As we reported on October 4, Eugene Yu, a Chinese immigrant and CEO of Konnech, an election software company, was arrested “as part of an investigation into the possible theft of personal identifying information of [Los Angeles County election] workers,” which officials believed “was stored on servers in the People’s Republic of China.”
The other shocking part of the story was that LA County District Attorney George Gascon, who’s not known as being tough on crime, announced both the arrest and extradition and the fact that investigators from his office had been working on the case.
One of Konnech’s software offerings is a program called PollChief, which schedules election workers and assists elections officials with supply and logistics procedures. In 2019 LA County entered into a contract with Konnech, and a sole-source contract worth more than $2 million was finalized in 2020. As part of the contract, Konnech was to abide by state and federal law and by various information security procedures, which an LA County District Attorney’s office investigator described in a complaint supporting the request for a warrant for Yu’s arrest:
- “[C]ontractor shall screen and conduct background checks on all Contractor personnel contacting County’s Confidential Information, including Personally Identifiable Information, for potential security risks and require all employees and contractors to sign an appropriate written confidentiality non-disclosure agreement.
- Personally Identifiable Information, and County’s Confidential Information: (i) may only be made available and accessible to those parties explicitly authorized under the Contract or otherwise expressly approved by County in writing.
- Only Contractor’s staff who are based in the United States and are citizens or lawful permanent residents of the United States shall have access to any County data, including personally identifiable information, hosted in County’s instance of the System Software.”
This complaint, which is dated October 13, 2022, contains additional information about what investigators have found – information that does not inspire any type of confidence in the security of our election information.
Despite Eugene Yu’s insistence in a verified court pleading that “all of Konnech’s U.S. customer data is secured and stored exclusively on protected computers located within the United States,” the Los Angeles County DA’s office found that:
“On or about October 10, 2019, through October 4, 2022, Eugene Yu and other employees at Konnech, Inc. were providing these services to Los Angeles County using third-party contractors based in China.
“…Konnech employees known and unknown sent personal identifying information of Los Angeles County election workers to third-party software developers who assisted with creating and fixing Konnech’s internal ‘PollChief’ software.”
So, the personal identifying information of US election workers was intentionally sent not just out of the country, but to China. And to third-party contractors, which is potentially in complete violation of the state’s anti-independent contracting AB5 law.
And, just as many have suspected, Chinese “contractors” (code for CCP operatives; don’t kid yourself) have had full access to not just the personal identifying information of Los Angeles County election workers (emphasis mine):
“On or about August 18, 2022, Luis Nabergoi, project manager for Konnech’s contract with the County of Los Angeles, confirmed via the messaging app DingTalk that any employee for Chinese contractors working on PollChief software had ‘superadministration’ privileges for all PollChief clients. Mr. Nabergoi described the situation as a ‘huge security issue.’”
It’s more than just a “huge security issue.” Even if nothing nefarious has been done with that access, a possibility which requires the suspension of disbelief, this revelation validates every concern that has been expressed about the security of our elections since, well, long before 2020. But we know it was happening through August 2022, at a minimum. And while the City of Minneapolis initially defended its contract with Konnech, saying there was no information that the personal identifying information of their poll workers was compromised, officials might want to revisit that statement in light of the above.
In addition, one function PollChief software provides is management of “election workers and voting locations (including Vote Centers, drop boxes and check-in centers),” meaning that election officials can use the software to assign employees to retrieve ballots from drop boxes and deliver them to the elections office. It uses GPS and location data from the app on the employee’s phone to determine which employee is located closest to the drop box, and continues to track their location for chain-of-custody purposes. However, as some have pointed out, it’s certainly possible that this app could be repurposed for ballot harvesting and delivery purposes.
Coincidentally, on the same day the search warrant was executed and Yu arrested, Mr. Nabergoi sent an email to Konnech employees informing them of a slight change in procedure:
On or about October 4, 2022, Luis Nabergoi, project manager for Konnech’s contract with the County of Los Angeles, sent an internal email to Konnech employees stating that the company was “moving to a new stage in the company maturity and we need to ensure the security privacy and confidentiality or [sic] our client data…” Nabergoi further stated that to accomplish this, personal identifying information would no longer be included in the fixing of Konnech’s PollChief software.
What’s being “fixed”? Why was any information being sent to China in the first place? Why is George Gascon’s office investigating? And, why aren’t federal agencies involved in this? It’s not just Los Angeles County involved; Konnech’s PollChief software is used around the country.
Fortunately, numerous jurisdictions have terminated their contracts with Konnech and PollChief, but dealing with this type of data breach should not be left to the discretion of individual jurisdictions. This software should be purged from any official or unofficial usage within the United States immediately.