Maricopa County ‘audit’ response slams claims as false and misleading

By: - October 7, 2021 3:44 pm

The Senate’s “audit” team presented its report on Sept. 24, 2021. L to R: Ben Cotton of CyFIR, Doug Logan of Cyber Ninjas, Randy Pullen. Photo by Jeremy Duda | Arizona Mirror

The findings of the so-called “audit” of the 2020 election regarding voters allegedly casting ballots from the wrong address, deleted files, improper internet connections and improperly verified early ballot envelopes are false or misleading, according to a rebuttal that Maricopa County issued.

Throughout their more than three hours of testimony in the Arizona Senate, the leaders of the election review commissioned by Senate President Karen Fann repeatedly said there may be reasonable answers to some of the purported issues they found in nearly six months of work, but that they couldn’t say for sure. 

County officials on Thursday provided what they said are the proper explanations for those alleged issues. 


The first of the two documents deals with the allegations made by audit team leader Doug Logan, the head of the firm Cyber Ninjas, and Ben Cotton, who runs the company CyFIR. The second pertains to a review of digital images of early ballot envelopes conducted by Shiva Ayyadurai, an MIT-trained engineer and prominent conspiracy theorist. All three men have promoted baseless allegations that the 2020 election was stolen from Donald Trump or participated in activities aimed at challenging or questioning the results based on those claims.

Logan told Fann and Senate Judiciary Committee Chairman Warren Petersen that 23,000 mail-in ballots were cast by voters who were shown by a commercial database to have moved from the addresses where they were registered to vote, and several thousand more early ballots were cast by people whom the database indicated had moved out of the county or even out of state. County election officials rely on voters’ affirmations of where they live until the voter, the U.S. Postal Service or the National Change of Address report tells them otherwise.

Biggs says he ‘doesn’t know’ Trump lost Arizona as Congress questions Arizona’s election ‘audit’

The county said it reviewed its records and found no instances of people illegally voting from a prior address. The report noted that voters are legally allowed to update their addresses after the voter registration deadline for the election. Furthermore, the county took issue with the use of a commercial database to make determinations on whether a voter legally cast a mail-in ballot.

“Based on our preliminary review of voters found in the Senate’s data, we cannot substantiate Cyber Ninjas’ conclusions based on the use of a third party data set. No voter should be denied their right to vote because they are not in a commercial database,” the report said.

Regarding Logan’s claim that 9,000 voters cast more than one ballot, the county said the audit team erred by counting duplicate images of early ballot envelopes that election officials make when a voters’ signature requires additional steps to verify it. And another claim that 5,300 voters cast ballots in multiple counties was based on the audit team’s failure to check voters’ full names, Social Security numbers and drivers’ license numbers, rather than make assumptions based on voters who shared the same first and last names, middle initials and birth years. 

The county rejected the audit team’s claim that there were nearly 2,600 more duplicated ballots than the county’s records showed. Duplication is a process in which election officials re-copy a voter’s choices onto a new ballot because the original is unreadable by ballot tabulation machines. County officials re-checked their records and again found 27,869 duplicated ballots, not the more than 29,000 claimed by the audit, the report said.

The report does not offer any explanation or speculation as to how Cyber Ninjas reached its figure for duplicate ballots, but alleges that outside observers raised questions about the way that overseas and military ballots were handled, and that the number of ballos that the audit team says it hand-counted differed from the number of ballots from a separate machine count that Fann ordered.

County: Files were archived, not deleted

Perhaps the most damning allegation that the audit team made was that files from the county’s election system and logs were purged or deleted. Cotton alleged that some of the deletions occurred at suspicious moments, such as just before a forensic audit that the county ordered of some ballot tabulation machines, or shortly before the county turned over its equipment to the audit team.

But the county responded that many of the files were archived during routine backups, and that the subpoenas issued by Fann and Petersen never sought the backup logs or archives. As to information allegedly deleted on the logs that automatically track all actions taken on the election equipment, the county said those logs are configured according to factory settings, which have a storage limit of 20 megabytes. The report said no logs were “intentionally deleted.” According to Fields Moseley, a spokesman for the county, the logs are automatically overwritten when they reach their storage limit, which has a six-month capacity.

Two of Cotton’s claims were misleading and omitted critical information, according to the county’s response.

Cotton said the audit found that six pieces of election equipment were connected to the internet, despite a previous audit commissioned by the county that found the machines had never had any internet connectivity. Tabulation machines and election systems are supposed to be blocked from connecting to the internet to avoid the possibility of hacking or outside interference.

In his testimony and in the audit team’s official report, Cotton did not say what all of the six machines were. Two of those machines were web servers for the Maricopa County Recorder’s Office, the county’s response said, which would naturally be connected to the internet.

“The Senate’s contractors misled the public,” the county said.

The other pieces of equipment were tabulation machines. Two of those four machines had connections to the internet in February, one of which connected to Microsoft and Bing websites, according to the audit team’s report, while the other two had numerous connections on unspecified dates. The report redacted information that would have provided more details about the alleged internet connections. 

The county said those four machines simply weren’t connected to the internet, and are air-gapped to prevent them from achieving such connections. While the machines make attempts to reach out to the internet for Microsoft software updates, those attempts fail because the equipment is air-gapped.


Another of Cotton’s claims was that the tabulation machines were vulnerable because their security and antivirus software hadn’t been upgraded since 2019. But Cotton’s analysis omitted important information, the county said: Those machines didn’t receive the security patches that Cotton cited because the U.S. Election Assistance Commission, which certifies the equipment, requires that any updates to the software be authorized by the vendor, which is Dominion Voting Systems, and thoroughly tested.

Cotton raised a similar issue in a debunked audit of the 2020 election in Antrim County, Michigan. A subsequent analysis by J. Alex Halderman,  a computer science and engineering professor at the University of Michigan who serves on Verified Voting’s advisory board, found that the lack of software updates in Antrim County was a “serious security problem,” but that such issues “are frequently an unfortunate consequence of the federal certification process.”

Early ballot envelope analysis flawed, as well

As to Ayyadurai’s analysis, the county disputed his claim that “duplicate” images of early ballot return envelopes showed that more than 17,000 voters submitted two or more ballots. The reason for the duplicate images of some envelopes is that envelopes that require additional verification are re-scanned after the signatures are confirmed, or “cured.”

“The Senate’s contractor did not understand that Maricopa County may scan an envelope multiple times as a voter ‘cures’ a signature issue or signs a blank envelope,” the county said.

Ayyadurai questioned why most envelopes didn’t have “verified and approved” stamps, which the county said is because he didn’t understand that only envelopes that are pulled by election officials for additional verification — most are verified with digital images of the envelopes — receive a stamp. The envelopes that Ayyadurai claimed were approved despite missing signatures or “scribbles” for signatures were either signed elsewhere on the ballot or had the signatures “cured” by election officials who contacted the voters.

And Ayyadurai’s claim that signature verification wasn’t as rigorous in 2020 as it was in 2016, based on an increase in the number of cured signatures, was false, the county said. That resulted largely from a 2019 state law that gives voters five days after the election to rectify their unverified signatures. The county hired 40 additional people to cure signatures from Oct. 29 to Nov. 10, the report said.

The Arizona Mirror’s analysis of Ayyadurai’s findings concluded that he did not understand policies and procedures surrounding the envelopes, which led him to falsely characterize a number of alleged issues as potentially suspicious. A rebuttal report that Ayyadurai issued on Wednesday confirmed that he is still unfamiliar with county procedures, and made no attempt to rebut the explanations that the Mirror provided for the alleged “anomalies” he found. 

The county also explained an alleged anomaly that Ayyadurai highlighted in which “verified and approved” stamps on some envelopes appeared to be behind a white triangle with a black border, which points to the signature field on the envelopes. He was unaware that on the paper envelopes, the triangles are solid black. Election officials and Runbeck Election Services, which prints and scans the envelopes, say solid-colored spaces on the envelopes are hollowed out when scanned to reduce the size of the digital files, so anything else in that space, including the stamps, disappear.

In a letter to the Senate two days after his testimony, Ayyadurai confirmed that his company, EchoMail, concluded that, “image compression replaces non-white pixels in those triangle areas with white pixels.”

Fann and Logan did not respond to requests for comment on the county’s rebuttal of the audit reports.

Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our web site. Please see our republishing guidelines for use of photos and graphics.

Jeremy Duda
Jeremy Duda

Jeremy Duda is a Phoenix native and began his career in journalism in 2003 after graduating from the University of Arizona. Jeremy Duda previously served as the Mirror's associate Editor. Prior to joining the Arizona Mirror, he worked at the Arizona Capitol Times, where he spent eight years covering the Governor's Office and two years as editor of the Yellow Sheet Report. Before that, he wrote for the Hobbs News-Sun of Hobbs, NM, and the Daily Herald of Provo, Utah. Jeremy is also the author of the history book “If This Be Treason: the American Rogues and Rebels Who Walked the Line Between Dissent and Betrayal.”