By: Siri Christiansen
November 6 2024
The passwords were leaked by a civil servant, and an investigation has not yet determined whether this was done intentionally or accidentally.
What's being claimed?
Social media posts claim that Colorado Secretary of State Jena Griswold personally leaked passwords to voting machines in the state in what some users (example archived here) have described as "a class 5 felony." The claim was picked up by large accounts such as Libs of TikTok (archived here), whose X post amassed 3.2 million views.
This comes less than a month after the former Colorado county clerk Tina Peters was sentenced to nine years in prison for a voting systems breach in 2021, where passwords appeared online after Peters helped an unauthorized person make a copy of a Dominion Voting Systems computer's hard drive. Social media users were quick to draw a comparison between Peters and Griswold, implying that the latter has been given better treatment because she is a Democrat.
"Griswold got caught exposing these same 'very confidential' passwords," Trump's chief legal defender Mike Davis wrote in an X post (archived here) where he called for Griswold to "face a criminal probe."
"You *CANNOT* jail Tina Peters and not jail Jena Griswold," another X user wrote. "You might as well disband the entire court system if judges can't apply justice equally and blindly without contriving 'Democrat exceptions.' (archived here)
Source: X/Screenshots/Modified by Logically Facts.
What happened?
On October 29, the Colorado Department of State's office released a statement explaining that "partial passwords to certain components of Colorado voting systems" had been published on the department's website in a hidden tab on a spreadsheet.
"This does not pose an immediate security threat to Colorado's elections, nor will it impact how ballots are counted," the statement continued, listing several safeguards.
"There are two unique passwords for every election equipment component, which are kept in separate places and held by different parties. Passwords can only be used with physical in-person access to a voting system. Under Colorado law, voting equipment must be stored in secure rooms that require a secure ID badge to access," the statement read. It also explained that the election equipment is under 24/7 video surveillance and that access to the room is logged and tightly regulated.
In a statement released on November 4, the Department of State disclosed that the passwords had been online since June before they were discovered on October 24. By October 31, all affected equipment had undergone password updates with support from the Governor's Office of Information Technology, Colorado Bureau of Investigation, and Colorado's dedicated County Clerks.
The statement added that a law firm had been contacted to conduct an outside investigation into the event.
Is Griswold personally responsible?
Speaking to CPR, Griswold said that the spreadsheet was posted accidentally by a civil servant who no longer works at the department.
This echoes the Department of State's initial assessment, which, in a statement, added that the spreadsheet was not created according to civil servants' required data security practices and training.
"I want to take a step back and say that secretaries of state, elected secretaries do not have access to these passwords. And it's the same thing with the statewide voter registration system. This information is held by civil servants," Griswold told CPR.
"There is no evidence that this was anything but an inadvertent error by an employee," Douglas Jones, an associate professor emeritus at the Department of Computer Science at the University of Iowa who focuses on electronic voting, told Logically Facts.
Jones said that while the secretary of state's office "made a real error" in managing security-critical information, he does not believe it to be a similar situation.
"I do not believe that there was a crime here," he said. "I suspect that some bureaucrat in the office thought (without being instructed to do so) that a hidden column in an existing spreadsheet was a good place for the BIOS passwords, and I suspect that some other bureaucrat in the office thought posting the spreadsheet was a good way to release information that the public needed."
"In contrast," Jones added, "Tina Peters actively worked with Sean Smith and Sherrona Bishop to release fairly complete disk images of the voting equipment in Mesa County, CO. (...) it was a very deliberate leak made directly with Tina's active cooperation and even instigation."
The verdict
Currently, nothing suggests that Griswold was personally responsible for leaking the passwords. Based on available public information, the passwords were leaked by a civil servant, and an investigation will determine whether this was done intentionally or accidentally. Therefore, we have rated this claim as false.