChief’ software,” the prosecutor wrote.
How is a data breach involving one county’s poll workers possibly the largest data breach in U.S. history? A clue can be found on Konnech’s own website. Here’s the copy pitching the PollChief Election Worker Management System: “Assign, communicate, and pay your workers with one easy-to-use system,” it promises.
One thing that’s communicated to election workers is credential data. In other words, user IDs, passwords, PIN numbers, security questions and contact information may have been stored on servers and shared with third-party contractors in China.
What could a hacker in an adversarial nation do with that kind of access? Anything a credentialed election worker could do, possibly including malicious software “updates” that could mess with the tally of scanned ballots or the voter registration records.
If this is “possibly the largest data breach in U.S. history,” it may be because PollChief is used by elections offices throughout North America, as the company’s website proudly states.
Do hackers in China have election worker credentials for every one of those jurisdictions?
A lot of people want the answer to that question, and many of them are elections officials. Some have already canceled their Konnech contracts. L.A. County has not.
In the meantime, Eugene Yu has been ordered to remain in home confinement after posting a $500,000 bond. For violating the $2.9 million contract with L.A. County by failing to keep the poll worker data exclusively on servers in the U.S., Yu has been charged with conspiracy to embezzle public funds and theft by embezzlement of public funds. He’s not accused of personally stealing the money, but of misappropriating public funds and creating a “huge security issue.”
And it’s not a conspiracy theory.
This column originally appeared in the papers of the Southern California News Group PUBLISHED: October 19, 2022 at 3:14 p.m.
Write [email protected] and follow her on Twitter @Susan_Shelley