Fact check: system logs are not auditable election records
Yes, Dominion's election computers routinely delete 'system logs'. No, this is not a violation of the law about 'election records'. No, they can't be used for audits.
Right-wing conspiracy-theory website “The Gateway Pundit” has an article about the Mesa County (Colorado) election results, citing a report claiming the election cannot be certified. I’ve debunked the technical details contained in an earlier draft of that report. But there’s a deeper underlying problem here, the claim that computer “system logs” are some sort of “election record” that can be used to “audit” an election.
This is false.
system logs are not election records under current law — not in any county, state, or federal rules
system logs cannot be used to audit an election, they can’t be used to tell if the vote count is correct
system logs are unlikely to show whether a computer has been hacked or not
In other words, not only are the technical details of the above report wrong, the premise is wrong. System logs cannot be used to audit an election, which (among other reasons) is why election records preservation laws don’t demand that they be preserved.
What is a system log?
Computers keep records of interesting events. This means that when something interesting happens, they append a line of information to a file. The computers that do this include your phone, your laptop, your desktop, and any server you interact with. Every time you click on a web page link, both your own device and the website you are interacting with will create a log of that event.
The primary purpose of logs is that when things fail, engineers can go back in time to figure out how things failed. Diagnosing computer problems is usually done by searching system logs for clues.
A secondary purpose of logs is that they can sometimes tell you if your computer has been hacked. However, they do a really crappy job of this, since that’s not their primary purpose. Moreover, hackers are skilled at deleting such logs.
A lot of logging happens by default: your device comes with such logs enabled. A lot more logging is optional, enabled piecemeal when trying to figure out a recurring problem. When you have a computer problem that can’t easily be diagnosed, the support engineer will usually ask you to enable some more logging.
This technical blogpost explains the sort of thing one can discover with logs using the Mesa County image. The above Gateway Pundit report is based upon that “system image”, a copy of the hard drive, that Tina Peters took back in May. By reviewing the system logs, I can see the precise time she logged in, how long it took, even the make/model of the external hard-drive she used to copy the internal hard-drive.
Are Windows logs “election records”?
No. They aren’t “election records”. They are not used in election audits. It’s just like how the IRS doesn’t look at your Windows logs when auditing your taxes.
There are federal and state laws mandating the retention of “election records”, such as 52 USC §20701. There is no precise definition of “election records”. Generally, the law is interpreted to mean things like voter registrations and actual votes — things that can be audited and recounted.
No jurisdiction anywhere considers computer “system logs” to be “election records”. No state recognizes this, no court has ruled this. Counties list the things they must retain after an election, and no such list includes “Windows system logs”. I admit that I haven’t checked every one of the more than 3,000 counties in the United States — but I’ve found none of the election deniers have cited any. System logs don’t appear to match the definition because they are not “requisite to voting” as the law says.
The claim that Windows logs are election records under the law is some new interpretation created by Trump supporters that nobody else agrees with.
That’s not to say their interpretation should be wrong. State legislatures or election administrators may change their interpretation of “election records”. Moreover, lawsuits brought before the court challenging this may get a ruling that in the future, “election record preservation” rules should encompass “system logs”. Thus, it can become true for future elections: system logs may become election records.
The point is simply that it’s not true currently.
Moreover, Trump supporters aren’t fighting for this in future elections. There’s no movement in states controlled by the Republican Party to change election rules to declare “system logs” as “election records”. It’s purely a tactic for challenging the validity of the past election. It’s perfectly reasonable to argue for rule changes in future elections; it’s just unreasonable and actively evil to pretend these were the rules for the last election, in an effort to declare that election illegitimate.
Are they useful for an “audit”?
There is confusion between the words audit and forensics here. As currently defined, the Windows system logs can be used for forensics, but not audits.
An audit means you are trying to replicate the results. An audit always has a definitive yes or no result.
Forensics is a hunt for clues. It’s usually indeterminate — you might find some anomalies you can’t explain that are worth further investigation, but they rarely find a smoking gun.
Windows logs are not part of an election audit. An election audit does things like recount the votes or verify procedures were followed. There’s no way Windows system logs can change this. Even if you do forensics on the machine and find conclusive proof that the Chinese hacked the system remotely, this still won’t affect the above audit results of recounting the votes.
The Maricopa and Mesa “audits” never tried to find something definitive with the Windows logs. Instead, they hunted for anomalies — things they couldn’t explain.
The reason they couldn’t explain the anomalies they found was due to lack of effort or lack of expertise. They don’t imply hackers, they imply bad auditors. My other blogposts explain some of the things they couldn’t, or point to things that could’ve explained the anomalies.
Logs can be used for audits, but only if you declare ahead of time precisely what needs to be logged, and what constitutes a definitive result. For example, you could declare that the system must log the identity of everyone who logs onto the computer. Any logon not in the list, or deletion of this log, could then be noted by an audit as a failure.
You cannot just retroactively declare a new audit standard for past systems and say they failed because such records are missing (as the Republicans attempt to do).
An open-ended search for clues and anomalies is not an “audit”. And that’s all the above report does. An “audit” is only when there’s a clear standard of “pass” or “fail” — an “audit” that contains a list of “maybes” is not an audit.
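The predeclared logon-log audit described above, written out as an added example (not code from the original post or from any election system). The record fields, the sample records and the account "tempuser" are constructed; 4624 and 1102 are the Windows Security log event IDs for a successful logon and for the audit log being cleared.

```python
LOGON, LOG_CLEARED = 4624, 1102  # Windows Security log event IDs

def audit_logons(records, allowed_accounts, first_record_id=1):
    """Return (passed, failures) against a standard fixed before the election.

    records: dicts with 'record_id', 'event_id', 'account' (assumed export format).
    allowed_accounts: accounts declared in advance as authorized to log on.
    first_record_id: record number at which the audit period was declared to start.
    """
    allowed = {a.lower() for a in allowed_accounts}
    failures = []
    if not records:
        failures.append("no records preserved")
    expected = first_record_id
    for rec in sorted(records, key=lambda r: r["record_id"]):
        rid = rec["record_id"]
        # Rule 1: the log must be complete. A jump in record numbers means
        # entries were overwritten (overflow) or removed.
        if rid > expected:
            failures.append(f"missing records {expected}-{rid - 1}")
        expected = rid + 1
        # Rule 2: clearing the log is itself a failure.
        if rec["event_id"] == LOG_CLEARED:
            failures.append(f"log cleared at record {rid}")
        # Rule 3: every logon must be by a predeclared account.
        elif rec["event_id"] == LOGON and rec["account"].lower() not in allowed:
            failures.append(f"undeclared logon by {rec['account']} at record {rid}")
    return (not failures, failures)

# Constructed sample data. "emsadmin" is the account named in this post.
ALLOWED = {"emsadmin"}
COMPLETE = [
    {"record_id": 1, "event_id": LOGON, "account": "emsadmin"},
    {"record_id": 2, "event_id": LOGON, "account": "EMSAdmin"},
]
OVERFLOWED = [  # oldest entries overwritten: the log now starts at record 5001
    {"record_id": 5001, "event_id": LOGON, "account": "emsadmin"},
]
TAMPERED = COMPLETE + [
    {"record_id": 3, "event_id": LOGON, "account": "tempuser"},
    {"record_id": 4, "event_id": LOG_CLEARED, "account": "tempuser"},
]

if __name__ == "__main__":
    for name, recs in [("complete", COMPLETE), ("overflowed", OVERFLOWED),
                       ("tampered", TAMPERED)]:
        passed, why = audit_logons(recs, ALLOWED)
        print(name, "PASS" if passed else "FAIL", why)
```

A pass here only says the declared standard was met. It does not say who was at the keyboard when a declared account such as emsadmin logged on, and a log that overflowed fails only because the standard said in advance that it must be complete.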
Would system logs have caught hackers?
Maybe, but probably not.
Mike Lindell claims to have “Absolute Proof” that Chinese hackers broke into election computers across the country, including this one in Mesa County. We have the Mesa system image with almost all the logs recorded in the 2020 election. Yet, there is no evidence in those logs of any hacking.
In truth, such evidence would likely not exist. The system logs aren’t that robust. They can’t be used to prove the system wasn’t hacked, neither are they likely to have clues if the system was hacked.
An example is the “login” logs I mentioned above. If the system were hacked, you’d (probably) see only the normal logins. Hackers don’t have their own accounts, but use the accounts of other people they’ve hijacked. We see that in the Mesa system, where somebody logged in with the “emsadmin” account to take the system image. We have no idea whether this was the person authorized to use the account or not.
As the above report mentions, the “login” system logs overflowed, deleting the entries from the 2020 election. These entries are unlikely to have told us anything, even if the system were hacked.
At best, the logs would’ve shown suggestive anomalies, pointing to other areas of investigation. But by themselves, even if it seemed pretty certain that hackers broke in, they couldn’t tell us if votes were flipped. They still would not change an “audit” of the election.
Conclusion
Trump supporters keep claiming, without evidence, that the 2020 election was fraudulent. This lack of evidence creates new arguments, such as the focus on system logs.
It’s false. No audit of the election can consider normal operating-system logs. It’s not a thing. It’s just something they made up.
References
52 USC §20701 - Federal law on “Preservation and retention of voting records” for 22 months after a federal election, where such records are defined as things that are “requisite to voting in such election”. This is extraordinarily vague. Maybe a court, state legislature, or county administrator will decide that this should include Windows system logs, but none have so far.
EAC guidelines - These are unofficial guidelines by the federal Election Assistance Commission. However, some states make them official either through laws or regulations. None of the documents here describe Windows logs as election records that must be retained.
Colorado Code § 1-7-802 (2022) - Colorado code on records preservation, does even less to clarify what a “record” is, but extends the length of time to 25 months instead of the federal 22 months.
Colorado Revised Statutes T§ 1-5-601.5 - Says the voting systems must meet the 2002 “Voting System Standards” published by the FEC, or the later “Voluntary Voting System Guidelines” published by the EAC.
Colorado Secretary of State Election Rule 21 Voting System Standards for Certification - The actual rules that were in force during the 2020 election in Colorado. In section 21.4.9 it says the system track some Windows logs, such as logins, application start, and hardware insertion (which it does). But the Election Rules doesn’t say they need to be preserved.
All rules in force during 2020 Colorado election - This lists all 143 pages of the rules in force during the 2020 elections. This document lists all the things needed to be preserved as “election records” under §1-7-802. Nowhere does it mention the Windows system logs as something needing to be preserved.