Election Vulnerability Disclosure Becomes Fodder for Dueling Conspiratorial Narratives on Telegram

• University of Michigan computer science professor J. Alex Halderman recently published an analysis where he identified a flaw in Dominion Voting Systems ballot scanners, a vulnerability that didn’t allow ballots or vote tallies to be modified but could, in some situations, compromise voter privacy.

• Online narratives around this vulnerability show how different communities — even those that seemingly share partisan goals — can take the same phenomenon and create opposing narratives around it, fitting the story to the anxieties and concerns of each respective subgroup.

• In this Election Integrity Partnership (EIP) analysis, we analyze the spread of associated narratives across multiple platforms, including Twitter and Telegram. We explore one counter-narrative that doubts the flaw’s seriousness, instead claiming that Halderman’s disclosure is part of a larger plan to prevent citizen oversight of the election process. 

This Election Integrity Partnership analysis was co-authored by Mike Caulfield and Zarine Kharazian, with contributions from Stephen Prochaska, Adiza Awwal, Damian Hodel, and Kate Starbird (University of Washington Center for an Informed Public) and Christopher Giles, Ilari Papa, Michal Skreta, and Emma Lurie (Stanford Internet Observatory).

Introduction

On Friday, October 14, University of Michigan computer science professor J. Alex Halderman published an analysis of a security flaw in the software for Dominion Voting Systems’ ballot scanners, which are used in parts of 21 states. This security flaw would not allow ballots or vote tallies to be modified, but could in some circumstances allow members of the public to identify how individual people voted, thus undermining voter privacy. Since then, two major narratives have emerged across far-right communities on mainstream and alt-tech social media. One narrative highlights this vulnerability, which is unrelated to the security of results, as yet another example of why machines (and Dominion) cannot be trusted. A second counter-narrative rejects the seriousness of the flaw, instead claiming that the release of the information about the exploit is part of a larger plan to actively prevent citizen oversight of the election process. 

In this report we analyze how competing narratives on the vulnerability spread, developed, and scaled across several platforms.

Twitter spread has been minimal and largely focused on general voting machine distrust.

Halderman posted a tweet disclosing the vulnerability and linking to his research team’s analysis on October 14, 2022. Within half an hour of Halderman’s tweet, Raheem Kassam, the editor of the National Pulse, a right-wing media outlet, posted a tweet linking to an article about the disclosure that also embedded Halderman’s tweet. In his tweet, Kassam did not clarify that the flaw does not affect results. The article he posted does include this clarification, further into the body of the article.

Following Kassam’s tweet, opinion polling and political commentary site @Rasmussen_Poll tweeted the National Pulse article, and the founder of conservative website Just The News, @jsolomonreports, tweeted out an article from his outlet also reporting on Halderman’s tweet thread. The incident did not appear to break through to other influencers on Twitter, however, remaining largely confined to those connected to these two outlets.

While some users with a small follower base tweeted about the disclosure expressing general distrust of Dominion voting machines, there was little indication of additional rumoring related to this incident on Twitter. The conversation about the disclosure itself remained largely factual on the platform, though notably it spread primarily among accounts on the right who were already mistrustful of the security of Dominion voting machines. Given this mistrust, these audiences are likely primed to interpret any such vulnerabilities, even those that do not affect results, as evidence of a much broader issue.

Our insights into Facebook and Telegram are limited by our investigatory tools. [1] However, much of the sharing patterns we found on Facebook and Telegram mirrored what we found on Twitter, as with this example from Michigan Secretary of State candidate Kristin Karamo’s Facebook and Instagram pages.

The call to action here is a bit complex: Karamo capitalized on the incident to discredit her opponent, Secretary of State Jocelyn Benson, by claiming that inaction on the part of Benson would be wrong. But part of the call, and payoff, comes from the fact that actions to patch the flaw before the election are unlikely given the time-frame. Replies to the post capture analogous interpretations and kindred sentiments, including false allegations that leftist activists run Dominion and suggestions that states remove all voting machines from the election process.

One notable element of the spread on Facebook was the presence of links to Rumble, the significance of which is made more clear in our Telegram analysis.

Telegram spread was more robust, and moved from general machine distrust to an oversight obstruction narrative for some.

Initial spread on Telegram revolved around the same article popular on Twitter from the National Pulse, and showed much of the same pattern, with many channels choosing to simply forward author Raheem Kassam’s post with little additional comment. An example of this is from the popular Sidney Powell channel. This channel boasts over 300,000 followers. While the channel claims to be the “official channel of Sidney Powell,” it is not a verified account and we could not independently verify its ownership.

Kassam’s original Telegram post sharing the article received over 250,000 views, and highlighted elements that supported the “serious flaw” narrative, highlighting the number of states impacted, and stating the vulnerability would “not be fixed before mid term [sic] elections.”

From our limited view into Telegram, The National Pulse article link seemed to receive the highest number of overall shares on Telegram based on our sample, though articles from Emerald Robinson’s “The Right Way” Substack and the Gateway Pundit also circulated on the platform. Additionally, Spanish language translations of posts about the Halderman vulnerability spread on Telegram alongside narratives in English.

Unlike Twitter users, Telegram users appeared to engage more in sense-making of the news,   looking to determine which of multiple narratives fit the story. In the comment sections of major posts and forwards, users initially proposed two options:

• 1. Hackable results: The security flaw emphasizes the weakness of the system, the insecurity of voting machines, and the potential for malicious actors to hack/manipulate election results. According to one of the sub-narratives, Dominion Systems has strived to install its software in the election infrastructure manufactured by Election Systems & Software (ES&S). Users on Telegram substantiated their claims by using photos showing the geographical proximity of ES&S and Dominion Systems offices in Texas. 

• 2. Bought or coerced votes: This vulnerability is real, and malicious actors may exploit it to force people to vote a certain way or to buy votes.

These two initial interpretations represent elements of the “serious flaw” narrative. In a relatively short amount of time, two counter-narratives emerged, advancing a different view of the level of threat posed by the flaw. In both these narratives the severity of the flaw was seen as overblown, and the disclosure was seen as a “smokescreen” for some other malicious action:

• 3. Manufactured crisis: The disclosure represents a false flag that Democrats might use to contest the election and manufacture a crisis. 

• 4. Obstruction of citizen oversight: The security researchers represent double agents who disclosed the vulnerability to assist Democrats with concealing evidence of election fraud. In other words, Democrats could resist calls to release voting records by arguing that the vulnerability would help identify specific voters.

Of the two counter-narratives, number four (obstruction of citizen oversight) is the only one we found to have generated additional posts.  

For this narrative, we see a major post, along with a Rumble video, with a detailed argument for the counter theory, emerge at 12:47 p.m. Pacific Time, a mere three hours after Halderman’s initial post, and posted by a smaller account with approximately 20,000 followers. 

While the attached video received far less views, the post was seen by many more and served to shape the emerging narrative on Telegram, particularly among those on the platform who have been actively trying to prove the 2020 election was illegitimate through the analysis of publicly available records. 

BREAKING: Halderman Finds NEW Dominion "Privacy Flaw" Found Across 21 States!

MARK MY WORDS… They’re going to use this as a way to TRY to block us from getting the CVR’s and ballot images from 2022…

The claim here requires some explanation. For many of those mobilized around the idea that the 2020 election was stolen, certain transparency measures have taken on an outsized significance. One of those measures has been the use of posted ballot images — direct scans of ballots posted online and viewable in scan batches. A second, more recent fixation has been the “cast vote record” that is maintained by some machines. The cast vote record (or CVR) is a record of how people voted on a particular machine, and is sometimes used by professional auditors and researchers but is not generally seen as useful for others. All the same, the pursuit of Cast Vote Records through public records requests has become a celebrated cause on Telegram, with sub-communities mobilizing around requesting them and adding them to larger repositories for crowdsourced “analysis.”

This community focused on Halderman’s description of a post-election fix to “sanitize” election data before providing it to the public. That description, on the front page of the DVSOrder site reads:

Jurisdictions can continue to publish ballot-level data if they take steps to “sanitize” data from vulnerable Dominion scanners. We have created a sanitization tool to help. Public access to election data, including cast-vote records and ballot images, can be valuable for voter confidence, and DVSorder is not a reason to reduce transparency.

Further instructions by Halderman advised the deletion of a column which he deemed not useful to public analysis of voting records, “column D.” Halderman considered both of these suggestions, when applied to the cast vote record and ballot image names, as inconsequential to transparency provided by ballot images or public records. However, the CVR-focused community saw these suggested actions as attempts to obstruct oversight of the election and conceal presumed nefarious actions. They portrayed Halderman as engaged in manufacturing a false crisis to block crowdsourcing detectives who were getting too close to the truth for comfort.

Jeff O’Donnell, an election skeptic who spearheaded much of the CVR effort in the past, and who uses the alias “The Lone Racoon” on Telegram promoted this narrative as well. O’Donnell posted on his channel that “this new Halderman document is designed to cast doubt on the existing ones [CVRs] and make sure the 2022 CVRs are unusable,” and that Halderman was best seen as a “double agent.” 

Others began to put “privacy flaw” in quotes, using a common technique to imply that a particular explanation for something was fake. Joe Hoft, of the Gateway Pundit site and a prominent opinion leader outside Telegram, subsequently adopted a similar practice, framing the incident under the obstruction of oversight narrative. In a blog post and related Telegram post in which he interpreted the disclosure, he put both “voter privacy issue” and “solution” in quotes.

Analysis and Takeaways

The incident underscores how different communities — often with niche community concerns — can come to unexpected interpretations of relatively mundane announcements. In particular, it suggests that a certain type of highly mobilized activist may favor narratives that advance issues specific to their activism, even at the expense of overarching narratives with which they might otherwise agree. As we engage in prediction about the likely salient narratives of the election night and beyond, this is an important insight, since mobilized voices take an active role in generating narratives. 

We might expect, for example, narratives around perceived obstruction of oversight to take an outsized place on election night, as activists find that local laws and regulations may not permit the types of media they wish to create or the actions they wish to take. As an illustration  from the previous election, consider the “cardboard over the windows” incident from 2020, which was misportrayed as obstructing citizen oversight. As more of those engaged in sowing doubt about U.S. elections see themselves not just as propagandists but as investigators, the potential for more narratives of this sort increases. Longer term, the embrace of the larger “obstruction of oversight” narrative gives us some insight into November, where on-the-ground realities combined with the salience of this narrative in the mobilized community suggest this will be a key narrative for election day and beyond.

Furthermore, the incident highlights a difficult conundrum election communicators must face while considering whether to take actions to protect voter privacy due to the specific flaw. They may find that while one set of activists highlights these actions as an effort to address the flaw, another set of activists capitalizes on them to create conspiracy theory fodder.  Communicators on this issue, whether election officials or press, should be aware of both narratives — one emphasizing the impact to undermine faith in machines, and another seeking to minimize impact to prevent certain privacy remedies. Certain words common in the field, such as “sanitization” of records, also may take on unexpected significance in different communities which do not have a comprehensive understanding of technical details.

This incident also highlights the challenge faced by good-faith security researchers who discover vulnerabilities in election equipment with the goal of making elections more secure. The security research community has long feuded over various models of disclosure, balancing the need for end-users to protect themselves against the benefits that accrue to attackers of knowledge of a not-yet-patchable flaw. This situation shows that the analysis for election equipment is complicated by the existence of a large community of non-experts who will use any such disclosure as the basis for attacking the integrity of elections with no evidence. 

Finally, it suggests that anyone trying to understand the full range of election narratives, particularly among the individuals most mobilzed around the Big Lie, must pay more attention to Telegram, which functions both as a platform for sense-making for those individuals and as a space from which opinion leaders, not constrained to Twitter or Facebook, pull narratives that may in time reach a broader public.

Notes