Authors: Manana Ghoghoberidze, Eto Midelashvili, and Natia Mikhelidze
Two weeks before the elections, representatives of an American auditing company visited Georgia. At the request of the Central Election Commission (CEC), they inspected the equipment and materials to be used in the elections, reviewed and analyzed the voting machines’ codes, and even observed the election process itself. However, the process was entirely closed off, involving only representatives of the CEC—no observer organizations or members of opposition parties were present.
On October 27, as observers discussed violations and allegations of fraud during the elections, the chairman of the CEC, Giorgi Kalandarishvili, held a briefing. To assert that the elections were conducted successfully and that the technology performed well, Kalandarishvili referred to the findings of this American auditing company.
The auditing company endorsed by the CEC is PRO V&V, which conducted a three-phase audit of the parliamentary elections. The first phase involved testing tablets, verification devices, and vote-counting machines, including their software codes. The second phase focused on configuration, such as servers and voter lists. Finally, the election day itself was evaluated.
A review of the documents has revealed several factors that cast doubt on the reliability of the audit:
- PRO V&V has had a long-standing collaboration with the voting machine supplier, Smartmatic, evaluating elections conducted with their technology and equipment.
- The company was selected by the CEC unilaterally and through a non-transparent process.
- The auditor only addressed questions posed by officials from the ruling Georgian Dream party within the CEC.
- PRO V&V tested only 12 devices each from the categories of tablets, verification machines, and vote counters.
- On election day, the company’s representatives observed voting only at polling stations pre-selected by the CEC in Tbilisi, Gori, and Telavi.
- Opposition representatives, NGOs, or members of the civil sector were not present during the audit process.
How Was PRO V&V Selected?
The Central Election Commission (CEC) first announced its collaboration with the American auditing company PRO V&V a year ago, following midterm elections. CEC Chairman Giorgi Kalandarishvili at the time emphasized the importance of transparency, claiming, “As a responsible institution, we are committed to ensuring that the process is as transparent and public as possible.” However, the level of openness became questionable during the same session, as revealed by Kalandarishvili’s response to opposition members of the CEC.
“The audit is crucial; we’ve been advocating for it for a long time,” protested Anna Kobakhidze, a representative of the Strategia Aghmashenebeli party. “But my colleagues and I only just learned about this initiative.” Kalandarishvili responded: “Whether you learned about it earlier or later, I fail to see how it would make any difference to you… The financial department handles this, and I’m providing this information now. I neither requested nor expected your involvement in this or anything else.”
In an interview, Kobakhidze recounted that the selection process for PRO V&V for the 2024 parliamentary elections was as closed as it had been for the 2023 by-elections. “We received an email stating that the financial department had begun selecting companies. We wrote back, asking for a meeting or additional information, but the communication ended there. Later, we learned that PRO V&V had been chosen.”
On September 27, 2024, the CEC signed a 555,000 GEL contract with PRO V&V for auditing services.
“We had previously raised the issue of conducting an audit,” said Beka Liluashvili, a member of the For Georgia party. “Suddenly, we learned that an auditing company had been selected. We had no idea how it was chosen, whether there were consultations, or what the process entailed. We didn’t even know the scope of the audit. These technologies are highly complex, and society needs more information.”
In addition to criticizing the lack of transparency, opposition parties and civil society groups distrust the audit because the list of issues to be examined by the company was exclusively prepared by representatives of the ruling Georgian Dream party within CEC.
“For example, questions were like, and I’m paraphrasing here, ‘When plugged in, will the device’s red light turn on? Does it comply with international regulations? Is the confidentiality of the vote protected?’ We’ve seen how that was handled,” remarked Vano Burduli, a former election official and current member of the United National Movement.
“No one deliberately asked the auditor whether the devices were susceptible to manipulation,” Burduli added. “Concerns about unreliable companies were raised, but the CEC didn’t care. It’s a closed circle; they decide, and that’s the end of it. As a result, challenges yielded no significant outcomes.”
Akaki Khuskivadze, an experienced election observer since 1995 and chairman of the Association for Public Initiatives, shared similar concerns. “The process is controlled entirely by them, with no room for external influence or oversight.”
Civil Society Concerns
Irma Pavliashvili, head of Open Space Caucasus and a veteran election observer with 15 years of experience, emphasized that the election administration failed to adhere to core principles such as transparency, accountability, and stakeholder inclusion.
“These principles were disregarded in the selection of the auditing firm. All stakeholders involved in the electoral process, including observer organizations and political entities, should have been included,” Pavliashvili said.
When asked why other interested parties were not involved in drafting the audit’s scope, CEC spokesperson Natia Ioseliani responded, “Who, in your opinion, should have prepared the questions?” She maintained that all processes, including the auditor’s selection, were public.
“Nothing was hidden. Any party-appointed commission member or parliamentary commission member has the opportunity to be involved in the process. Don’t imagine that someone is withholding information from them,” Ioseliani claimed.
However, Giorgi Moniava, a legal expert with ISFED, disputed this claim. According to him, their organization requested involvement in the audit process but was ignored.
“A few days before the elections, we asked the CEC to allow observer organizations to participate in the audit process. We also informed them of the specific questions we had. However, our request and questions went unanswered. The process was not open to observer organizations, and no representatives were involved. We didn’t see or know what they were observing. We also wanted to participate in the initial coding and encryption stages but were denied for ‘security reasons,’” Moniava stated.
Moniava provided a letter his organization sent to the CEC, dated October 23, which reads:
“To enhance the transparency of the electoral process and increase public trust, we request that local and international observer organizations be allowed to participate in the audit process, including the determination of its scope.”
Who Is the American Auditing Company PRO V&V?
PRO V&V was established in 2011 and is registered in Huntsville, Alabama. Its founder and director, Ryan Jackson Cobb, visited Georgia on October 26. The company’s official website is non-functional—while basic information is accessible on the homepage, attempting to navigate to sections like services or contacts causes the website to crash.
PRO V&V has evaluated elections conducted with Smartmatic technology, including elections in the Philippines. In 2023, the company also performed laboratory testing on one of Smartmatic’s devices [a router unit].
Last fall, during a CEC session, Giorgi Kalandarishvili first disclosed the identity of the auditing company. Opposition commission member Anna Kobakhidze inquired whether PRO V&V had worked with Smartmatic in the past. CEC representatives acknowledged that their chosen auditor had previously collaborated with Smartmatic in elections across various countries.
“Yes, they have conducted evaluations in the Philippines on these exact devices, although our devices are more advanced,” said Giorgi Javakhishvili, Secretary of the CEC.
“This company is essentially Smartmatic’s ‘tail,’ traveling globally under the guise of conducting audits,” said an anonymous source with over 20 years of experience observing elections and in-depth knowledge of electoral administration. “Opposition members of the CEC were completely excluded from the selection process for this audit.”
What and How Did the American Company Audit?
In the first phase, PRO V&V checked the software codes of Smartmatic used for the 2024 elections and compared them to the codes from the 2023 special elections. Simply put, the company was verifying how the devices functioned, what data (such as lists) were stored in them, whether they were duplicated across different polling stations, and so on.
The purpose of the comparison was to determine whether any changes had been made to the devices that could violate the law or cause distrust.
When the auditor checked the function of loading lists into the verification device, it concluded:
“If a voter has already been checked in or shows up at the wrong location the VIU sounds an alarm,” writes PRO V&V.
It is interesting on what basis the auditor concluded that the devices would recognize if one voter tried to vote at different polling stations, especially given that the devices did not have internet access and were not synchronized with other stations. Civil society and the opposition were already skeptical about this before the elections, believing that isolating polling stations increased the risk of “carousel voting.”
“The CEC repeatedly confirmed to us that the complete, unified voter list is loaded into all devices. This has been confirmed both in writing and orally. The full voter list is stored in every verification device, and then the list for the specific station where the device is located is activated. Theoretically, it is possible to activate the same individual or group of individuals in different polling station devices. Since the devices are synchronized locally, within one polling station, and do not communicate with devices at other stations, these individuals could go to different polling stations and vote without the device emitting any signal. We observed specific violations and people openly admitting to voting at two different polling stations,” says ISFED’s lawyer, Giorgi Moniava.
Our respondents told us that the CEC preferred the devices to work offline to avoid the risk of cyberattacks. This argument is also controversial because, as it turns out, cybersecurity could have been ensured if desired. CEC commission members had tablets at polling stations connected to a closed internet network (APN, VPN), through which voter activity and results were sent to the CEC.
“The tablet’s connection to the CEC servers is secure; it is impossible to send data packets to servers other than the CEC’s,” the audit report states.
However, in an interview with us, IoT Laboratory founder Konstantin Stalinski also questioned this conclusion. According to him, if it is possible to send a file to one location, it can also be sent to another.
Additionally, it is unclear what practices were used to write the initial codes for the tablets.
“The audit report states that the initial code was written following the best coding practices and established guidelines. However, neither the source guidelines nor the specific practices are mentioned. It is unclear what practices were referred to or what technology was used. This information should have been public and included in the audit,” says Stalinski.
Software engineer Giorgi Lubaretzi believes the audit report’s information on system security is vague and incomplete.
“The information on each attack vector should have been much more detailed. There should have been explanations of how the system’s security was analyzed and information on the identified problems and whether they were resolved.”
According to Lubaretzi, another issue is that PRO V&V did not check the “hash” (a unique fingerprint) printed by the devices during the October 26 elections.
“A hash is a function that transforms any data (text, file, etc.) into a fixed sequence of characters. Similar characters appeared on the final receipt printed by the verification device.”
As Lubaretzi explains, for example, the unique fingerprint, or “hash,” of the text “Giorgi” is c1475a06, while “Giorgi Giorgadze” is a32b0606. No matter which device or how many times the data is processed, its hash will always remain the same. According to him, it is unclear to us now which software was examined by the auditor, as the hashes they evaluated do not match the hashes from the devices used on October 26.
“If I, as a voter, do not have the ability to compare whether the code loaded onto the device is the same as the one audited, how does the audit help me? The ‘hash’ that the device prints on the receipt is the complete system hash, while the audit refers to the hashes of individual components. The full system code is not visible anywhere. For example, in my house, the hash of the table might be ‘11111,’ the door ‘2222,’ and so on, while the hash for the whole house would be ‘7777.’ In this example, the devices displayed the hash of the entire house, while the audit covered only the table and the door.”
ISFED also has doubts regarding the codes. “The audit report does not specify the methodology used to select the devices for inspection. However reliable the methodology might have been, the devices were inspected approximately two weeks before the elections, which is more than enough time for the functionality and initial codes to be altered, allowing the devices to operate differently on election day. We want to know what was happening in the devices on election day, what functionalities were active, and what initial code they operated with. The audit does not answer this question, leaving other major concerns unresolved. The devices should not have been removed from the District Election Commission’s storage; instead, they should have been taken directly from the polling stations after the election for auditing,” says Giorgi Moniava, ISFED’s legal expert.
The second phase of PRO V&V’s audit is dated October 23, 2024. Between October 12 and 19, the company tested 12 verification devices (VIU Desktop 818-100), 12 vote-counting machines (PCOS SAES-1800Plus), and 12 tablet computers (Lenovo Tab K11).
The purpose of the second phase was for PRO V&V to compare the data loaded onto the CEC servers with the data in the verification devices, as well as to verify the accuracy and validity of candidate lists. However, the audit report does not reveal what the auditor found regarding the verification of the lists, how the process was conducted, or whether there was compliance. Neither is this information reflected in PRO V&V’s recommendations. Instead, it contains a positive but general evaluation that all the inspected devices had the necessary consumables, and none of them contained components unnecessary for their functionality.
The audit process was supervised by the CEC’s technical representatives, but it is unknown who they were. The CEC does not disclose their identities. It is only confirmed that the opposition was not involved in this technical supervision.
“We repeatedly asked the CEC, both publicly and in writing before the elections, to disclose the identities of the technical staff working directly with the equipment. However, we were told that this was personal information, and it was not provided to us,” said David Kirtadze, the United National Movement representative within the CEC.
The third phase of the audit evaluated election day itself. PRO V&V checked how accurately the elections were conducted using electronic technologies and how accurate the lists were. The conclusions do not mention anything about vote secrecy, carousel voting, or other well-known and widespread violations.
They observed the election day with only three groups, comprising a total of six individuals. They visited polling stations only in the districts of Tbilisi, Telavi, and Gori and observed the behavior of 168 voters. The observation areas were determined by the CEC itself.
PRO V&V did not visit districts where Georgian Dream’s votes increased unnaturally and received unprecedented support of over 70%, such as Marneuli, where ballots were reportedly stuffed manually.
Irma Pavliashvili, the chair of Open Space Caucasus, believes the audit conclusions are general, and the checklist for observing election day was limited.
“There should have been more and more detailed questions. At the very least, one polling station should have been observed throughout the entire day. I did not find any violations of election day in the audit. If I had not been directly involved in the process, reading the audit report would not have allowed me to imagine the violations and fraud schemes that took place on October 26, which raised questions about the credibility of the election results and sparked public anger and protests. According to the audit, the voting process was conducted in a very calm environment, and the system had no flaws. However, the reality is that the elections were conducted against a backdrop of violations. The conclusions are neutral and do not mention any violations or signs of misconduct, which raises questions about their reliability.”
The only entities without critical questions about the election process, the audit, or the auditing company are the CEC and Georgian Dream.
After the elections, we managed to conduct an interview with the CEC’s public relations department while preparing materials about the verification devices’ functionality. However, when we raised additional questions regarding the audit process, the CEC refused further communication, suggesting instead that we request public information in writing.
We have not pursued this practice further, as all information that can be obtained in this format has already been requested. The remaining questions require answers that only interviews can provide. Additionally, public officials often delay or avoid responding to critical questions when addressing them in writing.
