How a MAGA podcaster misused a cryptographer’s work to push the Big Lie

As I covered in the last piece, members of the Allied Special Operations Group constructed an elaborate theory to push their notion of 2020 election theft: votes had been changed on Dominion machines, they said, by first cycling them through a Scytl server in Germany.

One of the tricks of deception they used was to provide anonymous affidavits for the Kraken lawsuits: this way they could hide their coordination with each other in ASOG’s circle. The anonymity served another purpose. It meant they could vastly inflate biographies and make grandiose claims.

One anonymous affiant, for instance, claimed to be “military intelligence from the 305th battalion”—but was merely an IT Consultant from Dallas named Joshua Merritt, who had recently worked for ASOG. Another claimed to be a trained cryptolinguist and cryptographer, among other stellar qualifications. But only about a month after the Kraken lawsuits were filed, the Washington Post exposed her as being neither.

In fact, she was Terpsichore Maras-Lindeman, a one-time North Dakota mayoral candidate and QAnon podcaster who goes by Tore, and hosts a regular show called Tore Says.

Tore had hung around the ASOG crowd since at least 2019: in an interview with the QAnon Anonymous podcast, Joshua Merritt explains that he had met Tore around the election denialist swirl that surrounded Matt Bevin’s loss in the Kentucky Governor’s race. She is also known to be close with Patrick Byrne, and has interviewed him for her show multiple times. Pictures of her with Rudy Giuliani, Gen Flynn, Patrick Byrne, and others are easy to find on social media.

Tore’s “thesis”

Tore’s affidavit is densely written and skips from conspiracy theory to conspiracy theory with wild abandon and little connective tissue. I counted at least five theories she propounds, and each will require its own examination.

But in this article I want to examine just one of those narratives: one that fits nicely into the ASOG-pushed through-line. The narrative, as we saw before, is that votes were changed on Dominion machines via Scytl’s systems.

She makes her case through a set of abstruse equations, snippets of code, and technical jargon that have clearly been lifted from other cryptographers’ scholarly work without explicitly referencing them. A simple Google search reveals her source: a paper that describes a flaw uncovered in the Swiss government’s new online voting system, Swiss Post, back in 2019.

But the words “Swiss Post” appear only once in the affidavit—in a link. The thrust of their paper is twisted and misrepresented to make it arrive at the conclusion that Tore wants to come to: that Scytl’s election night reporting systems were responsible for stealing the election from Trump.

First, some background.

Swiss Post’s flaw

In February 2019 a scandal broke out in the esoteric world of cryptographers. The Swiss government was about to release a nationwide online voting system called Swiss Post, made by Scytl. Several months before it was due for release, researchers from the Australian National University, Université Catholique de Louvain, and Open Privacy Canada discovered a major flaw that could make it vulnerable to attacks.

Prof. Vanessa Teague, a researcher in the project, has written some good explanations of the flaw they found. But it is worth summarizing here so we can understand how Tore mangled it.

Swiss Post is an online voting system. Votes that people cast on their devices are carried over the internet to be counted. This means that devices need a live connection to the internet—and that individual votes never leave a paper trail.

Despite not having a paper trail, they still have to meet these requirements: it should be a secret ballot; votes should be faithfully recorded and faithfully counted; and, the system has to be able to prove that they were faithfully counted.

In order to maintain secrecy, ballots get encrypted, then these encrypted ballots get shuffled a number of times, just like a Blackjack dealer might shuffle a deck of cards several times over.

But there’s a problem. The votes that go into a shuffle are encrypted. The votes that come out are encrypted, and also shuffled. How can one be sure that what came out faithfully represented what went in? What if the shuffler—the Blackjack dealer, in my analogy—replaced a few cards?

Well, this is where the esoteric cryptography comes in. Each shuffle has to mathematically prove that each vote that went into the shuffle is faithfully present in the set that comes out. And this has to be done with “zero knowledge”: neither any single shuffler, nor the auditors of the system, actually know the content of the ballots.

There is, however, the possibility that if one knows a secret key—a trapdoor—one can “peek” into a shuffle and manipulate the votes. This is why it is very important for the trapdoor to be, not just secret, but unknowable.

However, the programmers of this system made a crucial mistake: their trapdoor was known by the Swiss Post code itself. Armed with the knowledge of the trapdoor, a malicious actor could secretly manipulate votes during the shuffle while still “proving” that all was well.
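The trapdoor problem described above can be shown with a toy Pedersen-style commitment, the kind of building block that shuffle proofs rely on. This is an added illustration, not code from Swiss Post, Scytl, or the researchers; the tiny group, the trapdoor value 777, the seed, and all function names are constructed for the example.

```python
import hashlib

# Constructed toy group: P = 2*Q + 1, both prime. Far too small for real use.
P, Q = 2039, 1019
G = 4  # 2^2 mod P, so it generates the order-Q subgroup

def commit(h, m, r):
    """Pedersen-style commitment to message m with randomness r: G^m * h^r mod P."""
    return (pow(G, m, P) * pow(h, r, P)) % P

def verify(h, c, m, r):
    """An auditor's check that (m, r) opens commitment c."""
    return c == commit(h, m, r)

def equivocate(trapdoor, m, r, m_new):
    """With x = log_G(h) known, solve m + x*r = m_new + x*r_new (mod Q)."""
    return (r + (m - m_new) * pow(trapdoor, -1, Q)) % Q

def derive_h(seed):
    """Hardened setup: hash a public seed into the subgroup, so anyone can
    recompute h and nobody picked its discrete log."""
    counter = 0
    while True:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        h = pow(int.from_bytes(digest, "big") % P, 2, P)  # squaring lands in the subgroup
        if h not in (0, 1):
            return h
        counter += 1

def demo():
    x = 777                      # trapdoor known to whoever generated h (the flaw)
    h_weak = pow(G, x, P)
    c = commit(h_weak, 1, 123)   # commit to "ballot value 1"
    r_forged = equivocate(x, 1, 123, 2)
    return {
        "honest_opening_ok": verify(h_weak, c, 1, 123),
        "forged_opening_ok": verify(h_weak, c, 2, r_forged),  # same c, different ballot
        "h_public": derive_h(b"constructed-public-seed"),
    }

if __name__ == "__main__":
    print(demo())
```

Both openings pass the same auditor check, which is why a proof built on such commitments stops meaning anything once the trapdoor is known. In a group of real cryptographic size, deriving `h` from a public seed as in `derive_h` is what keeps the trapdoor unknowable; in this toy group it could still be brute-forced.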

The researchers also found a second flaw: the encryption method they had used made it vulnerable during the decryption phase as well. Quoting from Prof. Teague’s presentation, an attacker could use this vulnerability to “turn a valid vote into nonsense”.

These were devastating discoveries. The researchers did not claim that any such theft had actually occurred, just that it could. But the risk was enough that the Swiss government had to shelve their plans for the time being.

Online voting in the US

Online voting systems like Swiss Post have special vulnerabilities that other systems don’t necessarily share. They have to be connected to the internet, and do not leave a paper trail. The constant live connection is an attack surface. Since there is no paper trail, developers have to resort to cryptographic methods to prove the validity of the votes, as we saw above—whereas if one had a paper record of the vote, that is hard proof in itself.

They also need to take special pains to obfuscate the source of the votes to maintain the secrecy of the ballot. However, if there is a paper record, it is already obfuscated, because they are designed to not contain any identifying information.

This is why balloting experts unanimously advise against online voting. Quoting from a 2018 report from AAAS:

The use of online or Internet voting, which includes email, fax, web-based voting and mobile apps, remains fundamentally insecure. The lack of a meaningful voter-verified paper record means there is no way to conduct a valid audit of election results or to reliably detect errors or manipulation.

In fact, one of the success stories about the 2020 election was that the US generally eschewed online voting, and several states moved towards having paper records of ballots. Of the five “Kraken” states, Arizona, Georgia, Michigan, Wisconsin, and Pennsylvania, all had paper trails, as seen in the Verified Voting interactive website. Only Arizona permitted a form of internet balloting for a small set of voters: uniformed personnel stationed abroad. However, Arizona’s system is quite different from Swiss Post: it provides a secure electronic portal over which overseas personnel can return filled in ballots.

The upshot is that Swiss Post’s flaws had very little relevance to the 2020 US elections, except as a warning against adopting online voting in any of our elections.

Tore’s first mistake

Naturally, this is not how Tore sees it. As we saw in my last article, an entirely different Scytl product, Clarity, an election night reporting system, is widely used in the US.

Such systems do not need to encrypt and shuffle ballots because they do not receive individual ballots, just tallies, which means information about individual voters is already obfuscated. Nor is there any need for secrecy, as this data is meant for public reporting.

So flaws in Swiss Post do not imply flaws in Clarity election night reporting, even though both are Scytl products. It would be like claiming a bug in a Tesla self-driving car implies the same bug exists in a Tesla online car dealership. It is pure guilt by association.

But Tore proceeds as though the Swiss Post flaw found by the researchers is highly applicable to the 2020 election due to the use of Scytl’s election night reporting system. Watch how she makes leaps in logic.

First, she points out correctly that Scytl’s Clarity election night reporting system feeds news sites like AP.

However, the “on behalf of Dominion” construction is problematic. It implies that Dominion is the prime beneficiary of vote tallies. This is incorrect—election night reporting is a one-way street, and is not expected to feed totals back into Dominion (or other) machines.

Then, she quotes a decade-old report about Scytl being given the contract for a voting solution for overseas voters during 2010…but conveniently leaves out the last line, which is that this was a ballot delivery and ballot marking solution. In other words, not online voting like Swiss Post.

Here is the last line she leaves out: “The solution offered by Scytl will allow overseas voters to receive their ballots in a timely manner, and optionally, to use an onscreen wizard to make ballot selections”.

Besides, that report was about the 2010 election cycle, not 2020. The Kraken crowd have made a lot of outlandish claims, but thus far time travel was not among them.

Finally, she makes the leap in logic. She draws in concepts from Swiss Post’s cryptographic design (shuffling, trapdoors, etc.) that, as we have seen, do not apply to election night reporting systems like Clarity. With the phrase “ALL SCYTL” she claims that all Scytl products suffered from Swiss Post’s flaws, regardless of which product it was. The link below leads to Prof. Teague’s paper that analyzed the Swiss Post flaw, which is irrelevant for Clarity.

Her entire thesis rests on this leap of logic. The rest of the affidavit proceeds as though votes went from Dominion machines into the Swiss Post system and went through encryption, shuffling, and decryption. She calls it “Scytl” in order to conflate with Clarity’s election night reporting:

In the block diagram above, the encryption/decryption/trapdoor are concepts that apply to online voting, while the last block, “votes tallied reported by Scytl”, applies to election night reporting. To emphasize once again, if a state is using Dominion machines, it is not using online voting in the style of Swiss Post. Dominion machines certainly did not feed votes into Swiss Post.

Tore’s second mistake

We are not done. Tore’s Scytl theory continues to go off the rails. First, as we saw above, she conflates Swiss Post with Clarity, because they are both Scytl products; next, she pretends that a flaw in the code was an intentional design choice for the purpose of stealing votes.

Let’s see how she does this. The word “nefarious” is our first clue.

To be clear, the paper that Tore liberally lifts from describes a flaw; there is nothing fundamentally wrong with the cryptographic methods used. They were just used incorrectly by Swiss Post developers in a way that made that system vulnerable to a malicious actor. Quoting Prof. Teague:

The Scytl-Swisspost mixnet uses a provable shuffle due to Bayer and Groth [BG12]. We describe here an important implementation detail that allows the forging of apparently verifying Bayer-Groth proofs. It is not a fault in the B-G proof mechanism, but rather in this specific implementation of it

Teague et al (2019)

But once Tore has incorrectly placed Scytl’s online voting code into the context of the US 2020 elections, she frames it as a matter of intentional design that Dominion and Scytl collude over sharing the secret trapdoor, and secretly change votes:

Thus, Tore first generalizes the problem, going from a mistake in one piece of code to a problem with the algorithm itself, and ends up exactly 180 degrees from the truth: any system that encrypts and shuffles votes, she claims, can never be relied on. “ZERO integrity of the votes when mixed,” she says.

This is exactly the opposite of the truth. Encryption and shuffling are essential for maintaining anonymity of votes. She completely disregards the need for a secret ballot.

Show me the paper

When someone puts out something this egregiously wrong, one has to wonder if it was a misunderstanding or simply lies. Perhaps Tore was just sincerely confused about two distinct Scytl products being the same as each other?

I cannot say with certainty one way or another. But I can speculate: Tore’s elaborate attempts to stitch a plausible narrative together, from what must have been some obsessive googling, look very much like lies to me. Not just based on the factoids she cherry-picks, but also from those that she chooses to omit.

It’s even clearer when you look at her blog post from 2019, written in the wake of Matt Bevin’s loss to Democrat Andy Beshear in the Kentucky governor’s race. This was the first time, that I am aware, that she used Prof. Teague’s findings about the Swiss Post flaw in order to craft a narrative of election theft. The paper came out in March 2019, her post in November 2019. Later, big chunks of her blog post appeared in her Kraken affidavit.

Like many states during the 2020 elections, Kentucky’s 2018/9 cycle used Scytl’s Clarity product for election night reporting. Verified Voting shows that Kentucky used a mix of hand-marked paper ballots and direct-recording machines, neither of which maintains an online connection while voting. While each type of machine has its own vulnerabilities, they are not the same as the flaws in an online voting system like Swiss Post.

And yet, Tore claims that she had discovered these flaws before the researchers did—by examining Kentucky’s infrastructure!

“I am going to take the leap and say I determined the issue,” she says, adding:

When the issue I found was brought to the attention of the Swiss Federal Chancellery, they ceased e-voting operations and demanded that “Swissport” [sic] (the Swiss version of KY’s Harp Enterprises) was suspended until they remedied the issue.

That is a clear lie. There is no way she could have independently found the same flaw in Harp Enterprises—Swiss Post was not merely a “Swiss version” of Harp machines.

Nevertheless, by 2020, she seems to have been aware of the need to implicate Scytl into the chain of balloting in a deeper way. It is telling that she inserted a decade-old news blurb about Scytl’s DoD contract into her affidavit—and omitted the line that showed it wasn’t for online voting (either way, this was largely irrelevant in 2020).

Interestingly, someone entered that news blurb about Scytl’s DoD contract into an open source watchdog website last year, and also omitted the same line. I wonder if that someone could be Tore seeding a blurb she could rely on later.

Lastly, upon reading the blog post from 2019, it is clear that Tore understands how important paper ballots are to ensuring the validity of votes. However, not once in her affidavit does she mention that all Kraken states had paper ballots of one form or another. In fact, those paper ballots were relied on during post-election audits in Arizona and in Georgia; both audits confirmed the result.

Paper ballot records are exactly what makes voting systems that use them more secure than an online voting system like Swiss Post. It is clear from her blog post that Tore understands this. However, in her affidavit, no mention of paper trails can be found. It is the dog that never barks.

Many thanks to Prof. Vanessa Teague for her help in navigating these concepts. Any errors that remain are mine alone.
