The Hart Intercivic eScan is a precinct-based, digital ballot scanning system. After marking a paper ballot, the voter feeds it directly into the eScan at the precinct. The ballot image is stored as a Cast Vote Record (CVR) on a flash memory card that can be retrieved and tabulated when the polls close. eScan’s capabilities include functionality to reject overvoted, undervoted and blank ballots, thereby providing second-chance voting at the precinct.
The eScan is a dedicated proprietary piece of hardware, with a built-in automatic feed scanner, a thermal line printer, local flash memory, and two secure compartments for ballot storage. The eScan is intended to be used only with ballots printed in advance on paper of a specified weight and dimension. Voters or pollworkers feed the ballots into the eScan one at a time. The eScan scans the ballots, creates a CVR from the ballot (including images of any written-in candidates), and stores the paper ballot in one of the two ballot storage bins (a scanner bin and a bin for use in emergencies that has an access slot). The CVR is written to a Mobile Ballot Box (MBB).
The two ballot storage bins are each sealed with a Hart security seal at election headquarters, and the emergency ballot slot is opened to allow depositing of paper ballots during emergencies (such as power failures) without disturbing the security seal on the ballot bin door. Jurisdictions can choose to seal the MBB into its compartment before delivery of the equipment to the polling place; alternatively, they can deliver MBBs to polling places on election day morning and seal them then. EScan options are defined in a Ballot Origination Software System (BOSS) when the election is defined. The eScan unit itself maintains audit logs that include system startup and shutdown information, CVRs written and other events like ballot rejection overrides. The eScan units are configured by SERVO, which resets the time, public counter, CVRs, signing key, and audit log. SERVO also optionally resets MBBs in the eScan to clear the CVRs and audit logs. SERVO can also back up CVRs and audit logs from the eScan, and create a Recovery MBB from those records.
The Hart InterCivic eScan A/T voting device is equipped with an audio tactile interface (ATI) that enables a voter with disabilities to listen to instructions for using the ATI controllers and an audio version of the ballot, to make selections for each race or question on the ballot, to review all selections and make changes if necessary, and finally to cast the ballot privately and independently. The voter’s ballot selections are recorded electronically in the device’s memory and included in the results for the precinct. No record exists to tie an individual voter to a specific ATI ballot. Voters who use “sip and puff” or tactile input switches may plug their own assistive devices into the ATI controller and use them to operate it. While a voter is using the ATI device, other voters may continue voting and may insert their paper ballots into the eScan A/T at any time. The eScan A/T will be used statewide in Oklahoma in 2012.
1. Receive your ballot from a poll worker and proceed to your voting booth.
2. Using a blue or black pen fill in the box to the left of your choice completely as shown on the right. To vote for a write-in candidate, fill in the box completely next to the words “Write-In” and write the candidate’s name on the line provided. Do not mark more choices than allowed. If you make a mistake, ask an election officer for a new ballot. (The old ballot will be voided.)
2. When you finish marking your ballot take it to the eScan. If the eScan displays the “Ready to Scan message, insert your ballot into the ballot feed slot. The eScan will scan ballots inserted in any orientation and reads both sides of a double-sided ballot at the same time.
3. The “Scanning Ballot” screen displays as the eScan reads the ballot. Watch and wait for any voter instruction messages. If the ballot is properly marked, the eScan accepts the ballot and displays a waving American flag to indicate that the ballot has been recorded. If the ballot is not properly marked, the eScan will display Voter Instruction messages.
|A Voting Demo for the eScan from Nevada County CA:|| A Pollworker Video from Nevada County CA:|
Unsecured network interfaces Network interfaces in the Hart system are not secured against direct attack. Poll workers can connect to JBCs
or eScans over the management interfaces and perform back-ofﬁce functions such as modifying the device software. The impact of this is that a malicious voter could potentially take over one or more units in a precinct and a malicious poll worker could potentially take over all the devices in a precinct. The subverted machines could then be used to produce any results of the attacker’s choice, regardless of voter input. We emphasize that these are not bugs
in the Hart software, but rather features intentionally designed into the system which can be used in a fashion for which they were never intended.
Vulnerability to malicious inputs Because networked devices may be connected to other, potentially malicious devices, they must be prepared to accept robustly any input provided by such devices. The Hart software routinely fails to check the correctness of inputs from other components, and then proceeds to use those inputs in unsafe ways. The most damaging example of this is that SERVO, which is used to back up and verify the correctness of polling place devices can itself be compromised from those same devices. This implies that an attacker could subvert a single polling place device, through it subvert SERVO, and then use SERVO to reprogram every polling place device in the county. Although we have tested some individual components of this attack, we did not have time to conﬁrm it in an end-to-end test.
No or insecure use of cryptography The standard method for securing network communication of the type in use in the Hart system is to use a cryptographic security protocol. However, we iound a notable lack of such techniques in Hart’s system. Instead, communications between devices generally happen in the clear, making attack far easier. Cryptography is used for MBBs, but the key management involves a single county-wide symmetric key that, if revealed, would allow an attacker to forge ballot information and election results. This key is stored insecurely in vulnerable polling-place devices, with the result that compromise of a single polling place device enables an attacker to forge election MBBs carrying election results for any device in the county.
Failure to protect ballot secrecy Hart’s system fails to adequately protect ballot secrecy. A poll worker or election ofﬁcial with access to the raw ballot records can reconstruct the order in which those votes were cast. Combined with information about the order in which voters cast their votes, this can be used to reconstruct how each voter voted.