Election Systems and Software (ES&S) InkaVote

Originally developed by Unisyn Voting Solutions and now distributed by Election Systems and Software, the InkaVote and InkaVote Plus system consists of the InkaVote Precinct Ballot Counter (PBC) and the Unisyn Election Management System (EMS). The PBC is based on a standalone lottery ticket machine design developed by International Lottery & Totalizator Systems, Inc. (ILTS). The InkaVote ballot is a mark-sense ballot based on the design of a Hollerith (IBM) punch card. Ballot identification data is pre-punched in the leading columns. The InkaVote system is used in Los Angeles County, CA and Jackson County, MO.

The InkaVote voting system has been used in Los Angeles County since 2003. InkaVote replaced the former Votomatic punch card voting system, used since 1968, following the decertification in 2002 of all voting systems in California based on pre-scored punch card voting technology. InkaVote employs a voting method similar to Votomatic but replaces pre-scored punch cards with optical scan ballots printed on the same-sized 312 format ballot card. The InkaVote voting device is patterned after the Votomatic device and is used for holding the ballot card and vote recorder pages. However, the diameter of each voting position hole in the plastic template has been widened to ¼ inch to accommodate the use of an ink marking device for marking voting choices. The 312 vote position ballot card is virtually identical, except that the vote positions are not pre-scored for punching out but are instead pre-printed circles, with 312 voting positions for recording votes in ink. The ballots used for absentee voters by mail have larger target circles than the ballots used at the polls in the vote recorder.

Los Angeles County’s previously certified Microcomputer Tally System (MTS) version 1.3.1 with the front end Election Tally System (ETS) and Automated Ballot Layout (ABL) system will continue to be used for election data collection, vote tabulation and related functions. The L.R. Computer Company card readers, 36 of which are used in Los Angeles County, were previously certified by the Secretary of State with a modified read head for reading optical scan marks. The electronic image sent from the card readers is identical to punch card electronic images; therefore, the tally interface routines do not change. Since the vote image data is the same, the MTS tally, reports and logic do not change. [1]

The InkaVote Plus PBC unit may be equipped with an optional component called the Audio Ballot unit, which assists blind voters as well as other voters who need an audio ballot. The Audio Ballot unit consists of a keypad, earphones and printer, and does not include a visual display of the ballot for the voter. This unit uses an audio ballot script, which guides the voter through voting and prints a marked InkaVote ballot. The voter may then insert the marked ballot into the PBC unit, which checks for overvotes and blank ballots.

Voting Process: The voter enters the polling place and receives a ballot, which is then secured to the InkaVote machine with a series of clips. To vote, the card is placed in a marking device, which has a ballot voting booklet and template guide showing the location to mark a vote for each candidate in each contest. A special marking pen is used to mark the voter’s choices. Voters who mark their ballots manually or with the ballot booklet template may also use the PBC unit to check the ballots for overvotes and blank ballots. If an overvoted or blank ballot is detected, the system returns the ballot to the voter, giving the voter an opportunity to remake the ballot. Although the PBC unit is capable of tallying the ballots and producing a machine report of the results when the polls close, some jurisdictions, including the City and County of Los Angeles, use the system only for the audio ballot and error checking functions, without using the ballot tally and reporting functions.

Security Concerns:

In the area of cryptography and key management, multiple potential and actual vulnerabilities were identified in the InkaVote Plus, including inappropriate use of symmetric cryptography for authenticity checking, use of a very weak homebrewed cipher for the master key algorithm, and key generation with artificially low entropy, which facilitates brute force attacks. In addition, the code and comments indicated that a hash (checksum) method suitable only for detecting accidental corruption is used inappropriately, with the claimed intent of detecting malicious tampering. The review also identified 106 instances of SQL statements embedded in the code with no evidence of sanitization of the data before it is added to the SQL statement. Building SQL statements at runtime is considered a bad practice; the preferred method is to use predefined SQL statements with bound variables. [2]
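The difference between a runtime-built SQL statement and a predefined statement with bound variables, shown as an added example that is not code from the InkaVote Plus or from the source code review. The table, column names and sample rows are hypothetical and constructed for illustration, with SQLite standing in for whatever database the system uses.

```python
import sqlite3

# Predefined statement: the SQL text is fixed, only the bound value varies.
SQL_BY_PRECINCT = "SELECT title FROM contest WHERE precinct = ? ORDER BY id"


def make_db():
    """Constructed sample data; hypothetical table, not the InkaVote schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contest (id INTEGER PRIMARY KEY, precinct TEXT, title TEXT)")
    db.executemany(
        "INSERT INTO contest (precinct, title) VALUES (?, ?)",
        [("P-001", "Mayor"), ("P-001", "Measure A"),
         ("P-002", "Sheriff"), ("St. Mary's", "School Board")],
    )
    return db


def titles_concatenated(db, precinct):
    """Flagged pattern: the value is pasted into the SQL text at runtime."""
    sql = "SELECT title FROM contest WHERE precinct = '" + precinct + "' ORDER BY id"
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.OperationalError:
        # A plain apostrophe in the data is enough to break the statement.
        return "query failed"


def titles_bound(db, precinct):
    """Preferred pattern: the value is passed as data and never parsed as SQL."""
    return [row[0] for row in db.execute(SQL_BY_PRECINCT, (precinct,))]


def compare(precinct):
    """Run both variants against a fresh database for the same input."""
    db = make_db()
    return titles_concatenated(db, precinct), titles_bound(db, precinct)


if __name__ == "__main__":
    # Ordinary value, value containing a quote, value that rewrites the WHERE clause.
    for value in ["P-001", "St. Mary's", "P-001' OR '1'='1"]:
        print(repr(value), compare(value))
```

With the bound statement, the third input is simply a precinct name that matches no row; with concatenation it changes which rows the query returns.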
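Why a checksum cannot serve as a tamper check, and what a keyed check with a full-entropy key does instead, as an added example that is not code from the InkaVote Plus or from the review. The record format is constructed, and CRC-32 and HMAC-SHA-256 are stand-ins chosen for illustration; the page does not name the algorithms the system uses.

```python
import hashlib
import hmac
import secrets
import zlib

# Constructed sample records; not an InkaVote file format.
RECORD = b"precinct=P-001;contest=Mayor;candidate_a=120;candidate_b=95"
ALTERED = b"precinct=P-001;contest=Mayor;candidate_a=95;candidate_b=120"


def crc_seal(data):
    """Unkeyed checksum: anyone can compute it, so it only catches accidents."""
    return zlib.crc32(data)


def crc_ok(data, tag):
    return zlib.crc32(data) == tag


def new_key():
    """256 bits from the OS CSPRNG, rather than a clock, counter or short PIN."""
    return secrets.token_bytes(32)


def mac_seal(key, data):
    """Keyed tag: computing a valid one requires the secret key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_ok(key, data, tag):
    return hmac.compare_digest(mac_seal(key, data), tag)


def demo():
    key = new_key()
    other_key = new_key()  # stands for a party that does not hold the real key
    return {
        # The edited record gets a freshly computed checksum and verifies.
        "checksum_accepts_resealed_edit": crc_ok(ALTERED, crc_seal(ALTERED)),
        "mac_accepts_original": mac_ok(key, RECORD, mac_seal(key, RECORD)),
        # Edited record with the original tag, or a tag made under another key.
        "mac_accepts_edit_with_old_tag": mac_ok(key, ALTERED, mac_seal(key, RECORD)),
        "mac_accepts_edit_resealed_without_key": mac_ok(key, ALTERED, mac_seal(other_key, ALTERED)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A MAC is still symmetric: every device that verifies a tag holds the key needed to create one, so where the verifier cannot be trusted to keep that key secret, a digital signature is the appropriate authenticity check.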

In the physical security testing, the wire and tamper proof paper seals were easily removed without damage to the seals using simple household chemicals and tools, and could be replaced without detection. The tamper proof paper seals were designed to show evidence of removal and did so if simply peeled off, but simple household solvents could be used to remove a seal unharmed so that it could be replaced later with no evidence that it had been removed. Once the seals are bypassed, simple tools or easy modifications to simple tools could be used to access the computer and its components. The key lock for the Transfer Device was unlocked using a common office item without the special ‘key’, and the seal was removed. The USB port may then be used to attach a USB memory device, which can be used as part of other attacks to gain control of the system. The keyboard connector for the Audio Ballot unit was used to attach a standard keyboard, which was then used to get access to the operating system without reopening the computer. The seal used to secure the PBC head to the ballot box provided some protection, but the InkaVote Plus Manual provides instructions for installing the seal that, if followed, will allow the seal to be opened without breaking it. However, even if the seals are attached correctly, there was enough play and movement in the housing that it was possible to lift the PBC head unit out of the way and insert or remove ballots (removal was more difficult but possible). [3]

  1. California InkaVote Use Procedures, 2010, p. 3
  2. InkaVote Plus Source Code Review, California Secretary of State’s Top-to-Bottom Review (2007)
  3. InkaVote Plus Red Team Security Penetration Test, California Secretary of State’s Top-to-Bottom Review (2007)