2012 Accomplishments

A Sampling of Verified Voting’s Highlights from 2012 

Safeguarding Elections: Information is Power

Increasing Voter Confidence through Verifiable Ballots and Better Audits

Better Alternatives for Military, Overseas and other Remote Voters

Getting the Message Out

We generated eye-opening media coverage this year with insights into how prepared for the November Presidential Election the states were — or were not. Our “Counting Votes 2012: A State By State Look At Election Preparedness” report launched in July was covered first by USA Today in a nationwide story on the vulnerability of returning votes over the Internet. That story also ran in a dozen other publications as diverse as the Army Times, the Des Moines Register, and Investment Watch. In all the report generated 108+ major stories across the nation and even internationally. More coverage here and below:


2015 Verified Voting Year in Review

With your help, we’ve worked hard for more verifiable voting systems and policies in 2015. What follows is a partial list of activities and accomplishments:

This year we’ve seen our research and resources cited extensively, and it shows we’re making a difference in ensuring that issues about the technology and security of voting are being heard. Verified Voting collaborates closely with you, our state and national partners and allies as well as individuals who help support what we do and foundations that believe in a democracy based on reliable, evidence-based elections. Together we have increased public awareness and influence policy to improve the integrity, accessibility and verifiability of U.S. elections.

To support our work, visit http://verifiedvoting.org/donate — your contribution will be matched by a generous donor through the end of the year!

Download full document:

2015 Year in Review

 


2017 map


About Us

Test 2 Test


Blog

Do Not Delete, this page is the container for the VV Blog


Careers

Current Openings:

Verified Voting Is Seeking a New President

 


Changes from 2006 to


Check Your Registration

Throughout the summer and fall we’ve been hearing about possible threats to voting systems and registration databases.  After their primaries, both Arizona and Illinois discovered their online Voter Registration Databases had been hacked, potentially disenfranchising voters.

We want to make sure that everyone who shows up, whether on Election Day or for early voting, will have the opportunity to cast their vote. But registration deadlines for some states have already passed.  Others are passing very soon.  It’s important to take action immediately to ensure that you will be eligible to vote.

Quickly approaching deadlines:

AZ 10/10/16

GA 10/11/16

PA 10/11/16

FL 10/11/16

OH 10/11/16

IL 10/11/16 (Grace period through Election Day)

IN 10/11/16

ID 10/14/16 (Election Day Registration Available)

KY 10/11/16

LA 10/11/16

MI 10/11/16

NM 10/11/16

TN 10/11/16

TX 10/11/16

MO 10/12/16

NC 10/14/16

NY 10/14/16

OK 10/14/16

VA 10/17/16

KS 10/18/16

MD 10/18/16

MN 10/18/16

NJ 10/18/16

OR 10/18/16

WV 10/18/16

MA 10/19/16

WI 10/19/16 (Election Day Registration Available)

 


copy categories


Defcon Summary with Harri Hursti and Matt Blaze

At the annual DEF CON conference on July 27-30, 2017, a “Voting Village” provided the opportunity for hackers to attempt to breach the security of electronic voting machines.  Some of the machines that were shown to be vulnerable are still deployed in elections.  Verified Voting Advisory Board Members Harri Hursti and Matt Blaze coordinated this effort and are working on a report.

We recently held a debriefing conference call with Matt and Harri, a recording of which is linked below.  Please note: We had some minor technical problems with the recording.  The sound file cuts off the very first sentence or two, so the recording begins with Harri Hursti in the middle of a sentence.  There is a point in the call where the recording goes silent for about 5 seconds.  The sound quality of the call is not great, but it is understandable and there is great information in the discussion. We apologize for the technical glitches.


 

Press Coverage

For decade-old flaws in voting machines, no quick fix | The Parallax August 11, 2017

Our Hackable Democracy | New York Review of Books August 10, 2017

Defcon Hackers Made Short Work of Voting Machines. Now What? | GCN August 8, 2017

Hacking the Vote: Why Voting Systems Aren’t as Secure as You Might Think | KQED August 8, 2017

Voting System Hacks Prompt Push for Paper-Based Voting | Dark Reading August 7, 2017

DEFCON Hackers Found Many Holes in Voting Machines and Poll Systems | IEEE Spectrum August 3, 2017

A Solution to Hackers? More Hackers | New York Times August 2, 2017

To Fix Voting Machines, Hackers Tear Them Apart | WIRED August 1, 2017


Docs


California Secretary of State Kevin Shelley Addresses Voting Systems Panel - December

California Secretary of State Kevin Shelley gave the following address before California’s Voting Systems Panel (VSP) and members of the public on December 16, 2003. Secretary Shelley spoke during the presentation of the results of an audit of Diebold Election Systems hardware, software, and firmware installed in 17 California counties. After Secretary Shelley completed his speech, the audit results were presented. The audit revealed that among the random selection of Diebold’s systems in those 17 counties, NO instances of certified software were discovered. Further, it was determined that in Los Angeles and 2 other counties, the firmware in use on the audited machines had never been submitted for Federal certification, as required by California law, prior to State certification. It was further revealed that all of these machines were used in their uncertified configurations in both the November 2003 and the October recall election.

Members of the Voting Systems Panel and Ladies and Gentleman behind me, I understand, from staff, that I, as Secretary of State, am breaking precedent by appearing before this panel. I appreciate all of the sage advice that you give me and recommendations that you make, but I felt it appropriate to break precedent, given the circumstance of the item you are hearing and discussing at the moment. My concern is beyond the individual item that is being discussed as it applies to Diebold and the recommendations to be made in that regard. It’s much larger than that.

The core of our American democracy, members, is the right to vote. And implicit in that right is the notion that that vote be private, that vote be secure, and that vote be counted as it was intended when it was cast by the voter. I think what we’re encountering is a pivotal moment in our democracy where all that is being called into question – the privacy of the vote, the security of the vote, and the accuracy of the vote. It troubles me, and it should trouble you.

Now, initial presentation was just made on the findings of the report, and I want to thank you very much for conducting the study and for the important review you provided. I know the VSP will soon be asking questions and then making some recommendations, but there are a number of things that this report details that are very troubling. There were unqualified uses of software that had not been approved by the Federal government; there were uncertified uses of software that had not been certified by the State government; and the software was used in a number of instances. That is deeply troubling because it’s a violation of the elections code. There were lax accounting procedures, whether it be by counties or whether it be by this very agency, where we have not had a sufficiently extensive mechanism to assess, on a regular basis, what systems were in use.

I think that, on the county level, the audit reinforces my comments on American democracy – that on the county level, the physical security of the voting is sound and the county registrars and their excellent staff are doing a very good job in ensuring that security, but that the technical security is less sound, and the procedures that should be and must be in place at the county level are not sufficiently in place now.

At the same time, we, the Secretary of State’s office – the entity the election code charges with the responsibility to certify systems – bear responsibility if we’re not on a consistent and regular basis assessing what software systems are in place. I believe we have the finest elections staff of any Secretary of State operation in the country (no disrespect to the other forty nine). Having said that, for every state election program, it’s a new era and we must adjust our procedures, our assessment mechanisms, our approaches towards assuring the privacy, accuracy, security, and integrity of those votes. Now I know a number of recommendations will be made today. I look forward to implementing the recommendations of this panel to provide, from this office’s perspective, stronger mechanisms to address them – be it bi-annual assessments, be it regular auditing, be it spot checks, be it a number of things that came out of the recommendations of the touch screen task force.

You know it’s very interesting that, recently when I made the decision to require a paper audit trail, a number of county officials very respectfully denounced them and a number of vendors, many of whom are represented behind me, said it wasn’t necessary, said their machinery was secure. At the same time, a number of those within the community, the voter advocacy community, have oft times alleged Armageddon if we don’t make immediate changes. Well you know, I don’t know who’s right.

I’m like the average voter. I don’t know. And because I don’t know, I want the confidence that a paper trail provides. And like an average voter, I want the confidence that a stronger assessment mechanism at the state level will provide. And like the average voter, I want the confidence that stronger procedures at the county level will ensure the accuracy, integrity and privacy of those votes. Once again, the right to vote is the most precious demonstration of our democracy. We must take it seriously, we must cherish it, and all of us, at the county level, at this office, and in the election vendor community, must act accordingly.

Now the audit is not complete. We don’t have all the findings as yet, and we don’t know what’s occurred comprehensively. I would hope that the end result sanction that we suggested we might make today, pursuant to this hearing taking place, won’t be the suggestion of de-certification of Diebold systems. I would hope that won’t be the case. I certainly hope that won’t be the case with other vendors as well. But if we find that there are gross discrepancies and violations, I am prepared to go down that road, and so this needs to be taken very, very seriously. And with that, I thank you for your time and I’ll let you continue with your hearing.


Changes Ahead: A Look at Voting System Testing and Certification

Download the Report
Changes Ahead – A Look At Voting System Testing & Certification (.pdf)

Voting is fundamental to who we are as citizens, a right to express our views that we may take for granted, whether or not we exercise it each election. But however engaged we may be in the political issues or processes of the day, most of us think about the mechanics of how we cast our votes very rarely if at all. Most simply assume that our voting infrastructure will work and work correctly, that ballots will be available and equipment will function when we go to the polls and when the votes are being counted. And many may assume there is one centralized federal system to govern how voting equipment is tested and qualified for use. In fact there is a patchwork of 51 different sets of rules and policies, which govern how those systems are approved for use on Election Day. Though each state has its own requirements, many similarities exist.

This informal report provides a look inside that framework for voting system testing and certification in the states and the nation, and explores how California’s current process fits into that framework. What do states do to approve a voting system? How do they do it? Who does it? What works well? It also examines potential changes to the framework: what processes or steps are not done but perhaps should be, to better ensure the security and usability of voting systems?

This is not intended to be a comprehensive statutory or regulatory review. Instead, examples of key elements of how technology is tested are included to further inform our understanding of voting system certification – even from outside of the voting machine realm. Included also are key recommendations and challenges that remain to be resolved.

In preparing this report, Verified Voting interviewed individuals from federal, state and local jurisdiction agencies involved in testing, certification or related matters, as well as researchers and policy analysts who have examined the subject matter. We also gleaned insights from conferences on voting system testing and certification at both state and federal levels. We are grateful to all for their willingness to share their extensive knowledge on the topic. In particular we would like to thank the Future of California Elections project team, and most especially the Irvine Foundation, without whose support this project would not have been possible.


Electronic Voting: An Overview of the Problem

Dr. David Dill is Professor of Computer Science at Stanford University and founder of the Verified Voting Foundation and VerifiedVoting.org. The following talk was presented during the April 18 2005 hearings at the Carter-Baker Commission on Federal Election Reform in Washington, D.C.

Introduction

The winners of an election are usually satisfied with the outcome, but it is often more challenging to persuade the losers (and their supporters) that they lost. To that end, it is not sufficient that election results be accurate. The public must also know the results are accurate, which can only be achieved if conduct of the election is sufficiently transparent that candidates, the press, and the general public can satisfy themselves that no errors or cheating have occurred.

Unfortunately, the advent of paperless electronic voting (e-voting) is moving us away from election transparency. E-voting technology is extremely opaque. No one can scrutinize some of the most critical processes of the election, such as collection of ballots and counting of votes, because those processes will be conducted invisibly in electronic circuits. Voters have no means to confirm that that the machines have recorded their votes correctly, nor will they have any assurance of that their votes won’t be changed later.

In the presidential election of 2004, almost 30% of American voters reportedly used evoting machines, and this number is increasing because of the deadlines set by the Help America Vote Act, (HAVA) and the funding made available for new equipment by that law.

Accountability

The basic problems of e-voting can be understood without an in-depth knowledge of computer technology. A helpful analogy was proposed by computer security researchers Drew Dean and Dan Wallach: Suppose voters dictated their votes, privately and anonymously, to human scribes, and that the voters were prevented from inspecting the work of the scribes. Few would accept such a system, on simple common-sense grounds. Obviously, the scribes could accidentally or intentionally mis-record the votes with no consequences. Without accountability, a system is simply not trustworthy, whether or not computers are involved.

Are computers different in some important way from human scribes? Computers can execute programs accurately and with great speed, but they are designed and programmed by people who are no more reliable than our hypothetical scribes. Indeed, the construction of completely accurate and reliable hardware and software is one of the great unsolved problems of computer technology — a problem that is actually growing worse with the burgeoning complexity of computer systems.

Computer systems can also be subverted intentionally. Most people are familiar with the “hacking” of systems by outsiders, often through the internet. Experience in computer security has shown that resisting such attacks is extremely difficult. The attackers are often very creative and determined, making them formidable adversaries. However, the greater threat to most systems is from insiders. Software can be modified maliciously by people with legitimate access before it is installed on thousands of individual voting machines. Indeed, much computer crime is perpetrated by insiders, because it is easier for them to commit crimes, and they are less likely to be caught. There is no reason we should be more trusting of insiders in the election industry than in other industries, such as gambling, where sophisticated insider fraud has occurred in spite of extraordinary measures taken to prevent it.

Many lay people assume that malicious software can somehow be detected by inspection or testing, but, perhaps surprisingly, there is no reliable way to do this. Computer systems are the most complex artifacts known; finding cleverly hidden malicious code is much harder than finding a needle in a haystack. (For some benign and fun examples of how easy it is to hide things in software, search for “Microsoft Easter Eggs” on the Internet.)

In the public debate, it may seem that there is some disagreement among technologists about the dangers of paperless e-voting, because the same two computer scientists opposing paper ballots speak at almost every forum. However, the overwhelming consensus of technical opinion is that e-voting is dangerous, and that voters need to be able to verify that their votes were properly recorded. The “Resolution on Electronic Voting”, which I wrote in January 2003, has been endorsed many of the top researchers in computer science, including the authors of several of the most widely read texts on computer security. Also, the Association of Computing Machinery (ACM), the largest professional organization of computer technologists, has taken the position that “… voting systems should enable each voter to inspect a physical (e.g., paper) record to verify that his or her vote has been accurately cast and to serve as an independent check on the result produced and stored by the system.” A poll was conducted on this question, and fully 95% of the respondent ACM members agreed with the statement.

Auditing and Paper Ballots

Systems are usually made trustworthy through independent checks, called “auditing.” Secret ballots make voting uniquely difficult to audit. In other areas, such as finance and e-commerce, audit trails necessarily include the identities of the parties involved in transactions, but voting systems go to great lengths to destroy this information by design, as required by our system of secret ballots.

To understand how voting systems can be made auditable, let’s return to the scribe analogy. One solution would be to eliminate the problematic scribe and have the voter fill out the ballot and deposit it in a ballot box. Or we could make the scribe accountable for his work by allowing the voter to inspect the ballot and deposit it in a secure ballot box (or watch the scribe do so). Analogous solutions will work for voting. We could simply use paper ballots marked by hand and counted by optical scanners; indeed, many U.S. voting jurisdictions use these systems, and have for decades, and the systems are highly accurate. Or “voter verifiable printers” could be attached to touch-screen machines to produce tangible ballots that voters could inspect.

Instead of attempting to solve the unsolvable problem of insuring the integrity of computer hardware and software, these measures place the responsibility on the voter to check that his or her ballot is filled out properly. Imperfections in the technology, whether from unreliable computers or unreliable pens, can be tolerated because each voter can check that his vote was handled properly. With these paper ballots, it is possible to do a meaningful manual count, for election auditing or in a recount, because the records being counted will be known to reflect the voters’ intent.

This generic scheme has been described by various cumbersome phrases, such as “voterverifiable paper audit trail” or “voter-verified paper ballots.” Unfortunately, the awkward “voter-verified” modifier is necessary. A casual reading of HAVA has led many to conclude that it already requires voter-verified paper ballots, since it requires a “manual audit capacity.” Unfortunately, this language is being interpreted to allow printing paper ballots from electronic memory after the close of the polls, for use in a manual recount.

Of course, this interpretation renders the “manual audit capacity” nearly useless, because these paper records may not reflect the intent of the voters, who were unable to check the electronic records on which they are based. Hence, it is necessary to ensure that the voters are able to inspect the paper ballots before they are cast.

Paper ballots are not a magical guarantee of accurate and fraud-free elections. Indeed, there is a long history of errors and election fraud with paper ballots, but those problems stem from inadequate procedures, inadequate checks and balances, and inadequate auditing, not from the use of paper. Improving the trustworthiness of our elections will require attention to many other issues. If machines are used to count the ballots, they must be doubled-checked sufficiently using manual counts to detect and deter systematic fraud. The physical security of the paper ballots must be maintained from the time when they are marked by the voter until the last recount is complete. Above all, all aspects of the election must be open to public scrutiny, and the public must actually scrutinize the conduct of elections.

The conduct of elections in many places falls well short of these ideals. But the solution to that problem should be to improve those procedures, not to eliminate the evidence that could be used to detect errors or fraud. Using paperless electronic voting has been likened by Kim Alexander, President of the California Voter Foundation to “dealing with fraud by eliminating the accounting department.” An ongoing nationwide effort to improve election practices is needed very badly.

These arguments against paperless e-voting are often dismissed on the grounds that “no election technology is perfect.” While this is an undeniable truth, problems vary with different technology. Paperless e-voting is more dangerous than paper ballot systems because it opens the door to wholesale errors. A single bug, or malicious software installed by a single individual, could be distributed to thousands of machines around the country, which could then undetectably change a very large number of votes. And, contrary to the frequent assertions of vendors and some local election officials, there are no “checks and balances” that can reliably prevent or even detect these problems without paper ballots.

How did we get there?

The trend towards paperless e-voting has been driven by the laudable goals of enfranchising more voters and increasing the accuracy and integrity of the voting system. However, a crucial mistake was made, which was to make policy about computer technology without being informed about the limitations and hazards of that technology. Policymakers, without independent knowledge or advice about computer security, were assured by vendors and other proponents of the technology that it was safe, and did not inquire further.

Many claims are made of the superiority of e-voting, for example: the machines are more accurate, and allow users to correct mistakes; they are accessible to people with disabilities who cannot use paper or mechanical voting machines without assistance; they are easier for poll workers to use; and they save the cost of paper ballots.

Even taken at face value, these advantages would not justify sacrificing the transparency of our elections, but many of these claims turn out to be illusory when examined more closely. Studies have indeed shown that the best e-voting equipment is more accurate than the worst technologies, such as pre-scored punch cards, but most of the same studies show that precinct-based optical scan systems are actually more accurate than e-voting machines. (When using a precinct-based optical scan system, the voter fills out a paper ballot by hand and then places it in the optical scanner, which counts and stores the ballot. If there are too many votes for an office or a stray mark that prevents the ballot from being read properly, the scanner rejects it so the voter can correct the problem before casting a vote).

New equipment has recently become available to make it possible for voters with disabilities such as blindness to use optical scan ballots while voting privately; for example, there is a machine that allows voters to read and mark an optical scan ballot using a touch-screen or audio interface. Furthermore, while e-voting machines are accessible in theory, it is unknown how many voters with disabilities have been able to use them successfully in practice. The Silicon Valley Council of the Blind surveyed their members after a recent election only to discover that very few were able to use the new machines that had just been purchased in Santa Clara County, California. (http://www.verifiedvotingfoundation.org/article.php?id=2102)

The claim that e-voting is easier for poll workers to deal with is implausible, and seems not to have been confirmed by experience. Dealing with a workplace full of computers is rarely easy in this day and age. Counties acquiring new e-voting equipment have had to implement extra measures to make sure there are technically capable poll workers (a difficult task) and to have technicians on call to deal with machine problems. Indeed, in recent elections many of the observed failures of e-voting equipment are blamed (often unjustly) on the inability of workers at the polling places to properly setup and operate the equipment.

Finally, e-voting machines cost at least three times as much as optical scan systems to purchase. Even ardent proponents of e-voting admit that this cost difference cannot be recouped in less than 15 years, which is greater than the lifetime of most computerized equipment. There is also some evidence that on-going costs for support and maintenance of e-voting equipment are higher than were estimated in many jurisdictions.

Where do we go from here?

A trustworthy election system depends on three factors: technology, procedures, and observation. Changes are needed in each of these areas. In many cases, election laws will need to be amended.

As was argued above, we need technology that allows each voter to verify that his or her vote was correctly captured. At this time, the only technology that can realistically meet this need is paper, because most voters can verify the contents without computer mediation (which is inherently untrustworthy), because it can be written indelibly, and because the procedures for protecting paper are understandable by ordinary poll workers and voters.

There are now several proposals for voter verification based on advanced cryptography.

These systems are intriguing, but there are still many challenges to be met before they can be responsibly deployed in governmental elections. First, they are not widely understood even by computer science researchers, and have not yet been subjected to the in-depth scrutiny by independent experts that is necessary to be reasonably sure that a system is a secure. Indeed, some experts have commented that these schemes are much more complex than secure computer and communications equipment that has been certified for U.S. military and intelligence applications. Second, the operational and logistical details for using these schemes in real elections have not been worked out. Finally, and most importantly, these systems are completely non-transparent to the average voter, who cannot begin to understand how they work or why they should be trusted.

The second component of a trustworthy election is the use of appropriate procedures. If paper ballots are used, they have to be protected, and the processes for storing, transporting, handling, and counting them have to transparent. Ideally, members of the public and non-governmental organizations as well as political party representatives should be able to observe all of the steps of an election, including machine testing, polling place operations, counting of votes, auditing and recounting.

One of the most important reforms that could be adopted is routine auditing of elections by choosing a small random sample of the ballots, and manually counting them. Careful auditing should occur regardless of whether an election was close or whether there were apparent problems, results of the audit should be made public, and problems detected by the audit should be investigated. By adopting random manual audits universally, we can distinguish the idea of objectively checking an election, to reassure voters of its integrity, from recounts requested by candidates, which are often perceived as tactics for reversing an unwelcome election outcome. Audits are also a mechanism for election quality control. Routine audits will often catch problems in the conduct of elections that are not close, so they can be corrected before they cast the outcome of a closer election in doubt.

The final factor in trustworthy elections is independent observation. In too many states, election laws and practices do not allow independent observers to be present during crucial parts of the process, such as the testing of equipment. In others, only certified representatives of candidates or political parties may observe. This is fundamentally wrong. Elections exist first for the people, not for candidates and parties, and the people, the press, and representatives of non-governmental organizations must be allowed to observe. Finally, the public has an obligation to participate in elections, not only as candidates, but as poll workers and witnesses to the process. This participation should be encouraged by election officials as well as by independent organizations such as ours.

Fortunately, some of these reforms are already underway. Many people in the U.S. are belatedly recognizing that too many states and counties rushed into using e-voting in an overreaction to the problems in the 2000 presidential election. The issue is now drawing a great deal of attention. Many states have changed their plans to convert to e-voting, and now insist on paper ballots. At the Federal level, there are multiple bills in the House and Senate that would require voter-verified paper ballots.

Behind these developments is a large and effective grass-roots movement. The “paper trail movement” is unusual; it does not follow conventional partisan and ideological divides, and it has the participation of prominent computer science researchers, who have great expertise in the relevant areas of technology, and who rarely speak out on other policy issues. Last summer, more than 350,000 U.S. citizens submitted petitions demanding voter-verified paper ballots. This movement will continue to gain momentum, in part because increased attention to elections will expose more and more problems with the use of e-voting.

Conclusions

The recent controversy about electronic voting has focused attention on the conduct of elections, which had been neglected by the public and policymakers for far too long.

Although this attention is uncomfortable for many in the elections community, it is healthy. Ultimately it will result in stronger foundations for our democracy.

 


Letter to the President

Download Verified Voting’s letter to President Barack Obama (PDF)

December 5, 2012

The Honorable Barack Obama
President of the United States
The White House
1600 Pennsylvania Avenue, N.W.
Washington, DC 20500

Dear President Obama:

We agree wholeheartedly with your call to eliminate long lines in voting.  Citizens should not have to choose between waiting for hours to exercise their right to vote or being disenfranchised. However, our nation was lucky. The Presidential election results could have been much closer, and there could have been disputes about who rightfully won. Since many swing states still use computerized direct- recording electronic voting machines (DREs – typically touch screens) that produce results that cannot be independently verified, recounts would have been impossible. Well-designed voting systems allow verification of the results without reliance on software.

The use of paper ballots counted by optical scan machines has proven to be effective at avoiding the problems that resulted in long lines in many states. If a voter is required to mark his or her entire ballot on a DRE, and if there is an insufficient number of DREs, long lines such as those that occurred in the recent election are inevitable. Adding privacy booths for marking paper ballots is far less expensive than purchasing new DREs.

As equipment ages, any electronic voting technology will experience failures ranging from power problems to breakdowns. Such failures of DREs in many polling places in the 2012 election were additional factors in creating long lines. Precinct-based optical scan systems, however, need not create excessive delays, because many voters can mark their paper ballots simultaneously. It takes very little time to feed a paper ballot into an optical scanner. If the scanner is not working because of a technical failure or a power outage, voters can still deposit their paper ballots into ballot boxes for later counting.

Voting systems in current use are run by unobservable software that can produce erroneous results, either due to inadvertent errors or malicious attacks. Therefore, after an election it is imperative to check that the software has behaved correctly. That means that election results need to be audited independently of voting system hardware and software to make sure that the software has performed correctly, and it must be possible to recount all the votes in order to confirm the election results.

The outcomes of an election that uses optical scan machines can be verified by manually examining a randomly selected set of paper ballots (a post-election ballot audit) for which a sound chain of custody has been maintained. A properly conducted audit will either confirm that the machine results are correct or will determine the correct results by a full hand recount, if necessary. Discrepancies uncovered by post-election ballot audits should be reported and analyzed.

By contrast, although some performance information can be obtained, it is not possible to conduct a meaningful audit or recount of elections using paperless DREs, nor is it possible to determine that the electronic results are correct. DREs are not needed for voters with disabilities, since accessible ballot marking devices that produce paper ballots that can be audited and recounted are now available.

Internet voting (the return of voted ballots over the Internet including fax and e-mail) has been proposed as a solution to long lines at the polls. But since it is vulnerable to attacks from anyone/anywhere, Internet voting must not be allowed at this time. In addition to security and accuracy risks, Internet voting threatens the secret ballot, which is key to avoiding voter coercion and vote buying and selling. The secret ballot was originally instituted not as a right that an individual can waive, but rather as an obligation of the government to protect all citizens from coercion and intimidation as they cast their votes. Because of multiple intrinsic risks, Internet voting should be forbidden unless and until proposed systems have undergone extensive, independent public review and open testing to ensure that they have solved the fundamental problems of security, privacy, authentication, and verification.

Finally, to improve future elections we need to start measuring and publicly reporting poll wait-times, the accuracy of vote counts, and all incidents that interfere with the conduct of a free and fair election. All federal contests should be audited and, if the audits uncover problems, fully recounted.

In summary, we strongly recommend Federal legislation to prohibit Internet transmission of cast (marked) ballots in Federal elections and to encourage local governments to replace aging DRE voting systems with paper ballots tabulated by precinct-based optical scan machines. These two steps will greatly enhance our national capacity to ensure both that every ballot is recorded as the voter intended and counted as cast, and that the results can be verified as accurate.

The signers of this letter include elections officials, as well as experts in cyber security, election law, post-election audits, election integrity, and accessible technologies. We would be delighted to be of assistance in any way possible.

Our great democracy deserves voting systems that facilitate the act of voting without creating long lines and that attain the highest standards of accuracy, accessibility, reliability, transparency, and security.

Respectfully,

[AFFILIATIONS ARE FOR IDENTIFICATION PURPOSES ONLY]

Contact: Barbara Simons, IBM Research (retired); member, EAC Board of Advisors; Chair, Board of Directors, Verified Voting; Former President, ACM; Coauthor, Broken Ballots: Will Your Vote Count simons@acm.org 650-328-8730

Andrew W. Appel, Eugene Higgins Professor of Computer Science, Princeton University
Matt Blaze, Assoc. Professor, Computer & Information Science, Univ. of Pennsylvania Harvie Branscomb, Colorado Voter Group
Duncan A. Buell, Computer Science and Engineering Professor, Univ. of South Carolina David Dill, Computer Science Professor, Stanford Univ.; Board of Directors, Verified Voting Susan Dzieduszycka-Suinat, Overseas Vote Foundation
Jeremy Epstein, Senior Computer Scientist, SRI International
David J. Farber, Distinguished Professor of Computer Science & Public Policy, Carnegie Mellon University
Lowell Finley, Member, EAC Standards Board
Irene Etkin Goldman, Voting Rights Advocate, Board Chair, Coalition for Peace Action, Princeton, N.J.
Mary Ann Gould, Co-Founder, Executive Director, Coalition for Voting Integrity
J. Alex Halderman, Assistant Professor of Computer Science & Engineering, Univ. of Michigan
Joseph Lorenzo Hall, Senior Staff Technologist, Center for Democracy & Technology
Mark Halvorson, Founder and Former Director, Citizens for Election Integrity Minnesota
Candice Hoke, Director, Public Monitor of Cuyahoga Election Reform; Law professor, Cleveland State University
Representative Rush Holt, Member of Congress
Harri Hursti, Security Researcher, CTO SafelyLocked
Holly Jacobson, Co-Founder, Voter Action
David Jefferson, Computer Scientist, Lawrence Livermore National Laboratory; Board of Directors, California Voter Foundation; Board of Directors, Verified Voting
Douglas W. Jones, Associate Professor of Computer Science, Univ. of Iowa; Coauthor, Broken Ballots: Will Your Vote Count
Earl Katz, Public Interest Pictures
Douglas A. Kellner, Co-Chair, New York State Board of Elections
Marybeth Kuznik, Executive Director, VotePA; Judge of Elections, Penn Township, Westmoreland County, PA
Mark Lindeman, Adjunct Assistant Professor of Political Science, Columbia Univ.
Collin Lynch, Intelligent Systems Program, University of Pittsburgh; Past President, VoteAllegheny; Member, VotePA; Past Co-Chair, Allegheny County Citizen’s Advisory Panel on Election Systems
Margaret MacAlpine, Advisory Comm. Member, California Post Election Risk-Limiting Audit Pilot Program
Neal McBurnett, ElectionAudits (the open source project)
John McCarthy, Lawrence Berkeley Nat’l Laboratory Computer Scientist (retired); Verified Voting
Dan McCrea, President and Co-Founder, Florida Voters Foundation
Walter Mebane, Professor of Political Science and Professor of Statistics, Univ. of Michigan
Justin Moore, Board of Advisors, Verified Voting Foundation
Michelle Mulder, Consultant, Verified Voting Foundation
Peter G. Neumann, Principal Scientist, SRI Internat’l Computer Science Lab; Moderator, ACM Risks Forum
Ronald L. Rivest, Viterbi Professor of Computer Science, MIT Lida Rodriguez-Taseff, Miami-Dade Election Reform Coalition
Aviel D. Rubin, Professor of Computer Science and Technical Director of the Information Security Institute, Johns Hopkins Univ.
Noel Runyan, President of Personal Data Systems, Campbell, CA.
Ion Sancho, Leon County Supervisor of Elections
Bruce Schneier, Chief Security Technology Officer, BT; Security technologist and author
Kevin Shelley, Former California Secretary of State
Stephanie Singer, Philadelphia City [Elections] Commissioner
Pamela Smith, President, Verified Voting
Howard Stanislevic, Founder, E-Voter Education Project, NY, NY
Philip B. Stark, Professor and Chair, Department of Statistics, Univ. of California, Berkeley
Paul Stokes, United Voters of New Mexico
Penny M. Venetis, Clinical Prof. of Law, Judge Dickinson R. Debevoise Scholar; Co-Director, Constitutional Litigation Clinic, Rutgers School of Law-Newark
David Wagner, Professor of Computer Science, Univ. of California, Berkeley
Luther Weeks, CTVotersCount
Rebecca Wilson, Co-Director, SAVE our Votes: Secure, Accessible, Verifiable Elections for Maryland

cc: House Committee on Judiciary
House Committee on House Administration
Senate Committee on Rules and Administration
Congressman Gerry Connolly
Congressman George Miller
Congressman John Lewis
Senator Chris Coons
Senator Mark Warner
House Speaker John Boehner
House Minority Leader Nancy Pelosi



Privacy Statement of Verified Voting Foundation and VerifiedVoting.org

Privacy Statement of Verified Voting Foundation, Inc., and VerifiedVoting.org, Inc. Statement No 22093
Modern information and communication technologies play a fundamental role in the activities of an organisation like Verified Voting Foundation, Inc., and VerifiedVoting.org, Inc. We are based in Carlsbad CA, USA.

Our principal activities are: election integrity advocacy. Our privacy policy covers Verified Voting Foundation, Inc., and VerifiedVoting.org, Inc. and its websites.

Organisation Name: Verified Voting Foundation, Inc., and VerifiedVoting.org, Inc.
Address: 1550 Bryant Street, Suite 855
City, Zip: San Francisco, CA 94103-4879
State: CA
Country: USA
Controller: Executive Director
Websites(s): http://www.verifiedvoting.org/

Providing Visitors with Anonymous Access You can access our website home page and browse our site without disclosing your personal data.

The Services and Links of Our Website Our Web site enables you to communicate with other visitors or to post information to be accessed by others. When you do so, other visitors may collect your data. Our website does not include links to third party Web service providers.

Automatic Collection of Information We do not automatically log personal data nor do we link information automatically logged by other means with personal data about specific individuals.  We use cookies to store personal data or we link information stored in cookies with personal data about specific individuals. We do so for the following purposes:

Data Collection and Purpose Specification We collect the personal data that you may volunteer while using our services.  We do not collect information about our visitors from other sources, such as public records or bodies, or private organisations. To access the table of personal data collected and purposes for which they are used, please click here  We may collect and use personal data for the additional purpose of: Volunteering for election integrity advocacy If we wish to use your personal data for a new purpose, we offer you the means to consent to this new purpose: by indicating in a box at the point on the site where personal data is collected.

Children’s Privacy We do not knowingly collect personal data from children. We take specific steps to protect the privacy of children by: Additionally, to ensure that children’s privacy is respected on our website, we remove any such data if we find out that it has been entered into our database.  We do provide information about our personal data practices in relation to children on our home page and wherever we knowingly collect personnal data from children on our website.

Disclosure and Visitor Choice We do not disclose your personal data to our subsidiaries or other organizations. Where we disclose your personal data for purposes which are different from those indicated in the table mentioned above, we offer you the opportunity to consent to disclosure:

Confidentiality / Security We give you the option of using a secure transmission method to send us the following types of personal data:

We have implemented security policies, rules and technical measures to protect the personal data that we have under our control from:

All our employees and data processors, who have access to, and are associated with the processing of personal data, are obliged to respect the confidentiality of our visitors’ personal data. We ensure that your personal data will not be disclosed to State institutions and authorities except if required by law or other regulation.

Access to the personal data we may hold about you You can ask us, by:

Upon request, we will provide you with a readable copy of the personal data which we keep about you, almost instantaneously on-line. – although we may before require proof of your identity -. We will provide the information without any charge. We allow you to challenge the data that we hold about you and, where appropriate, you may have the data: erased, rectified or amended, completed

We do not reserve the right to refuse to provide you with a copy of your personal data.

Privacy Compliance Our privacy policy is compliant with the following instrument: There are no global or regional regulatory or self-regulatory schemes applicable to our website or organization.  In order to demonstrate that our privacy policy accords with the above privacy instrument, we are:

Self Assessment procedure

Name or designation of the privacy policy person or service Executive Director
URL http://www.verifiedvoting.org/
Address 1550 Bryant St., Suite 855
San Francisco, CA 94103
Country USA
Privacy Support If you have an enquiry or concern about our privacy policy, please contact:

Contact 1
Name/designation : Executive Director
Department :
Address : 454 Shotwell Street, San Francisco, CA 94110 USA
Phone Number : +1 415 487-2255
Fax Number : +1 928 244-2347
Email address : privacy@verifiedvoting.org
URL : http://www.verifiedvoting.org/privacy/

We do not recommend another means by which visitors’ concerns may be addressed.

 

TABLE of personal data collected and purposes for which they are used

Primary personal data/Business information

 

 

 

 

x volunteered by each visitor
collected from public records or bodies
collected from private organisations

Primary personal data
Technical administration of the website Research &development Customer Administration Marketing Trading in personal data
Name

x

x

x

x

Gender

Address

x

x

E-mail address

x

x

x

x

Phone/Fax number

x

x

other (describe)

 

 


Business Information
Technical administration of the website Research & development Customer Administration Marketing Trading in personal data
Employer/organisation

x

x

Job title

x

x

Address

x

x

E-mail address

x

x

Phone/Fax number

x

x

other (describe)

 

 

Other personal details and profiling data

 

 

 

 

x volunteered by each visitor
collected from public records or bodies
collected from private organisations

 

 


Technical administration of the website Research & development Customer Administration Marketing Trading in personal data
Personal details

Physical description

Family characteristics

Education and skills

x

Life style or personal tastes

Financial resources

other (describe)

 

 

Identifiers

 

 

 

 

x volunteered by each visitor
collected from public records or bodies
collected from private organisations

 

 


Technical administration of the website Research & development Customer Administration Marketing Trading in personal data
On-line identifiers

x

x

Financial identifiers

x

identifiers assigned by Public bodies

Biometrics identifiers

other (describe)

 

 

Specific Data

 

 

 

 

x volunteered by each visitor
collected from public records or bodies
collected from private organisations

 

 


Technical administration of the website Research & development Customer Administration Marketing Trading in personal data
Racial or ethnic origin

Political opinions

x

Religious or philosophical beliefs

Trade union membership

Health/Medical data

Sex life

Police/Justice data such as civil/criminal actions brought by or against the visitor

other (describe)

 


 


Donate to the Verified Voting Foundation


Donate to the Verified Voting Foundation by Check

Thank you for your interest in supporting the Verified Voting Foundation! If you would prefer to donate by check, please fill out the form below for our records, mail your check payable to Verified Voting Foundation and mail to:

Verified Voting Foundation
PO Box 460550
San Francisco, CA 94146

You can also donate online.

Donations to the Verified Voting Foundation are tax-deductible to the extent provided by U.S. tax law.

My Fieldset
  1. (required)
  2. (valid email required)
 



cforms contact form by delicious:days


Donate to the Voting News


Donate to VerifiedVoting.org


Donate to VerifiedVoting.org by Check

Thank you for your interest in supporting VerifiedVoting.org. If you prefer to donate by check, please fill out the form below for our records, make your check payable to VerifiedVoting.org and mail to:

VerifiedVoting.org
PO Box 460550
San Francisco, CA 94146

You can also donate online.

VerifiedVoting.org is a 501(c)(4) nonprofit organization and your contribution is not tax-deductible. If you would prefer to make a tax-deductible contribution, please donate to the Verified Voting Foundation.

My Fieldset
  1. (required)
  2. (valid email required)
 



cforms contact form by delicious:days


Donation Page Test


Please contribute to the effort for reliable and publicly verifiable election systems. You can choose to support either the Verified Voting Foundation, a 501(c)(3) nonprofit organization with tax-deductible contributions permitted to the extent provided by U.S. tax law, or VerifiedVoting.org, a 501(c)(4) nonprofit organization (contributions not tax-deductible).

Choose How You Wish to Donate
Verified Voting Foundation

The Verified Voting Foundation is a 501(c)(3) non-profit corporation. Donations to the Verified Voting Foundation are tax-deductible to the extent provided by U.S. tax law.

Donate: VV Foundation

VerifiedVoting.org

VerifiedVoting.org is a 501(c)(4) non-profit corporation to support our lobbying efforts. Donations to VerifiedVoting.org are not tax-deductible.

Donate: Verified Voting

The Voting News

The Voting News is a news service made possible by the Verified Voting Foundation. Please help us maintain The Voting News with a tax-deductible donation!

Donate: Voting News

Other Ways to Support the Verified Voting Foundation

Click here to give via Paypal (Verified Voting Foundation)

GoodSearch

When you use GoodSearch to search the internet or GoodShop for online purchases, the Verified Voting Foundation recieves a contribution at no cost to you.

Give from your donor advised fund.

Verified Voting greatly appreciates the support of individuals and grant-funding organizations that believe in transparent and publicly verifiable elections. It is our policy not to accept contributions from vendors of election-related equipment or services or any officers, directors or senior-level employees of any vendor. We also do not accept contributions from individuals currently standing for election. Both Verified Voting Foundation and VerifiedVoting.org may also refuse contributions where we feel that the contribution is intended to, or may be interpreted as, interfering with the independent, non-partisan judgment of the Verified Voting Foundation or VerifiedVoting.org staff or board on any issue.


Donor Advised Fund Donations

Give from your donor advised fund.


[/box]


Election Administrators EA Pollbook and EA Tablet

EA_Tablet_600x333Election Administrators’ two primary products are the EA Pollbook and the EA Tablet. While they both serve as electronic pollbooks, they differ in a few important ways.


Events

August 13, 2014 – 10th Anniversary Celebration – San Francisco Bay Area

Join Verified Voting for a cocktail reception celebrating 10 Years of Safeguarding Elections in the Digital Age, featuring a talk by Ron Rivest, PhD., MIT computer science professor, co-founder of RSA Data Security and Verisign, and Verified Voting Board Member.

Wednesday, August 13

5:30-8:30PM

Computer History Museum [map]

1401 N Shoreline Blvd, Mountain View, CA 94043

Hors d’oeuvres and hosted bar in the Museum’s outdoor courtyard

Access to the Autonomous Vehicle Exhibit!

Free parking

Tickets: $50 per person

RSVP by Monday, August 4th

RSVP Here

or Call 760-434-8683

E-mail RSVP@verifiedvoting.org

Event Generously Sponsored by:

intel security

Fenwick and West logo

No, I am not able to attend but please accept my donation

 For more information, please contact rsvp@verifiedvoting.org.


Help Support the Verified Voting Foundation

Please contribute to the effort for reliable and publicly verifiable election systems. The Verified Voting Foundation is a 501(c)(3) nonprofit corporation. Your contribution is tax-deductible to the extent provided by U.S. tax law. If you prefer, you may donate to the 501(c)(4) efforts of VerifiedVoting.org, which include advocating for State and Federal legislation that would promote transparent and verifiable elections.

Choose how you wish to donate:

1. Online Donation With your credit card (Visa, MasterCard, Amex, or Discover), your donation arrives rapidly, although merchant processing reduces your contribution by fees of 2-6%.

2. Check Donation Mail us a check. No fees, but it takes a bit longer and you pay the postage. Please make your check out to “Verified Voting Foundation”.

3. Donate Through PayPal

Note that PayPal donations reduce your donation by fees of 2.9% plus $0.30 per transaction.

Other Ways to Support the Verified Voting Foundation

When you use Goodsearch to search the internet or Goodshop for online purchases, the Verified Voting Foundation recieves a contribution at no cost to you.

Question or difficulty?

If you have any questions regarding the online donation process, please feel free to contact us online or at:
VerifiedVoting.org
PO Box 460550
San Francisco, CA 94146
760-804-VOTE (8683)
321-600-6860 fax


Help Support Verified Voting

Please contribute to the effort for reliable and publicly verifiable election systems. You can choose to support either the Verified Voting Foundation, a 501(c)(3) nonprofit organization with tax-deductible contributions permitted to the extent provided by U.S. tax law, or VerifiedVoting.org, a 501(c)(4) nonprofit organization (contributions not tax-deductible).

Choose How You Wish to Donate
Verified Voting Foundation

The Verified Voting Foundation is
a 501(c)(3) non-profit corporation. Donations to the Verified Voting Foundation are tax-deductible to the extent provided by US tax law.

Donate: VV Foundation

VerifiedVoting.org

VerifiedVoting.org is a 501(c)(4) non-profit corporation to support our lobbying efforts. Donations to VerifiedVoting.org are not tax-deductible.

Donate: Verified Voting

The Voting News

The Voting News is a news service made possible by the Verified Voting Foundation. Please help us maintain The Voting News with a tax-deductible donation!

Donate: Voting News

Other Ways to Support Verified Voting

Donate via Paypal
Verified Voting Foundation




Donate via Paypal
VerifiedVoting.org




  

To donate by check, please make out your check to either Verified Voting Foundation (to receive a tax deduction) or VerifiedVoting.org (to support our legislative advocacy for better election systems, not tax deductible) and mail to:
Verified Voting
PO Box 460550
San Francisco, CA 94146-0550

Verified Voting Foundation
Federal Tax ID#: 20-0765743
501(c)(3) Tax-Deductible
VerifiedVoting.org
Federal Tax ID#: 20-0665713
501(c)(4) Non Tax-Deductible

For information on donating stocks, Click Here

To give from your donor advised fund, Click Here

When you use GoodSearch to search the internet or GoodShop for online purchases, the Verified Voting Foundation recieves a contribution at no cost to you.

Verified Voting greatly appreciates the support of individuals and grant-funding organizations that believe in transparent and publicly verifiable elections. It is our policy not to accept contributions from vendors of election-related equipment or services or any officers, directors or senior-level employees of any vendor. We also do not accept contributions from individuals currently standing for election. Both Verified Voting Foundation and VerifiedVoting.org may also refuse contributions where we feel that the contribution is intended to, or may be interpreted as, interfering with the independent, non-partisan judgment of the Verified Voting Foundation or VerifiedVoting.org staff or board on any issue.


Help Support VerifiedVoting.org

Please contribute our advocacy of legislation and policies that promote reliable and publicly verifiable election systems. Donations to VerifiedVoting.org (a 501(c)(4) organization) are not tax deductible. If you prefer, you may donate to the 501(c)(3) educational efforts of the Verified Voting Foundation with contributions tax-deductible to the extent provided by law.

Choose how you wish to donate:

1. Online Donation With your credit card (Visa, MasterCard, Amex, or Discover), your donation arrives rapidly, although merchant processing reduces your contribution by fees of 2-6%.

2. Check Donation Mail us a check. No fees, but it takes a bit longer and you pay the postage. Please make your check out to “VerifiedVoting.org”.

3. Donate to VerifiedVoting.org via Paypal

Note that PayPal donations reduce your donation by fees of 2.9% plus $0.30 per transaction.

Question or difficulty?If you have any questions regarding the online donation process, please feel free to contact us online or at:

VerifiedVoting.org
PO Box 460550
San Francisco, CA 94146
760-434-VOTE (8683)
321-600-6860 fax


How You Can Play an Active Role in Protecting Elections

usaballot

What a time this is.  A major-party campaign was hacked, and America’s cyber security experts say the culprits were overseas.  

And we learned that two states’ voter registration databases were breached this summer, also likely by foreign powers? It’s easy to feel like the election results could be driven by external events over which you have no control.

But here’s the good news: You can volunteer to play an active role in ensuring that elections are run safely and fairly. For every election, our system relies on citizens like you to volunteer to work at polling places. Now, more than ever, we need people to step forward and serve their communities by filling this crucial citizen role.

The need for this could not be clearer.  We’re making it easy for you to find out how to volunteer in your community. The link below will take you to the Election Assistance Commission’s interactive map. Simply click on your state and select “Election Day Workers”. That will give you a link to your Secretary of State’s election page from which you can navigate to the specific information about volunteering in your county.

CLICK HERE TO VOLUNTEER TO BE AN ELECTION WORKER IN YOUR COMMUNITY

As you know, we’ve worked closely with state election officials and other experts for years, advocating for the most secure voting systems available.  Now we are promoting the efforts of the Election Assistance Commission, the Department of Homeland Security and other agencies to address the serious concerns that have arisen about the security of our election systems.  

But the heavy lifting of making sure our elections run smoothly on the ground, ON ELECTION DAY depends on citizens like you stepping forward to do the work involved in running a polling place with efficiency, courtesy and integrity.

At Verified Voting, many of our Board, staff and volunteers have served as poll workers and have found it incredibly rewarding to help voters as an integral part of the electoral process.

Please join us in making this commitment to the election systems on which we all rely.

 


Internet Voting Outside the United States

A dozen nations have explored the use of online voting since 2000 and we profile the experience of six countries on this page: Australia, Canada, Estonia, Finland, France and Norway. These examples are often presented as reasons why the United States should be able to deploy Internet voting – “if they are doing it, why aren’t we?” It is worth noting that while some of the countries using the technology believe it has been successfully deployed, this may be due to an abundance of optimism about the challenge of securing such elections. Computer technology lends itself to undetected subversion and where problems have been too obvious to ignore some countries have discontinued piloting or using online voting for the present.

Unsolved problems with internet security make the electronic transmission of voted ballots too vulnerable to attack and too unreliable to be deployed today in our public elections. Beyond the threat of hacking or error, internet voting cannot provide an adequate means of independently verifying vote totals, which will inevitably erode public confidence in the announced results of close or disputed elections. While some promising end-to-end voter verifiable systems are under development, current commercially available technology is untested, proprietary, too vulnerable, and incapable of overcoming these fundamental vulnerabilities.

Australia
Australia has experimented with pilots of Internet voting technologies, most recently in New South Wales in 2011. An assessment of the NSW program noted that there was a significant problem with mis-recorded votes, where votes were recorded as an alphabetic letter rather than as the required digits. Those votes were not counted, and voters were not able to re-vote. Other problems pertained to voter authentication, including a circumstance in which voters using truncated ID numbers (fewer digits than official ID numbers were required to have) were able to log in and vote. Using ID numbers was meant to anonymise the voters, but because the system failed to properly separate ID numbers from votes or voters, the New South Wales Electoral Commission was able to trace the votes to the voters using the incorrect ID numbers, completely contravening the country’s anonymity requirement.

Post-Implementation Review of the iVote Project (Price Waterhouse Coopers, 2015)
The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election (Halderman and Teague, 2015)
Problems with the iVote Internet Voting System (Computing Research and Education Association of Australasia, 2012)
Post Implementation Report (Elections NSW, 2011)
iVote Report (Allen Consulting Group, 2011)

Canada
Canada has been contemplating online voting for several years in Federal, Provincial and Municipal elections. In 2011 the British Columbia Elections Commission produced a paper recommending against online voting (see below), yet some jurisdictions have continued to move forward. Indeed, a primary election in 2012 was disrupted by hackers. Incidentally, days later a non-governmental election in Hong Kong was also attacked. In 2013 Elections Canada, the independent, non-partisan agency responsible for conducting federal elections and referendums in that nation, reported it is holding off on further experimentation with Internet voting until at least after 2015.

Recommendations Report to the Legislative Assembly (Independent Panel on Internet Voting, BC, 2014)
Security Assessment of Vendor Proposals (City of Toronto, 2014)
Web Accessibility (WGAC 2.0) Evaluation (City of Toronto, 2014)
Status Update – Internet Voting Service for PErsons with Disabilities for the 2014 Municipal Election (City of Toronto, 2014)
Internet Voting for Persons with Disabilities – Demonstration Script (City of Toronto, 2013)
RFP for Internet Voting (City of Toronto, 2013)
Scytl Agreement (City of Toronto, 2014)
Scytl Statement of Work – redacted (City of Leamington, 2014)
Scytl Statement of Work – unredacted (City of Leamington, 2014)
Dominion Statement of Work (City of Brockton, 2014)
Internet Voting Discussion Paper (Elections BC, 2011)
Internet Voting Report (Delvinia, 2004)

Estonia
Estonia  began an internet voting program in 2005. In Estonia, where now 24% of voters use the Internet voting system, all citizens have a smart ID card, enabling voter authentication in a way we are unable to duplicate for an online voting system in the US.  (Citizens in the U.S. do not have such a national ID system nor any similar public key infrastructure.) Authenticating the voter is only one challenge, however. The Estonia system was evaluated by The Organization for Security and Cooperation in Europe / Office for Democratic Institutions and Human Rights (OSCE/ODIHR) after their team carried out an observation mission in 2011. They described a number of security problems, including lack of adequate protection of anonymity or privacy of the ballots. A Finnish technologist familiar with the region reports from a 2013 trip there that so far most investigation of their Internet voting system has been done with a low level of technological proficiency.

A petitioner sued to invalidate the electronic results in the 2011 Estonian election, on the basis that it was possible for a virus to block submission of an Internet vote without the voter’s knowledge, and made a successful demonstration of such a vulnerability to the Court. Nonetheless, because there was no other mechanism to evaluate the reported result, the Court found no evidence that the reported result was inaccurate, and rejected the legal challenge. (There are more interesting legal aspects if you are interested!) The Estonian system also fails to provide for use by voters who speak a language other than Estonian.

Security Analysis of the Estonian Internet Voting System (Halderman, Hurst, Kitcat, et al, 2014)
Report on 2011 Estonian Parliament Elections (Office for Democratic Institutions and Human Rights, 2012)

Finland
Finland explored the use of a kiosk-based online voting system, which offers increased protection against coercion, and reduces somewhat the risk of some forms of malware.  The U.S. Election Assistance Commission and a number of computer scientists studying the issue believe that the most likely prospect for online voting with any measure of security would be a kiosk-based system.  However, early experiments with a kiosk-based system have shown scalability issues. More notably for the US, the systems being deployed and used today in the U.S. are not kiosk-based, lacking even the partial mitigations a kiosk system might offer. Due to significant flaws in the system resulting in lost votes, Finland’s Supreme Administrative Court in 2009 annulled results of Finnish 2008 municipal election and called for a re-vote on a paper ballot system.

A Report on the Finnish E-Voting Pilot (Electronic Frontier Finland, 2009)
Report on Finnish E-Voting Pilot (Council of Europe, 2008)

France
France conducted an online primary in 2014, its first, using a system touted as secure, but journalists from the news site Metronews proved that it was easy to breach the allegedly strict security of the election and vote several times using different names, throwing the outcome into doubt.
Norway
Norway has been experimenting with a system developed by a Spanish company, Scytl. (The same company’s system was piloted in the US in 2008 in Okaloosa County, and reviewed here. In that test, a physical copy of the voter’s choices, reviewed by each voter, was produced, in addition to the electronic copy. This enabled an audit of the system, but that feature is nearly always absent with Internet voting systems.) 

A “low-effort review of the source code” of Norway’s system was conducted by experts from the Norwegian Computing Center and the Norwegian University of Science and Technology, finding even at a rudimentary glance “significant problems with coding style, security and correctness.” We do not know if any mitigating improvements have been made to date, but the problems found had the potential for altered outcomes. In June, 2014 the Norwegian Government announced that it would no longer pursue internet voting pilot projects.

Public Review of E-Voting Source Code (Tapir Akademisk Forlag, 2011)

Other Countries
Other European countries have experimented with electronic or Internet voting and have elected to discontinue its use. In Spain, an election for a “referendum in the Spanish city of Barcelona encountered problems in relation to voter identification and identity theft, with a prominent voter finding that someone had already logged on with his authentication details and cast a ballot for him,” as reported in this comprehensive 2012 International Foundation for Electoral Systems (IFES) report about Internet and electronic voting. In August 2014, Arnis Cimdars, chairman of Latvia’s Central Electoral Commission (CVK) said that electronic voting was not secure enough to allow it to be used in Latvian elections, noting According to our experts, it is not possible for us with current technology. We have some mental reservations about this method of voting, too… at the moment it is not possible to ensure the anonymity and security of this method of voting, so I don’t think it will happen very soon.”

 


Internet Voting Resource Document

View Resources and Reports Powerpoint Slides

Research on “Internet voting” includes all schemes which include the electronic transmission of the voted ballot over the Internet, whether or not the tabulation of votes takes place off-line. This is because unsolved security challenges exist with the electronic transmission of voted ballots that can compromise an election. Therefore, researchers generally use the term “Internet voting” to include any voting form in which a voted ballot is transmitted in electronic form over the Internet. This is a summary of relevant existing information on the security issues associated with Internet voting.

The SERVE Report The federal government has been exploring online voting and electronic ballot return for over a decade. In the 2002 National Defense Authorization Act (NDAA), congress directed the Department of Defense (DoD) to develop an Internet voting demonstration project for the military. The Federal Voting Assistance Program (FVAP), an agency administered by the DoD developed the Secure Electronic Registration and Voting Experiment (SERVE) system for deployment in the 2004 election. A team of security researchers reviewed the system at the request of DoD and found it to be vulnerable to online attacks. The deputy secretary of defense cancelled the project claiming the DoD could not ensure the legitimacy of the ballots sent over the Internet.

The SERVE Security report can be found here.

http://www.servesecurityreport.org/paper.pdf

While over ten years old, the findings of the SERVE report are noteworthy because they encapsulated the overarching problem with securing online voting which remains in effect today. The experts wrote:

“The real barrier to success is not a lack of vision, skill, resources, or dedication; it is the fact that, given the current Internet and PC security technology, and the goal of a secure, all-electronic remote voting system, the FVAP has taken on an essentially impossible task. There really is no good way to build such a voting system without a radical change in overall architecture of the Internet and the PC, or some unforeseen security breakthrough. The SERVE project is thus too far ahead of its time, and should not be reconsidered until there is a much improved security infrastructure to build upon.”

Unfortunately, there has not been a radical change in the overall architecture of the Internet or an unforeseen security breakthrough. Instead the Internet has become less secure with the stealth, sophistication and frequency of cyber attacks outpacing the development of security tools needed to resist them. Moreover, the rise of organized cyber crime syndicates, state-sponsored cyber attacks and hackers for hire on the dark web have made cyber crime more prevalent. The problems identified in 2004 still exist and have been documented and re-documented in numerous other studies.

NIST reports

Following the cancellation of the SERVE project, Congress amended the NDAA in 2005 to direct the U.S. Election Assistance Commission – and by extension the National Institute of Standards and Technology (NIST) to develop security standards for the DoD’s Internet voting demonstration project. In this effort NIST spent several years researching online voting, the security vulnerabilities and the security tools and mitigations available to protect an online voting system from malicious attacks. NIST published several reports that examine all forms of Internet voting, including electronic transmission of voted ballot.

NIST also issued a statement summarizing its research which concluded:

“Internet voting systems cannot currently be audited with a comparable level of confidence in the audit results as those for polling place systems.   Malware on voters’ personal computers poses a serious threat that could compromise the secrecy or integrity of voters’ ballots.   And, the United States currently lacks a public  infrastructure for secure electronic voter authentication. Therefore, NIST’s research results indicate that additional research and development is needed to overcome these challenges before secure Internet voting  will be feasible.”

http://www.nist.gov/itl/vote/uocava.cfm

The DC Hack

In 2010, the District of Colombia intended to deploy a system to allow military and overseas voters to vote remotely online using a fillable pdf sent by electronic transmission with encryption. Before deploying the system in a live election, the DC Board of Elections opened up the system to a public trial allowing voters to test the system and inviting white hat hackers to test the system’s security. In less than 36 hours a team of students at the University of Michigan were able to undetectably break into the system. The team had complete control of the Election Board’s server, access to all the information stored on it and were able to silently change all the selections on the ballots to their choices. While they had control, the team noticed the DC online voting system was being probed by attackers from Iran and China. The attack was only discovered by the DC board of elections because the Michigan team left a “calling card,” rigging the system to play the Michigan fight song, “Hail to the Victors,” on voters’ home computers after a ballot was cast.

This was reported in The New York Times in this story, “Voting Test Falls Victim to Hackers.” The technical paper published by the Michigan team can be found here.

https://jhalderm.com/pub/papers/dcvoting-fc12.pdf

Vulnerabilities in the Estonian E-voting system

Estonia is often held as an example by proponents of online voting however, its system has been proven to be untrustworthy. A team of international computer security experts examined the system and found significant security vulnerabilities. The technical paper on their findings and a video summarizing the research can be found here.

https://estoniaevoting.org/

Vulnerabilities in the SCYTL New South Wales, Australia online voting system

Despite warnings by critics against the use of online voting, the New South Wales Electoral Commission deployed an online voting system created by Scytl (the vendor that testified before the NJ Assembly Military and Veterans’ Affairs Committee), for all citizens earlier this year. While the system was running in a live election researchers found that the system was highly vulnerable to at least two well-known types of attacks despite the vendor’s use of SSL encryption technology, a security tool meant to establish an encrypted link between the voter’s computer and the election server. The researchers reported the vulnerabilities to the Australian Computer Emergency Response Team and the system was taken off line while the vulnerabilities were addressed. However, over 60,000 ballots had been cast on the system while it was wide open to attack. Details of this can be found here.

https://freedom-to-tinker.com/blog/teaguehalderman/ivote-vulnerability/

Norway dumps online voting after an encryption error

In 2013 Norway trialed an online voting system from the vendor Scytl but officials discovered that the encryption was not configured properly and thousands of ballots were exposed. The Norwegian government abandoned online voting after this event.

https://www.regjeringen.no/en/topics/elections-and-democracy/e-vote-trial/news-about-the-e-vote-2011-project/year/2013/protection-of-the-internet-votes/id735156/

http://www.bbc.com/news/technology-28055678

Researchers prove pdf ballots can be altered in transit over the Internet

There is a common misperception that ballots can be securely transmitted in the form of a marked pdf by email, digital fax or electronic transmission provided the ballot is printed at the election office and tabulated by a conventional off-line ballot scanning system. This is not true. Ballots transmitted in the form of a pdf can be altered during transit over the Internet by any attacker that targets and compromises any of the routers and servers that the ballot would pass through between the voter and election office. This was proven in a proof-of-concept exercise by the computer security firm Galois. This page provides a layman’s explanation, video and technical paper on this attack.

http://galois.com/blog/2014/11/hacking-Internet-voting-via-ballot-tampering/

The Utah iVote Advisory Committee Report

Utah adopted online return of voted ballots for the military and disabled voters via email, over the objections of computer security and election experts. The Lt. Governor, Spencer Cox, a proponent of online voting, assembled an iVote Advisory committee which included election officials and technologists to explore the possibility of expanding online voting to all voters in the state. The committee released a report on its findings this past summer stating plainly that all of the currently available online voting systems – which includes Utah’s systems currently in use – are not secure. The report warned:

“Given that sufficiently secure Internet voting systems do not yet exist, they would need to be built. Of course, some systems, like a stone bridge to the moon, are impossible to build. Others, like a stone bridge to Hawaii, are so exorbitantly expensive as to remain a fool’s errand. However, other systems, like spacecraft, aircraft, and the newer Sam White Bridge, are much more affordable. Unfortunately, with the four challenges mentioned in the preceding section, the unconstrained nirvana of Internet voting, “from any device, entirely online,” is so impossible, or at least infeasible, as to be a fool’s errand.”

The report can be found here.

http://elections.utah.gov/Media/Default/Documents/Report/iVote%20Report%20Final.pdf

The Heritage Report

The Heritage Foundation has long made improving voting for military voters a top policy priority. Heritage has supported and promoted policies aimed at ensuring all military voters can access and cast a ballot in all elections. Earlier this year, Heritage published a report on the insecurity of online voting, warning against its use in all capacities. The report can be found here.

http://www.heritage.org/research/reports/2015/07/the-dangers-of-internet-voting

The Brennan Center Report

The Brennan Center is a leading research and advocacy organization committed to ensuring all citizens can exercise the right to vote. In early 2016, the Brennan Center released the report

“Election Integrity: A pro-voter agenda” which notes that in recent years states have enacted voting rules that make it harder for many citizens to participate in our elections while not addressing fraud risks as they actually exist. The paper outlines a six-part agenda to target true election fraud risks; one of those six recommendation is for states not to adopt online voting until it can be done securely.

https://www.brennancenter.org/publication/election-integrity-pro-voter-agenda#Introduction

Toronto security studies

The city of Toronto commissioned independent studies of the security and accessibility of three major online voting system vendors, Scytl, Everyone Counts and Dominion. The researchers found all three systems to be insecure and not to meet basic accessibility standards.

https://www.verifiedvoting.org/wp-content/uploads/2014/09/Canada-2014-01543-security-report.pdf

https://www.verifiedvoting.org/wp-content/uploads/2014/09/Canada-2014-01543-accessibility-report.pdf

British Columbia Report

The British Columbia legislature commissioned a report to look at the prospect of implementing Internet voting. The report is available here.

https://www.verifiedvoting.org/wp-content/uploads/2014/10/CA-BC-2014-recommendations-final-report.pdf

U.S. Vote Foundation Future of Voting Report End-to-End Verifiable Internet voting – Specification and Feasibility Study

Earlier this year, the U.S. Vote Foundation (formerly Overseas Vote Foundation) published one of the most comprehensive studies on Internet voting. The two-year long project examined the challenges to secure online voting and looked at technology that could provide end-to-end voter-verifiability of the cast ballot, technology that is presently not available but could mitigate some of the security vulnerabilities that are currently unresolved. The report laid the roadmap for the future of Internet, identifying key security protocols necessary for holding credible public elections over the Internet. The report also warned that none of the currently available online voting systems are secure or trustworthy.

https://www.usvotefoundation.org/E2E-VIV

 


Join Verified Voting


Key Facts for

99.5% of votes will be counted by software

67% of American voters will use voter-marked paper ballots to cast their votes. These ballots will be scanned but are available for a hand count in an audit or recount.1

37% of the voters live where paper ballots are the sole voting method and accessible ballot marking devices serve voters with disabilities.

30% live in areas where paper ballots are the standard voting system and electronic voting machines are deployed for accessibility.

25% of the nation’s registered voters will have to use paperless electronic voting machines on Election Day.2

Learn More at The Verifier

Nationwide Voting Equipment by Registered Voters

Equipment Type  Registered Voters Percentage
DREs with no Voter-Verifiable Paper Record  45,367,003 25.09%
DREs with a Voter-Verifiable Paper Record  14,699,685 8.13%
Voter-marked Paper Ballots/Ballot Scanners and DREs with No Paper Record 19,501,550 10.79%
Voter-marked Paper Ballots/Ballot Scanners and DREs with Paper Record  33,572,723 18.57%
Voter-marked Paper Ballots/Ballot Scanners and/or hand count**  67,592,032 37.38%
Punch Card Voting Systems  69,379 0.04%
Total  180,802,372 100%

For More information Vist our Voting Equipment Resource Page

One half of the states will conduct post election audits

Hand-counted audits of machine tallies are essential to verified elections; without audits, paper ballots or paper records add little security value.

Some planned audits will be weak audits, such as in Florida, where the audit will be conducted after the election is certified, and only one item on a large general election ballot will be chosen randomly in each county.

13 states that now have voter-verifiable paper records for all voting systems will not conduct post-election hand audits.

1 State (New Mexico) will conduct risk-limiting audits. California is planning robust risk-limiting audit pilots next year.

Better Late Than Never
Susan Bucher

Susan Bucher

In the March 13, 2012 municipal election in the village of Wellington in PalmBeach County Florida, two losing candidates were declared winners by the Dominion’s winEDS software, which incorrectly swapped totals among candidates. The problem was discovered during a post-election ballot audit, but the correct results were determined only after a court-sanctioned hand count of the paper ballots. But Florida’s audit’s law only allows such an audit after an election has been certified – once it is too late and  after the wrong candidate had been declared the  winner based on incorrect results.

Palm Beach County Supervisor Susan Bucher, one a several local election officials that are critical of Florida’s audit law, observed “[w]hat we’re finding out, is that there are problems with almost every system in the United States. This issue is leaving some supervisors to shake their heads about the machines their constituents are voting on and how paper ballots in just random races will ever be checked.”

Learn More About Post Election Audits

33 States require a voter verified paper record

A voter verified paper record may be a paper ballot, or it may be a printout that the voter can view before she casts her ballot on a DRE voting machine.

40 states have moved toward requiring voter-verified paper records (VVPR), either through legislation or administrative decision. 6 states will not fully implement their VVPR requirements until some time after the 2012 election3

4 states are now mostly or entirely paperless but have enacted laws to end the use of direct-recording electronic voting machines, or fund their replacement: MD, NJ, TN, and VA.4

Tennessee repealed a required transition to paper ballots in 2011, but current law requires the state to provide counties with funds to replace DREs with optical scan equipment and ballot marking devices for voters with disabilities.

Learn More at our Legislation Page

Disappearing Votes in New Mexico

In November 2004 New Mexico led the nation in undervotes, ballots cast with no vote for any of the Presidential candidates. The undervotes were concentrated on two types of machines, the Danaher Shouptronic 1242 and the Sequoia AVC Advantage, both Push Button Direct Recording Electronic machines. Using these machines, some precincts had undervotes rates of nearly 50% and Santa Fe County overall had an undervote rate of almost 10% – on these machines. While there was resistance from the State’s Canvassing Board to a recount, bu 2006 New Mexico had replaced all their DREs and replaced them with a uniform statewide paper ballot system. Shouptronics and Advantages will be counting votes in eight states this November.5

30 States allow some voters to vote by email or fax

In these States, military and overseas voters to return their ballots by fax, e-mail, or through a Web portal, though security concerns are starting to be heard.

States such as MI, OH, and VA prohibit insecure electronic return of voted ballots. These States instead serve their military and overseas citizens by employing common-sense practices such as electronically transmitting blank ballots to voters. Some states also may extend the deadline for accepting ballots from abroad.

Learn More at our Internet Voting Page

Bender and the DC Internet Voting Hack

Bender Bending Rodríguez

The District of Columbia’s pilot project for Internet voting for overseas and military voters has been scaled back to allow only electronic delivery of blank ballots to voters (though voted ballots may be e-mailed or faxed). In October 2010, DC’s pilot Internet voting system for overseas and military voters was hacked in dramatic fashion by University of Michigan researchers who changed votes on submitted ballots, discovered voters’ personal information – and who observed users in Iran and China attempting to break into the system. They also elected Futurama’s Bender Bending Rodríguez to the school board.


Key Facts for

99.5% of votes will be counted by software

72% of American voters will use voter-marked paper ballots to cast their votes in November 2016. These ballots will be scanned but are available for a hand count in an audit or recount.1

50% of the voters live where paper ballots are the sole voting method and accessible ballot marking devices serve voters with disabilities.

22% live in areas where voter-marked paper ballots are the standard voting system and direct recording electronic voting machines are deployed for accessibility.

22% of the nation’s registered voters will have to use direct recording electronic voting machines on Election Day without a voter-verifiable paper audit trail.2

Learn More at The Verifier

Nationwide Voting Equipment by Registered Voters3

Equipment Type  Registered Voters Percentage
DREs with no Voter-Verifiable Paper Record  38,009,923 21.55%
DREs with a Voter-Verifiable Paper Record  9,191,205 5.21%
Voter-marked Paper Ballots/Ballot Scanners and DREs with No Paper Record 15,656,670 8.88%
Voter-marked Paper Ballots/Ballot Scanners and DREs with Paper Record  25,158,515 14.27%
Voter-marked Paper Ballots/Ballot Scanners and/or hand count**  88,340,676 50.09%
Total  176,356,989 100%

For More information Visit our Voting Equipment Resource Page

One half of the states will conduct post election audits

Hand-counted audits of machine tallies are essential to verified elections; without audits, paper ballots or paper records add little security value.

Some planned audits will be weak audits, such as in Florida, where the audit will be conducted after the election is certified, and only one item on a large general election ballot will be chosen randomly in each county.

13 states that now have voter-verifiable paper records for all voting systems will not conduct post-election hand audits.

2 State (California New Mexico) will conduct risk-limiting audits.

Better Late Than Never
Susan Bucher

Susan Bucher

In the March 13, 2012 municipal election in the village of Wellington in PalmBeach County Florida, two losing candidates were declared winners by the Dominion’s winEDS software, which incorrectly swapped totals among candidates. The problem was discovered during a post-election ballot audit, but the correct results were determined only after a court-sanctioned hand count of the paper ballots. But Florida’s audit’s law only allows such an audit after an election has been certified – once it is too late and  after the wrong candidate had been declared the  winner based on incorrect results.

Palm Beach County Supervisor Susan Bucher, one a several local election officials that are critical of Florida’s audit law, observed “[w]hat we’re finding out, is that there are problems with almost every system in the United States. This issue is leaving some supervisors to shake their heads about the machines their constituents are voting on and how paper ballots in just random races will ever be checked.”

Learn More About Post Election Audits

33 States require a voter verified paper record

A voter verified paper record may be a paper ballot, or it may be a printout that the voter can view before she casts her ballot on a DRE voting machine.

40 states have moved toward requiring voter-verified paper records (VVPR), either through legislation or administrative decision. 4 states will not fully implement their VVPR requirements until some time after the 2016 election4

3 states are now mostly or entirely paperless but have enacted laws to end the use of direct-recording electronic voting machines, or fund their replacement: MD, NJ, TN, and VA.5

Tennessee repealed a required transition to paper ballots in 2011, but current law requires the state to provide counties with funds to replace DREs with optical scan equipment and ballot marking devices for voters with disabilities.

Learn More at our Legislation Page

Disappearing Votes in New Mexico

In November 2004 New Mexico led the nation in undervotes, ballots cast with no vote for any of the Presidential candidates. The undervotes were concentrated on two types of machines, the Danaher Shouptronic 1242 and the Sequoia AVC Advantage, both Push Button Direct Recording Electronic machines. Using these machines, some precincts had undervotes rates of nearly 50% and Santa Fe County overall had an undervote rate of almost 10% – on these machines. While there was resistance from the State’s Canvassing Board to a recount, bu 2006 New Mexico had replaced all their DREs and replaced them with a uniform statewide paper ballot system. Shouptronics and Advantages will be counting votes in eight states this November.6

30 States allow some voters to vote by email or fax

2 States (Alaska and Arizona) allow some voters to return voted ballots through a web portal in addition to email and fax.

22 States plus the District of Columbia allow some voters to return voted ballots by fax or email attachment.

7 States allow some voters to return voted ballots by fax.

19 States prohibit insecure electronic return of voted ballots. These States instead serve their military and overseas citizens by employing common-sense practices such as electronically transmitting blank ballots to voters. Some states also may extend the deadline for accepting ballots from abroad.

Learn More at our Internet Voting Page

Bender and the DC Internet Voting Hack

Bender Bending Rodríguez

The District of Columbia’s pilot project for Internet voting for overseas and military voters has been scaled back to allow only electronic delivery of blank ballots to voters (though voted ballots may be e-mailed or faxed). In October 2010, DC’s pilot Internet voting system for overseas and military voters was hacked in dramatic fashion by University of Michigan researchers who changed votes on submitted ballots, discovered voters’ personal information – and who observed users in Iran and China attempting to break into the system. They also elected Futurama’s Bender Bending Rodríguez to the school board.


KNOWiNK Poll Pad

poll-pad-600x400

The KNOWiNK Poll Pad runs on the Apple iPad. The capability of the iPad allows Poll Pad to produce sophisticated real time reporting metrics on voters, poll workers, and results.There is even a function which will wipe sensitive information and format results for media outlets reporting on elections. Moreover, because of the ubiquity of the iPad, there is less of a learning curve or “intimidation factor” that may attend other types of hardware.The Poll Pad boasts an extremely secure operating system in iOS which received the strongest rating from the federal government. The downside is that the iOS requires frequent updating and can run into issues of backwards-compatibility. The Poll Pad was used in Crow Wing County for the 2014 election.1

Fox 2 KTVI St. Louis Story on the Poll Pad:

Poll Pad Training Manual from St. Charles County MO:


Letter to Virginia State Board of Elections

September 8, 2017

To the Virginia Board of Elections:

Verified Voting is a national, non-partisan, not-for-profit organization dedicated to securing democracy in the digital age. We were founded in 2004 by computer scientists as computers became more widely used in the election process. Virginia Verified Voting is a grassroots group of Virginia citizens which has actively worked to encourage the secure application of technology in Virginia elections for over a decade. We write to you today to commend the Department of Elections for its actions and strongly support the recommendation to decertify all Direct Record Electronic (DRE) voting machines in the Commonwealth.

There have countless studies and security reviews over the years which have found the DREs in use in Virginia to have multiple insecurities making them vulnerable to manipulation and tampering.[1][2][3][4][5][6][7] The universally accepted evidence that DREs are insecure and untrustworthy drove the legislature to pass a measure to eliminate them by 2020.

Perhaps the most notable voting system security review is the comprehensive California Secretary of State’s seminal 2007 Voting System Top-to-Bottom Review which found severe security flaws in the Diebold TSx, the Hart InterCivic eSlate, and the Sequoia Edge,[8] all machines that are currently used in Virginia. The findings compelled the California Secretary of State to promptly de-certify those very same machines that Virginia is using today.[9]

California was not alone. Ohio conducted a similar study in 2007, the Evaluation and Validation of Election Related Equipment, Standards and Testing (EVEREST). EVEREST evaluated DREs, ES&S iVotronic, Hart InterCivic and Diebold TSx. The alarming security flaws led Ohio to also discontinue use of paperless DREs and switch to voter-marked paper ballots and optical scan voting machines statewide.[10]

Optical scan voting systems in which a voter records her vote on a paper ballot provide resilience to cyber attack and auditability of the election process that a DRE cannot. The paper ballot provides a permanent, physical record of voter intent that cannot be altered by a cyber attack and this can be used in a post-election audit to confirm the election tally is correct. In 2011 the U.S. Election Assistance Commission directed the National Institute of Standards and Technology (NIST) to provide guidance on how to audit a DRE voting system to confirm the vote tallies are correct or to catch any potential error or tampering.  NIST convened an Auditability Working Group to study the question. The NIST Auditability Working Group found that any system that does not provide a voter-verified paper record of voter intent will be susceptible to undetectable errors in the vote count.[11] Put simply, it is impossible to know for sure that the vote tally from DRE voting machines is correct.

The studies cited above have mostly been conducted over a decade ago, when the cyber threat to elections was more theoretical than actual, however, those days are over. We are in a new paradigm; in the last year the U.S. Intelligence Community has warned us that foreign adversaries have been probing our election infrastructure, looking for weaknesses.[12] In a March hearing before the U.S. House Intelligence Committee, the former director of the FBI testified ominously that “[t]hey’ll be back.”[13] We must face the chilling reality that our foreign adversaries have the will, intention and ability to tamper with our election infrastructure, potentially delegitimizing our elections and destabilizing our government. This a national security issue. We must do everything we can to protect our election infrastructure from cyber terrorism. The Board has the opportunity to act now, to safeguard Virginia’s elections and remove the insecure, untrustworthy DREs in use in the Commonwealth, replacing them with voter-marked paper ballots.

We strenuously support the Department of Election recommendations and urge the Board to immediately de-certify the DREs in use in Virginia.

If you have any questions please don’t hesitate to contact us. We stand ready to assist you in any way. Thank you for your consideration.

Sincerely,

Barbara Simons                         Alex Blakemore
President                                    President
Verified Voting                             Virginia Verified Voting

_______________________________________________________

[1] A. Kiayias, L. Michel, A. Russell, and A. A. Shvartsman. Integrity Vulnerabilities in the Diebold TSX Voting Terminal. UConn Voting Technology Research (VoTeR) Center, July 16, 2007

[2] Press Release. “Secretary of the Commonwealth Decertifies Unilect Patriot Voting System in Pennsylvania,” Pennsylvania Department of State, April 7, 2005

[3] Appel, Andrew, “Report on the Sequoia AVC Advantage,” October 17, 2008, Center for Information Technology and Policy, Princeton University

[4] Hackett, Robert, “Watch This Security Researcher Hack a Voting Machine,” November 4, 2016, Fortune

[5] Butler, Enck, Hursti, McLaughlin, Traynor, McDaniel, “Systemic issues in the Hart InterCivic and Premier Voting Systems,”

[6] Ryan Gardner, Alec Yasinsac, Matt Bishop, Tadayoshi Kohno, Zachary Hartley, John Kerski, David Gainey, Ryan Walega, Evan Hollander, and Michael Gerke. Software Review and Security Analysis of the Diebold Voting Machine Software. Security and Assurance in Information Technology (SAIT) Laboratory, Florida State University, For the Florida Department of State, July 27, 2007

[7] Yasinsac, Alec, et al. “Software Review and Security Analysis of the ES&S Ivotronic 8.0.1.2 Voting Machine Firmware,” Oct. 17, 2008, USENIX

[8] http://www.sos.ca.gov/elections/voting-systems/oversight/top-bottom-review/

[9] Ibid.

[10] https://votingmachines.procon.org/sourcefiles/Everest.pdf

[11] Report of the Auditability Working Group, Jan. 14, 2011, U.S. Election Assistance Commission

[12] Isikoff, Michael, “FBI says foreign hackers penetrated state election systems,” Yahoo News,  Aug. 29, 2016

[13] Washington Post Staff, “Full Transcript: FBI Director James Comey testifies on Russian interference in 2016 election,” March 20, 2017


new verifier

How will my vote be counted?
The Verifier


Newest Maps


NIST Security Recommendations

Voting systems connected to the Internet will be exposed to online attacks.

It is commonly accepted that voting systems should not be connected to the Internet. However, we should first consider what constitutes an Internet connection that could potentially expose vote data to an online attack.

There may be a perception that a vote counting or tabulating system must be continually connected to the Internet to expose it to online actor, or that the system must be connected to the Internet at the time the votes are being tabulated for the attack to be successful. It may be expected that a computer hosting an EMS can be kept offline but networked to the local county network safely. However, if any devices on the local county network are connected to the Internet, this creates an exploitable Internet connection that could compromise the security of the EMS. It may also be expected that a voting system component which does not operate on the Internet – like the EMS – can operate safely offline while the same server hosts other programs and systems which do operate on the Internet. Finally, it is important to note that many computers which host the EMS are laptops which have wireless internet capacity installed which could make them vulnerable to online attacks. All of these situations create an Internet connection which could be exploited to compromise vote data.

If the EMS is exposed the Internet, it can be targeted and infected with malware intended to corrupt vote data. This malware can then be transferred the memory cards configured by the EMS for use in the individual voting machines and optical scanners.

Election officials are encouraged to take the following steps to ensure their voting systems are isolated from the Internet.

  1. Map the network: Except for the simplest networks it makes sense to use a commercial network mapping tool to map all of the routers, links, hosts and other devices on the network. The point is to determine whether any of the devices on the network to be isolated has a path (wired or wireless) to an Internet-facing router. (We should develop simple instructions on mapping a network.)
  2. Physically disconnect from the Internet: If a device or host on the network to be isolated does have a path to an Internet-facing router, then physically disconnect it. Do not rely on software disconnection.
  3. Prefer wired over wireless networking: Wireless networks (WiFi and even Bluetooth) should be avoided on networks that are supposed to be isolated. Although they have nominal communications radii of only 300 and 30 feet respectively, devices with special antennas can listen to and interact with WiFi and Bluetooth over much longer distances, which can allow them to be attacked remotely.

The following steps can then be taken to ensure the data is securely backed up.

  1. Transfer data in and out of the isolated network using only clean media: No device that has ever been connected to the Internet should be connected to the isolated network. This means no personally-owned laptops or mobile devices should be connected. Use write-once media (like a DVD) or other clean media that have never used in a platform connected to the Internet (e.g. a thumb drive never used with any Internet-connected device). If virgin or clean media is not possible, at least use re-initialized media. (We should develop instructions on re-initializing media.)
  2. Revise procedures so that they do not depend on services unavailable on isolated networks: It goes without saying that there can be no email, or web access, or message service, or teleconferencing service, or VPN service, or network time service, on a network isolated from the Internet. But it is important to recognize that even software updates cannot be done by direct downloading from online sources to an isolated network, and neither can file transfers. Updated software and database updates should be physically carried to and from the isolated network on write-once media. A thumb drive is not a good choice because it would have to first be written on an Internet-connected device and then read by a device on the isolated network, which is unsafe.
  3. Voting networks should not be connected to Internet facing systems, online ballot marking systems, etc. If the state received ballots over the Internet, via email, fax or an online ballot transmission system this should be quarantined and isolated from the voting system network.

Voting systems on an intranet may be vulnerable to Stuxnet-style attacks

  1. Do not use USB drives to transfer data to or from voting equipment of any kind. As the Stuxnet attack showed, USB drives can be a vector for transmitting software viruses.
  2. Vote casting equipment (such as DREs) used by the public shall not have ports exposed (including wireless connections) other than those limited to activation for a voter to cast a ballot.
  3. Numbered tamper evident seals shall be affixed to each piece equipment placed in the field, with procedures to verify these seals (by number when appropriate) are intact. When equipment completes its use for the day (e.g., upon closing on Election Day or at the end of each early voting day), new numbered tamper evident seals shall be affixed to the equipment with logging of the number of those seals and a signature of the people affixing the seals. That includes vote casting and tabulation equipment as well as electronic poll books.
  4. Update software only from write-once media, such as CDs and DVDs, that is retained for future inspection. That includes voting system software, and operating system software. Do not update systems in advance by connecting them to the Internet, even if they are disconnected from the Internet during normal operation. Ensure when loading voting system software that it has been obtained from the authorized source and that it has received the appropriate certifications required.
  5. Train personnel in the chain-of-custody requirements as well as the proper inspection and use of the tamper evident seals. Clearly distinguish tamper evident seals that are intended to be removed by poll workers and replaced later from those that should remain during the entire voting process.
  6. Ensure that all equipment has tamper evident seals that prevent any changes to programming or set up information (e.g., ballot definition files).
  7. Give a pre-printed list of all equipment at a polling place along with the numbers of all of the tamper evident seals as part of the materials to the chief election official for that polling place.
  8. Retain the temper evident seals that are removed for opening the polls and retain them to election headquarters at the close of polls on Election Day or other earlier appropriate times
  9. If the voting system requires the re-use of flash media, the media should be re-initialized from a clean device before use. (We should develop instructions for re-initializing media.
  10. Voting machines can get ballot images downloaded from devices that are configured at county headquarters on machines that may be connected to online VRDs and not properly airgapped. If the computer that has configured the memory cards was exposed to an online attack and infected with malware designed to impact votes, it can then spread through the memory cards to the individual machines.

Security procedures for States that receive ballots over the Internet.

One of the most common methods of infecting a computer with malware is to infect an attachment with malware that is transferred when the receiver clicks on the attachment. For states receiving ballots by email or digital fax, their computer system will be highly vulnerable to malware infection. States are urged to take the following precautions.

  1. Voters should be encouraged to vote by postal mail as much as possible. Military overseas voters should be informed of free, expedited postal mail return options. Voters should be warned that ballots returned electronically may be subject to hacking and may not be counted as cast.
  2. For states which allow ballots to be returned by email or digital fax, election officials should quarantine the computer used to accept emailed ballots and ensure it is not connected or networked to the voting system network or the EMS through Ethernet or wireless means.
  3. For states which permit ballots to be returned electronically, scan all incoming email and digital faxes for malware; the mail program should be configured to verify that attachments are of the expected type and fall into the expected size range. [1]*
  4. Ensure ballots returned by email are printed for counting, not electronically transmitted to the EMS for counting
  5. Election offices should transfer ballot files to the online ballot marking system via brand new or securely wiped and reformatted portable media such as a flash drive or disk. Do not connect the ballot marking system to the Election Management System.
  6. For a voter using online ballot marking systems, election officials are encouraged to hand count these ballots, avoiding the need to remake these ballots.
  7. If the 2D barcode is used, implement a process for careful checking of the remade ballot’s printed choices against the original voter-marked choices to ensure all the voter’s selections were captured correctly
  1. If election officials must re-make ballots, do so directly from the voters’ choices marked on the ballot rather than electronically remaking the ballot from a barcode. (If remaking the ballot, the original should be retained and used to audit remade ballots for accuracy, and used in case of recounts.)

How can we leverage audit trails and logs to detect possible errors or fraud?

  1. Maintain a clear chain-of-custody for all paper ballots and electronic media containing individual or aggregated ballots, with record-keeping that documents transfer along the chain-of-custody. Two people should accompany transfers of ballots and media.
  2. Maintain appropriate records to ensure that each batch of ballots is included in the aggregation exactly once.
  3. For early voting and early tabulation, maintain controls to ensure no release of voter selections occurs prior to the close of the polls on Election Day and that the equipment and the cast vote records and tabulations are not tampered.
  4. Report election results incrementally on election night at as low a level of detail (such as by precinct) as feasible from an election reporting system connected to the Internet. Consider using the Election Results Reporting NIST standard. Retain these incremental reports in persistent form. For example, a CD or DVD of the accumulated results can be burned (and retained) each time a CD or DVD is loaded from the internal ballot tabulation or aggregation system.
  5. Help jurisdictions find ways to evaluate quality of audits and surveillance
  6. Encourage precinct-level reporting to enhance transparency
  7. Encourage audits of all paper based systems
  8. Focus attention on voting system audit logs: look for anomalies, report and investigate any ASAP.
  9. Develop recommendations for recounts and procedures.
  10. Election officials should do everything they can to encourage citizen participation in this part of the canvassing process.

How do we protect the security and integrity of online voter registration systems?

  1. Send postal notifications to old and new address when registrations are changed, especially when it is done online.
  2. Provide paper voter-lists in the precincts, as backup to the electronic pollbook system; credentialed party representatives and citizens may be permitted to inspect/audit these in advance. When provisional ballots are used, officials must systematically check the provisional ballot envelopes and tally the field that tells the reason why the voter was not issued a regular ballot.
  3. Deploy mechanisms such as commercially available intrusion detection and antivirus systems to reduce the risk of cyberattacks or insider misuse.
  4. Minimize the use of VRD systems for other purposes, and minimizing the amount of non-VRD-related software installed on it.
  5. Limit the number of access points to the VRD with access to particularly sensitive information such as complete or last-four digits of Social Security numbers.
  6. Obtain independent security review of the VRD system before deployment and periodically thereafter through penetration testing.
  7. Track and logging all changes to VRD data and systems.
  8. Establish access control policies that:
  9. VRDs should use access control mechanisms provided in the database management systems provided; trying to implement access control entirely at the application level leaves greater opportunity for security mechanisms to be bypassed or compromised.
  10. VRDs should create public logs of all changes to the list of authorized users and their access rights, and any changes to either of these should require authorization from two different persons.
  11. Authorized users of the system should receive security training, including how to protect passwords and how to resist social engineering attacks (attempts to deceive someone into performing certain actions), and the importance of never sharing passwords.
  12. Retain older versions of access control policies, along with their dates of applicability, and consider making those available to the public to increase the transparency of the system.

Administrative Privileges and Emergencies

  1. The number of people with administrative privileges for the VRD should be limited; very few users should have the ability to grant access to others.
  2. People with administrative access should not be allowed to grant themselves new access privileges unilaterally; rather, such a change should require the consent of another administrator.
  3. Officials should create rules that allow trusted election officials to increase temporarily the privileges available to others during emergencies in a controlled and fully audited manner.
  4. Emergency overrides should require two-person authorization and generation of detailed audit logs.

Security Metrics

  1. Those responsible for managing VRDs should measure how effectively they have limited VRD users’ privileges by determining how many people have access to how much data and by tracking effectiveness over time using these metrics.

Protecting Against Attack

  1. Secure all communication channels used by the system. Anything transmitted over open communication networks, such as any wireless connection, the Internet, or the phone system, should be protected using end-to-end cryptography.
  2. Use firewalls to severely limit connectivity between internal and external networks.
  3. Deploy detection mechanisms to detect any penetration of system defenses or any insider misuse.
  4. Obtain independent security reviews of the VRD before system deployment and periodically thereafter. Establish a notification policy for notifying individuals if an unauthorized person may have obtained their data.

Dealing with Security Failure

  1. A recovery plan should be in place to insure resilience from security failures; this plan should include steps like retaining historical copies as well as the latest, regular backups with offsite storage, etc.

Internet-based e-pollbook or voter check-in systems have the effect of exposing this critical data to attack, as well as the Internet-connected endpoint that receives voter check-in info, and every one of the devices as well.

placeholder

How do we communicate to the public about security features in place to support voter confidence in the election process?

placeholder

Relevant Resources

Contingency Planning


[1] National Institute of Standards and Technology NISTIR 7711 “Security Best Practices for the Electronic Transmission of Election Materials for UOCAVA Voters,” September 2011 “Incoming SMTP connections from the Internet should be routed through the mail gateway. The mail gateway should scan message content and filter or quarantine suspicious messages prior to delivering them to the internal mail server. If possible, this gateway should be configured to verify that attachments are of the expected type and fall into the expected size range, in addition to checking for malware.”

* Important: scanning may find attachments for executable malware programs, but may be unable to detect malware inside a PDF file, which are much more complex and generally cannot be found by scanning


Prime III

one4all

Prime III, or the Premier Third Generation Voting System, is an open source voting system developed by Dr. Juan Gilbert of the Human-Centered Computer Lab at the University of Florida. After trials in Oregon, Wisconsin and Florida, it was used statewide in 2016 in New Hampshire, the first state to certify use of the machine. New Hampshire’s configuration of Prime III is called one4all. The one4all system is composed entirely of commercial off-the-shelf software and a free open source software system. The one4all system consists of a Dell Venue 11 Pro 7000 series tablet with an integrated docking station,  an EZ Eyes Model HPO-J1305 large print keyboard, a Jabra headset with microphone and a Brother HL-L2320D laser printer.

After piloting Prime III in selected wards in the 2014 primary election, the New Hampshire Department of State modified the software to accommodate the requirements of the state’s election code and debuted the system in the Presidential primary on February 9, 2016. Prime III can also be used through Gilbert’s other voting systems: Balloting and Televoting. The Balloting system enables voters to fill out their ballots online or through their phone. Once the ballot is completed, the voter will get a QR code that can be scanned at a Prime III-enabled voting machine to speed up the voting process.Televoting allows military and overseas voters to fill out their ballots through Prime III online and have it printed back at their home precinct.1

 A Voting Demo of the one4all system:

 

 


Projects


Computer Technologists' Statement on Internet Voting

Because of the increasing frequency of proposals to allow remote voting over the internet, we believe it is necessary to warn policymakers and the public that secure internet voting is a very hard technical problem, and that we should proceed with internet voting schemes only after thorough consideration of the technical and non-technical issues in doing so. Please read our statement, and, if you are a “computer expert”, consider endorsing it.

Download the statement in PDF form

Computer Technologists’ Statement on Internet Voting

Election results must be verifiably accurate — that is, auditable with a permanent, voter-verified record that is independent of hardware or software. Several serious, potentially insurmountable, technical challenges must be met if elections conducted by transmitting votes over the internet are to be verifiable. There are also many less technical questions about internet voting, including whether voters have equal access to internet technology and whether ballot secrecy can be adequately preserved.

Internet voting should only be adopted after these technical challenges have been overcome, and after extensive and fully informed public discussion of the technical and non-technical issues has established that the people of the U.S. are comfortable embracing this radically new form of voting.

A partial list of technical challenges includes:

• The voting system as a whole must be verifiably accurate in spite of the fact that client systems can never be guaranteed to be free of malicious logic. Malicious software, firmware, or hardware could change, fabricate, or delete votes, deceive the user in myriad ways including modifying the ballot presentation, leak information about votes to enable voter coercion, prevent or discourage voting, or perform online electioneering. Existing methods to “lock-down” systems have often been flawed; even if perfect, there is no guaranteed method for preventing or detecting attacks by insiders such as the designers of the system.

• There must be a satisfactory way to prevent large-scale or selective disruption of vote transmission over the internet. Threats include “denial of service” attacks from networks of compromised computers (called “botnets”), causing messages to be mis-routed, and many other kinds of attacks, some of which are still being discovered. Such attacks could disrupt an entire election or selectively disenfranchise a segment of the voting population.

• There must be strong mechanisms to prevent undetected changes to votes, not only by outsiders but also by insiders such as equipment manufacturers, technicians, system administrators, and election officials who have legitimate access to election software and/or data.

• There must be reliable, unforgeable, unchangeable voter-verified records of votes that are at least as effective for auditing as paper ballots, without compromising ballot secrecy. Achieving such auditability with a secret ballot transmitted over the internet but without paper is an unsolved problem.

• The entire system must be reliable and verifiable even though internet-based attacks can be mounted by anyone, anywhere in the world. Potential attackers could include individual hackers, political parties, international criminal organizations, hostile foreign governments, or even terrorists. The current internet architecture makes such attacks difficult or impossible to trace back to their sources.

Given this list of problems, there is ample reason to be skeptical of internet voting proposals. Therefore, the principles of operation of any internet voting scheme should be publicly disclosed in sufficient detail so that anyone with the necessary qualifications and skills can verify that election results from that system can reasonably be trusted. Before these conditions are met, “pilot studies” of internet voting in government elections should be avoided, because the apparent “success” of such a study absolutely cannot show the absence of problems that, by their nature, may go undetected. Furthermore, potential attackers may choose only to attack full-scale elections, not pilot projects.

The internet has the potential to transform democracy in many ways, but permitting it to be used for public elections without assurance that the results are verifiably accurate is an extraordinary and unnecessary risk to democracy.

Questions and Answers on the Computer Technologists’ Statement on Internet Voting

We hope these questions and answers clarify the intention of the statement.

Q: Who is behind this statement?

A: The primary author is David Dill, Professor of Computer Science at Stanford, with extensive input and editing from a number of others. This is also the position of VerifiedVoting.org on internet voting, and VerifiedVoting.org will help to publicize it.

Q: Why this statement at this time?

A: Serious proposals to use internet voting keep coming up. There have been several internet primaries in the last few years, including a primary conducted by Democrats Abroad in 2008. Furthermore, internet voting schemes are being promoted for the general election in 2008, including a proposal by Okaloosa County, Florida, and the State of Alabama.

In many cases, these schemes have been deployed without due consideration of the technical challenges, based on unsupported assertions by vendors that the systems are “secure”. Independent experts need to speak out.

Q: Is this an anti-internet voting statement?

A: No. Some of the people who have endorsed it are working on internet voting methods. The statement is intended to be a warning: internet voting is not as easy to do safely as some people seem to think. Before we move to it, we need an informed public debate so the people know what they’re getting into.

Q: The statement asks that the “principles of operation” of the system need to be disclosed. What does that mean? Does it require open source?

A: We’re going by analogy with low-tech voting systems. For example, to understand why a fully manual paper ballot voting system can be trusted, people have to know how the ballots are handled, how polling places are run, etc. For example, if there are multiple poll workers present in each polling place at all times, it’s harder for someone to “stuff” the ballot box. If hand counts are conducted in public view, it’s less likely that the counts are erroneous.

We don’t need to know everything about a system to know whether it is trustworthy. For example, most people would not feel that they need to know how computerized typesetting works before they marked a paper ballot. In fact, if you have to know a lot of complex details to understand whether a system can be trusted, that system probably can’t be trusted.

The statement asks that the things we need to know to trust a proposed internet voting scheme be revealed. This is a problem because many schemes are being proposed where the details of operation are secret.

Some of us think “open source”, or, more precisely, public disclosure of source code is a good idea. However, source code disclosure is neither necessary nor sufficient for trustworthy voting. Even when source code has been carefully inspected, it is very easy to overlook program bugs or malicious behavior in the system. It is also very difficult to make sure that the program running on a particular voting system matches the source code that was reviewed (vs. “acting the same” for certain test cases). Finally, errors and malicious changes can exist in parts of the system that are not in the source code, including low-level firmware and the hardware itself.

In a nutshell, if the security of a system depends on source code review, the system is not secure.

Q: Are you implying vendors or election officials are dishonest?

A: No, not any more than wanting bank statements implies that my bank is dishonest. Almost all trust in modern society is based on checks and balances (e.g., auditing requirements). Without the accountability that follows from checks and balances, systems become inaccurate and often dishonest. Classical election procedures are based on checks and balances, with the knowledge that elections are important and that unscrupulous people may seek to commit fraud. The same principles need to be maintained in new election systems.

Q: As someone without a strong technical background, why should I have to rely on a bunch of computer scientists to tell me whether I can trust my elections?

A: Maybe you shouldn’t (however, the statement at least insists that there should be enough disclosure so that a technical person you trust can review the scheme and tell you what he or she thinks about it). If you have non-technical concerns about internet voting, this would be a good time to speak up. As the statement notes, we are NOT saying that the decision whether to use internet voting is a purely technical decision — just that it needs to be a technically INFORMED decision. The technical challenges of internet voting are currently being minimized, often by people who simply don’t understand them.

We’re calling for an in-depth, public debate on the technical and NON-TECHNICAL issues in internet voting before adopting it. It’s very possible that a technically sound internet voting scheme could be rejected for non-technical reasons, including other issues such as whether internet voting might disenfranchise legal voters who cannot easily access the internet.

Q: Isn’t this statement at odds with the position of some of the people involved that only “voter verified paper ballots” should be used in elections?

A: The statement is a floor, not a ceiling. Endorsing it is definitely NOT an endorsement of internet voting or voting that uses electronic ballots. It says that internet voting should NOT be deployed unless certain minimum conditions — with which we believe most technologists would agree — are met. It does not imply the internet voting or electronic ballots can be used safely, or ever should be used.

Q: Why doesn’t the statement demand (my favorite requirement)?

A: The statement is focused on the technical problems of internet voting, and sets out minimal conditions that represent a consensus of those endorsing it. The decision about whether or not internet voting should be used depends on many issues, including whether it has (your favorite requirement).

The main goal of the statement is to prevent deployment of internet voting without due consideration of the risks. It also calls for the ability of the general public to participate in the decision of whether or not to use internet voting — including you, should you choose to argue for (your favorite requirement).

Endorsements

The computer technology experts below endorse this statement. Affiliations are for identification only, and
do not imply that employers have a position on the statement.

Alex Aiken
Professor of Computer Science, Stanford University
http://cs.stanford.edu/~aiken

Andrew W. Appel
Professor of Computer Science, Princeton University
http://www.cs.princeton.edu/~appel/

Ben Bederson
Associate Professor, Computer Science Department, University of Maryland
http://www.cs.umd.edu/~bederson

L. Jean Camp
Associate Professor, School of Informatics, Indiana University
http://www.ljean.com/

David L. Dill
Professor of Computer Science, Stanford University and Founder of VerifiedVoting.org
http://verify.stanford.edu/dill

Jeremy Epstein
Software AG and Co-Founder, Verifiable Voting Coalition of Virginia
http://www.visualcv.com/jepstein

David J. Farber
Distinguished Career Professor of Computer Science and Public Policy Carnegie Mellon University
http://www.epp.cmu.edu/httpdocs/people/bios/farber.html

Edward W. Felten
Professor of Computer Science and Public Affairs, Princeton University
http://www.cs.princeton.edu/~felten

Michael J. Fischer
Professor of Computer Science, Yale University, and President, TrueVoteCT.org
http://www.cs.yale.edu/people/fischer.html

Don Gotterbarn
Director, Software Engineering Ethics Research Institute, Computer and Information Sciences, East Tennessee State University
http://csciwww.etsu.edu/gotterbarn

J. Alex Halderman
Assistant Professor, Computer Science and Engineering, University of Michigan

Joseph Lorenzo Hall
UC Berkeley School of Information
http://josephhall.org/

Harry Hochheiser
Assistant Professor, Computer and Information Sciences, Towson University
http://triton.towson.edu/~hhochhei

Jim Horning
Chief Scientist, SPARTA, Inc., Information Systems Security Operation
http://www.horning.net/pro-home.html

David Jefferson
Lawrence Livermore National Laboratory
http://people.llnl.gov/jefferson6

Bo Lipari
Retired Software Engineer, Executive Director New Yorkers for Verified Voting
http://www.nyvv.org/bolipari.shtml

Douglas W. Jones
Professor of Computer Science, University of Iowa
http://www.cs.uiowa.edu/~jones/vita.html

Robert Kibrick
Director of Scientific Computing, University of California Observatories / Lick Observatory
http://www.ucolick.org/~kibrick

Joe Kiniry
Principal Investigator, Galois
https://galois.com/team/joe-kiniry/
Principled CEO and Chief Scientist, Free & Fair
http://freeandfair.us/

Scott Klemmer
Assistant Professor of Computer Science, Stanford University
http://hci.stanford.edu/srk/bio.html

Vincent J. Lipsio
http://www.lipsio.com/~vince/resume.pdf

Peter Neumann
Principal Scientist, SRI International
http://www.csl.sri.com/users/neumann

Ronald L. Rivest
Professor of Electrical Engineering and Computer Science, MIT (Department of Electrical Engineering and Computer Science)
http://people.csail.mit.edu/rivest/

Eric S. Roberts
Professor of Computer Science, Stanford University
http://cs.stanford.edu/~eroberts/bio.html

Avi Rubin
Professor, Computer Science, Johns Hopkins University
http://avi-rubin.blogspot.com/

Bruce Schneier
Chief Security Technology Officer, BT Global Services
http://www.schneier.com/

Yoav Shoham
Professor of Computer Science, Stanford University
http://cs.stanford.edu/~shoham

Barbara Simons
IBM Research (retired)
http://www.verifiedvoting.org/article.php?id=2074

Eugene H. Spafford
Professor and Executive Director of CERIAS, Purdue University
http://spaf.cerias.purdue.edu/narrate.html

Poorvi L. Vora
Associate Professor of Computer Science at The George Washington University

Michael Walfish
Assistant Professor of Computer Science, University of Texas, Austin
http://nms.csail.mit.edu/~mwalfish

Dan S. Wallach
Associate Professor, Department of Computer Science, Rice University
http://www.cs.rice.edu/~dwallach/

Luther Weeks
Retired Software Engineer and Computer Scientist
http://www.ctvoterscount.org/?page_id=2

Michael W. Whalen
Director, University of Minnesota Software Engineering Center
http://www.cs.umn.edu/~whalen

Jennifer Widom
Professor of Computer Science, Stanford University
http://infolab.stanford.edu/~widom/

David S. Wise
Computer Science Dept., Indiana University
http://www.cs.indiana.edu/~dswise/

We want to gather endorsements for this statement from individuals with the technical background to speak with authority on this subject. If you are a such an individual and wish to endorse this statement, please send email to “info (at) verifiedvoting.org” including your name, your position (or title or affiliation), and (optionally) a URL of a brief bio or other material that someone can use to find out who you are. e.g., David L. Dill Professor of Computer Science, Stanford University http://verify.stanford.edu/dill.



Counting Votes 2012: A State by State Look at Election Preparedness

In July, 2012, the Verified Voting Foundation, together with Common Cause and the Rutgers School of Law released a report that surveyed election preparedness for the 2012 General Election.

Summary of Our Joint Report

On Election Day, Nov. 6, the stakes will be high. A number of critical races will be very close, and some might be decided by very few votes. At the same time, it is highly likely that voting systems will fail in multiple places across the country.1 In fact, in every national election in the past decade, computerized voting systems have failed – machines haven’t started, machines have failed in the middle of voting,2 memory cards couldn’t be read be read,3 votes were mis-tallied4 or lost.5

Our elections are so complex, with so many different jurisdictions and varying technologies, that problems are inevitable. And, as the technology used for elections has become more complicated, the opportunity for error has substantially increased. 

Download the Full Report (PDF)

Download the Executive Summary as a PDF

Areas of Evaluation

This report reviews how prepared each state is to ensure that every eligible voter can vote, and that every vote is counted as cast. Because we cannot predict where machines will fail during the upcoming national election, every state should be as prepared as possible for system failures. We surveyed states’ voting equipment and ranked the states according to their preparedness. The rankings are based on how states compare to a set of best practices already being used in some places. The report ranks states from worst to best (inadequate, needs improvement, generally good, good and excellent) in these five areas of evaluation:

  1. Does the state require paper ballots or records of every state? When computer failures or human errors cause machines to miscount, election officials can use the original ballots to determine correct totals. Additionally, paper ballots or records can be used to audit machine counts to determine if outcomes are correct.
  2. Does the state have adequate contingency plans at each polling place in the event of machine failure? Machine repair should occur quickly and emergency paper ballots should be made available if any machine fails and to alleviate long lines.
  3. Does the state protect military and overseas voters by ensuring that marked ballots are not cast online? Voting system experts at the National Institute of Standards and Technology and cyber security experts at the Department of Homeland Security warn that even state-of-the-art online voting technology lacks adequate security and privacy protections. Ballots cast over the Internet can be subject to alteration and voters may lose the right to a secret ballot.
  4. Has the state instituted a post-election audit that can determine whether the electronically reported outcomes are correct? Simply voting on paper ballot systems does not increase the accuracy and integrity of election results; the ballots or records must be used to independently audit the vote count. Mandatory comparison of a random sample of the paper ballots to electronic totals is one of the best ways to ensure that the reported outcomes are correct. A well designed audit should use statistical sampling methods tied to the margin of victory and should be able to correct the outcome if it is wrong.
  5. Does the state use robust ballot reconciliation and tabulation practices? These basic procedures, including reconciling the number of votes cast to the number of voters who signed in and reconciling precinct totals with county-level totals, help ensure that no ballots are lost or added as the votes are tallied and aggregated from the local up to the state level.

The five measures listed above protect against machine failures that can change election outcomes and disenfranchise voters.

Examples of Past Machine Failures

Listed below are examples of past machine failures and how they impacted various elections:

Similar vote-counting errors may go undetected during the 2012 elections unless the mistake is so large and obvious – like the software malfunction in South Dakota – that it can’t be ignored, or the state has adopted procedures – like the post-election audit done in Florida – as recommended in this report.

Findings

The report assessed each state based on how its laws and procedures matched up to best practices in the categories identified above. These metrics were developed in consultation with leading election officials and security experts — in each of these areas. We rated each state on a five-tier scale, from inadequate through excellent. We determined that five states – Minnesota, New Hampshire, Ohio, Vermont and Wisconsin – are the best prepared to catch voting system problems and to protect voters from disenfranchisement due to equipment failures. On the other hand, Colorado, Delaware, Kansas, Louisiana, Mississippi and South Carolina are the least-prepared states. The rest of the states were missing one, two or three key procedures or systems that would adequately protect voters.

Detailed Breakdown of Findings

A more detailed breakdown of findings in the five categories we assessed:

  1. Sixteen states use paperless machines in some or all counties, prompting an “inadequate” grade. In other words, these machines produce no independent record of the vote cast, which is necessary for recounts or audits. These states are: Arkansas, Colorado, Delaware, Georgia, Indiana, Kansas, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, Pennsylvania, South Carolina, Tennessee, Texas and Virginia. The other 35 states use voting systems which either require the use of a paper ballot or produce a paper record.
  2. On contingency preparation for possible equipment failures, three states – California,Indiana and Ohio – ranked “excellent” because they required most or all of the best practices requiring machine repair and replacement and provision of emergency ballots. None were ranked “inadequate” and seven states – Colorado, Delaware, Louisiana, Mississippi, Nevada, Utah and West Virginia – were ranked “needs improvement.” The rest of the 41 states ranked “good” or “generally good,” or were not ranked because paper ballots are the standard polling place system.
  3. Nineteen states protect voters by prohibiting electronic return of marked ballots over the Internet and instead require the voter’s original paper ballot to be returned: Alabama, Arkansas, Connecticut, Georgia, Illinois, Kentucky, Maryland, Michigan, Minnesota, New Hampshire, New York, Ohio, Pennsylvania, South Dakota, Tennessee, Vermont, Virginia, Wisconsin, and Wyoming. These states were ranked “excellent.” One state, New Jersey, permits electronic return of votes for military and overseas voters, but requires the physical ballot to be returned as well. New Jersey was ranked “generally good.” Twenty-five states permit electronic return of votes for military and overseas voters without restrictions, subjecting the ballots to the risk of corruption: Alaska, Arizona, California, Delaware, District of Columbia, Florida, Indiana, Kansas, Louisiana, Maine, Massachusetts, Mississippi, Montana, Nebraska, Nevada, New Mexico, North Carolina, North Dakota, Oklahoma, Oregon, Rhode Island, South Carolina, Utah, Washington and West Virginia. These states were rated “inadequate.” Six states allow electronic return but seek to contain the risk by making electronic return of voted ballots available only to a restricted group of voters (e.g., military voters in combat zones): Colorado, Hawaii, Idaho, Iowa, Missouri and Texas. These states were ranked “needs improvement.”
  4. Twenty-two states have paper-based voting systems and conduct audits. These states received a “good,” a “needs improvement,” and in one case, an “excellent” ranking, depending on the quality of their audits: Alaska, Arizona, California, Connecticut, District of Columbia, Florida, Hawaii, Illinois, Minnesota, Missouri, Montana, Nevada, New Mexico (which received the “excellent” ranking), New York, North Carolina, Ohio, Oregon, Utah, Vermont, Washington, West Virginia and Wisconsin. Four states require audits but do not use paper-based voting systems statewide and so a portion of their ballots go unaudited. These states – Colorado, Kentucky, Pennsylvania and Texas – received a “needs improvement” rating. And 25 states conduct no audits at all and received an “inadequate” rating: Alabama, Arkansas, Delaware, Georgia, Idaho, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Nebraska, New Hampshire, New Jersey, North Dakota, Oklahoma, Rhode Island, South Carolina, South Dakota, Tennessee, Virginia and Wyoming.
  5. Four states – Iowa, New Hampshire, North Dakota and Vermont – require most or all of the ballot accounting and reconciliation best practices, and were ranked “excellent.” Another 18 received a “good” ranking: Alaska, Arkansas, California, Florida, Hawaii, Idaho, Indiana, Kansas, Kentucky, Maine, Massachusetts, Minnesota, Montana, Nevada, North Carolina, Oregon, Washington and Wyoming. Three states received a “needs improvement” rating – New Jersey, South Dakota and Utah. The remaining 26 states ranked as “generally good,” and none were ranked “inadequate.”
Recommendations

Although it takes effort and resources to do so, our best practices have already been implemented in a number of states, with overwhelmingly positive results. We recommend that every state adopt the best practices in this report in order to safeguard our democracy.

We hope that this report serves as a resource guide to election officials, policy makers and concerned citizens alike. Election officials can see and discuss what their peers across the nation are doing to make elections secure and reliable. Similarly, citizens can work with election officials to implement the best practices discussed in the report. Citizens can also use the report to identify and help solve problems that might arise on Election Day.

Download the Full Report (PDF)

About the Authors

Pamela Smith is President of VerifiedVoting.org and the Verified Voting Foundation, nonprofit affiliates working to safeguard elections in the digital age. She provides information and public testimony on verified voting issues at federal and state levels throughout the U.S., including to the U.S. House of Representatives Committee on House Administration. She oversees an extensive information resource on election equipment and the regulations governing its use at the federal level and across the 50 states. Ms. Smith is co-editor of the Principles and Best Practices in Post Election Audits and the author of an introductory chapter on audits for Confirming Elections: Creating Confidence and Integrity through Election Auditing. She has been a small business and marketing consultant and nonprofit executive for a Hispanic educational organization working on first language literacy and adult learning.

Michelle Mulder is a Visiting Scholar and Fellow with the Rutgers School of Law – Newark Constitutional Litigation Clinic, and a Consultant to the Verified Voting Foundation. Prior to that, she served as Counsel to U.S. Representative Rush Holt, responsible for election reform and other policy matters, and in particular, for legislation that would require all voting systems to use voter-marked paper ballots and require all jurisdictions to conduct routine random audits of electronic vote tallies. Prior to her work in Congress, she was in private practice as a corporate transactional attorney in the New York office of a major international law firm. Ms. Mulder is a graduate of Georgetown University Law Center.

Susannah Goodman directs Common Cause’s national Voting Integrity Campaign. She works with national staff and Common Cause state offices to press for reforms that repair and strengthen our voting system at both the state and federal level. She has testified before Congressional committees, appeared on national news elevision programs, and has coauthored a number of reports on elections and voting including Malfunction and Malfeasance: A Report on the Electronic Voting Machine Debacle, Voting at Risk 2008, Is America Ready to Vote? State Preparations for Voting Machine Problems in 2008, and Voting in 2010: Ten Swing States. Ms. Goodman joined Common Cause in 2004 after more than 15 years of advocacy and organizing experience. She is a graduate of Wesleyan University.

Acknowledgements

This report would not have been possible without the contributions of many dedicated partners and researchers and other supporters. The authors would like first to thank Larry Norden and the Brennan Center for Justice at New York University Law School, for their contributions to the 2008 version of this report, Is America Ready to Vote: State Preparations for Voting Machine Problems in 2008, which they coauthored. In particular, the authors commend Mr. Norden and the Brennan Center for their thorough research, detailed analysis and development of the Ballot Accounting and Reconciliation section of the report (set forth in Section V of this report). The 2008 report was the foundation for the 2012 update of the report, and provided the authors with an in depth and comprehensive starting point for this report.

In addition, this report would not have been possible without the partnership of the Rutgers Law School Newark Constitutional Litigation Clinic, which contributed both facilities and  students to assist in the statutory and regulatory research necessary to update the report to reflect the law as it exists today and changes that occurred between 2008 and 2012. The authors would like to thank in particular Penny Venetis, Clinical Professor of Law and Co-Director of the Constitutional Litigation Clinic, Frank Askin, Distinguished Professor of Law, Robert E. Knowlton Scholar, and Director of the Constitutional Litigation Clinic, and the Clinic staff for their support and assistance. The authors would also like to thank the Clinic’s law students who conducted a 50 state survey of statutes and regulations governing voting procedures, Michael Bittoni, Kevin Fitzpatrick, Mark Heinzelmann, Lee Lowenthal, and Jordana Mondrow, for their tireless and meticulous efforts. In addition, the authors would like to thank Clinic students Alexandra Hayes, Anastasia Milazzo and Valerie Werse for their research into recent incidences of voting machine failures in the 50 states, which illustrate how the election preparedness issues discussed in the report impact actual elections. We also thank other volunteers including Barbara Simons, Susan Greenhalgh and others for their assistance in reviewing the report.

This report also would not have been complete without review and input from election officials from across the country, whom the authors thank very much for their time and their thorough and considered commentary on the report. That commentary was obtained over the course of several months through the equally tireless and diligent efforts of Verified Voting staffers Neal Lewis and Anne Grasser, and Common Cause staffer John Amman, whom the authors also thank very much.

The authors would like to thank the following individuals for their invaluable assistance in conducting a final confirmation of the voluminous endnotes in the report as it was being finalized for publication, and the organizations that donated their services: Paralegals Larry Gallwas, Lisa Magee and Marlon Munoz of Fenwick & West, LLP; Interns Whitney Merrill and Max Mishkin of the Electronic Frontier Foundation, and law student Peter Klym, an Intern with Common Cause.

The authors gratefully acknowledge the support of the Threshold Foundation of our work on securing elections. The authors gratefully acknowledge the generous financial support of the John Merck Fund, without which this report would not have been possible.

Finally, the authors gratefully acknowledge the support of the John D. and Catherine T.  MacArthur Foundation. The MacArthur Foundation supports creative people and effective institutions committed to building a more just, verdant and peaceful world. In addition to selecting the MacArthur Fellows, the Foundation works to defend human rights, advance global conservation and security, make cities better places, and understand how technology is affecting children and society. More information is at www.macfound.org.


Resolution on Electronic Voting

In early 2003, Santa Clara County, California, home of Silicon Valley and Stanford University, was preparing to spend $20 million on new Sequoia Voting Systems AVC Edge touch-screen voting machines. To the surprise of many, David Dill, a computer scientist at Stanford, along with several others, testified against DRE machines at a January meeting of the County Supervisors. Dill, who would go on to found the Verified Voting Foundation, began circulating the Resolution on Electronic Voting, a petition now signed by thousands of computer science professionals, attorneys, politicians, voting rights experts, and citizens. The cornerstone of this campaign was a demand that all direct-recording electronic voting machines be equipped with a voter-verified paper trail.

The resolution reads:

As a result of problems with elections in recent years, funding is being made available at all levels of government to upgrade election equipment. Unfortunately, some of the equipment being purchased, while superficially attractive to both voters and election officials, poses unacceptable risks to election integrity – risks of which election officials and the general public are largely unaware. We are in favor of the use of technology to solve difficult problems, but we know that technology must be used appropriately, with due attention to associated risks. For those who need to upgrade, there are safe, cost-effective alternatives available right now, and the potential for vastly better ones in the future. For these reasons, we endorse the following resolution:

“Computerized voting equipment is inherently subject to programming error, equipment malfunction, and malicious tampering. It is therefore crucial that voting equipment provide a voter-verifiable audit trail, by which we mean a permanent record of each vote that can be checked for accuracy by the voter before the vote is submitted, and is difficult or impossible to alter after it has been checked. Many of the electronic voting machines being purchased do not satisfy this requirement. Voting machines should not be purchased or used unless they provide a voter-verifiable audit trail; when such machines are already in use, they should be replaced or modified to provide a voter-verifiable audit trail. Providing a voter-verifiable audit trail should be one of the essential requirements for certification of new voting systems.”

Endorse the Resolution on Electronic Voting

The Problem

In response to the need to upgrade outdated election systems, many states and communities are considering acquiring “Direct Recording Electronic” (DRE) voting machines (such as “touch-screen voting machines” mentioned frequently in the press). Some have already acquired them. Unfortunately, there is insufficient awareness that these machines pose an unacceptable risk that errors or deliberate election-rigging will go undetected, since they do not provide a way for the voters to verify independently that the machine correctly records and counts the votes they have cast. Moreover, if problems are detected after an election, there is no way to determine the correct outcome of the election short of a re-vote. Deployment of new voting machines that do not provide a voter-verifiable audit trail should be halted, and existing machines should be replaced or modified to produce ballots that can be checked independently by the voter before being submitted, and cannot be altered after submission. These ballots would count as the actual votes, taking precedence over any electronic counts.

Election integrity cannot be assured without openness and transparency. But an election without voter-verifiable ballots cannot be open and transparent: The voter cannot know that the vote eventually reported is the same as the vote cast, nor can candidates or others gain confidence in the accuracy of the election by observing the voting and vote counting processes.

All computer systems are subject to subtle errors. Moreover, computer systems can be deliberately corrupted at any stage of their design, manufacture, and use. The methods used to do this can be extremely difficult to foresee and detect. Current standards and procedures for certifying electronic election equipment do not require unambiguously that equipment provide a voter-verifiable audit trail. Without a voter-verifiable audit trail, it is not practical to provide reasonable assurance of the integrity of these voting systems by any combination of design review, inspection, testing, logical analysis, or control of the system development process. For example, a programmer working for the machine vendor could modify the machine software to mis-record a few votes for party A as votes for party B, and this change could be triggered only during the actual election, not during testing. Many computer scientists could list dozens of other plausible ways to compromise computerized voting machines.

Most importantly, there is no reliable way to detect errors in recording votes or deliberate election rigging with these machines. Hence, the results of any election conducted using these machines are open to question.

Available alternatives to DRE machines

When a reasonably reliable, accurate, and secure voting technology is already in use, such as optical scan ballots, acquisition of DRE machines would be a major step backwards. However, many areas urgently need to upgrade their equipment before the 2004 elections. In these cases there are several acceptable options available now.

At this time, the only tried-and-true technology for providing a voter-verified audit trail is a paper ballot, where the votes recorded can be easily read and checked by the voter. With appropriate election administration policies (for example, ensuring the physical security of ballots), voters can be reasonably confident of the integrity of election results. Two specific alternatives that are available now are:

Of course, use of appropriate equipment is not sufficient to guarantee election integrity. Elections must be administered to minimize the possibility of error and fraud, and maximize the likelihood of detecting them if they occur. In particular, even with an audit trail, audits must actually be conducted. If electronic counts are used from machines that also print ballots, or if paper ballots are counted electronically, manual recounts must be conducted with enough frequency to make the detection of error or fraud likely.

Future Alternatives

There is certainly room for improvement in voting technology. Elections pose several unique technological challenges, especially simultaneously achieving auditability while preserving ballot secrecy. Voting technology is an active research area that has already produced several proposals that promise to be much better than any system currently in use. For example, there are proposals that may be able to eliminate the possibility of “ballot box stuffing.” Unfortunately, if available funds are spent on fatally-flawed “high-tech” voting equipment, it will be a long time before there is more funding to adopt truly superior voting technology.

Conclusion

The conduct of elections has been taken for granted for too long. Election reform is now receiving much-needed attention, but we must guard against changes that inadvertently create even worse problems. Unauditable voting equipment will erode confidence in our elections, causing further disillusionment of the voting public.

Click here if you would like to endorse this statement.

If you have any questions or comments please send us an email.


Endorse the Verified Voting Resolution

Please type your name (and other information) as “John A Doe” instead of “jane a smith” or “ROBERT E LEE”.Thank you!
* First Name: MI:
* Last Name: Suffix:
* Email address:
Address:
City:
State: * Postal Code:

Country:
Resolution Endorsement: I endorse VerifiedVoting.org’s Resolution on Electronic Voting . Please include my name on the “Endorsers List” which appears publicly on this site.
To what category would you regard yourself?
If the above endorsement box is checked, the following entries will appear on our website. Please capitalize correctly, etc.
Homepage or bio url:
Position or Title: E.g., Assistant Professor
Affiliation:
(Company, organization, or institution, e.g., Stanford University) official organizational endorsement identification purposes only
Number of Members in Your Group :
Group Origin Date:
Updates: Please send me email updates

 


Resources


Internet Voting

Proposals to conduct voting pilots using real elections continue to reappear both in the U.S. and elsewhere, seemingly independent of warnings from computer security experts. While the appeal of Internet voting is obvious, the risks, unfortunately, are not, at least to many decision makers. Yet voted ballots sent via Internet simply cannot be made secure and make easy and inviting targets for attackers ranging from lone hackers to foreign governments seeking to undermine US elections.

Further Reading

US Vote Foundation: The Future of Voting: End-to-End Verifiable Internet Voting (2015)

Utah iVote Internet Voting Report (2015)

Online Voting: Rewards and Risks (Intel Security, 2014)

Developing a Framework to Improve Critical Infrastructure Cybersecurity (Verified Voting Public Commentary, 2013)

ACM: Internet Voting in the United States (2012)

If I Can Shop and Bank Online, Why Can’t I Vote Online?

What About Email and Fax?

Report on Internet Voting in Estonia (2011)

ACM Brief: Internet Voting and Uniformed and Overseas Citizens absentee Voters

Despite that, as states provide electronic delivery of blank ballots, some are using the Internet for return of voted ballots via email attachments, by digital fax or through a web portal. Vendors of online election software, with a vested interest in selling their products, of course downplay the inherent risks and promise the oxymoronic “Internet security.” But experts in computer security maintain that nothing sent over the Internet is secure. Voter’s personal computers, from which emails are sent, are easily and constantly attacked by viruses, worms, Trojan Horses and spyware.

And the election official on the receiving end has no way to know if the voted ballot she received matches the one the voter originally sent, no matter how well secured their county computer services may be, and no matter how much has been spent licensing software and upgrading their systems.

There is no way to guarantee that the security, privacy, and transparency requirements for elections can all be met with any practical technology in the foreseeable future. Anyone from a disaffected misfit individual to a national intelligence agency can remotely attack an online election, modifying or filtering ballots in ways that are undetectable and uncorrectable, or just disrupting the election and creating havoc. There are a host of such attacks that can be used singly or in combination. In the cyber security world today almost all of the advantages are with attackers, and any of these attacks can result in the wrong persons being elected, or initiatives wrongly passed or rejected. Continue Reading

Computer Technologists Statement on Internet Voting

In 2008, Verified Voting founder David Dill organized the Computer Technologists’ Statement on Internet Voting. The Technologist’s Statement warns against “pilot” Internet voting projects and describes the severe challenges that must be met if an Internet voting system is to justify public confidence.

Read The Computer Technologists’ Statement on Internet Voting

Current Status of Internet Voting in the United States

ivmap2016

Both e-mailing voted ballots and transmitting them through a Web portal are forms of “Internet voting.” And with the proliferation of Internet fax services, we can presume that many voted ballots returned to election officials via fax have in fact been transmitted through the Internet. Internet voting thus can mean voting from an Internet browser in one’s personal computer, or by email attachment, or electronic fax, remote kiosk, or other means of remote electronic transmission. A voted ballot sent through the Internet is no more verifiable than a polling place ballot cast on a paperless direct-recording electronic voting machine – and in fact is exposed to a far greater number of security threats including cyber-attacks such as modification in transit, denial of service, spoofing, automated vote buying, and viral attacks on voter PCs.

In all, 31 states and the District of Columbia allow military and overseas voters to return ballots electronically. Yet 22 of these states require that voting systems at home use paper ballots or provide voter-verifiable paper records. We cannot overstate this fact: the technological reasons that 35 States have moved toward paper ballots or voter-verifiable paper records for all voters at the polls and 10 more provide them for voters in at least some counties also apply, with even greater urgency, to voted ballots returned electronically from outside the country. You can view the specific provisions for the electronic submission of voted ballots in each of the States at the right of this page.

Federal Efforts to Secure Online Voting for the Military

Researchers for the federal government have spent a decade and a half and over 100 million dollars to study online voting1 and have attempted to conduct pilot projects, and concluded that it is currently not possible to ensure the security, privacy, auditability and integrity of ballots cast over the Internet.2 For this reason, the U.S. Election Assistance Commission did not set security standards or guidelines for an Internet voting pilot project to be carried out by the Department of Defense (DoD) for military and overseas voters. There are no federal security guidelines because the federal government concluded online voting cannot be done securely.3 Moreover, because federal researchers determined that secure online voting is not currently feasible, the DoD did not develop an online voting system for military voters. The conclusive evidence that online voting cannot yet be done securely led the federal government to abandon its effort to develop a secure online voting system for the military in 2014.4

Back in 2002 congress directed the DoD to develop an online voting demonstration project for the troops in the National Defense Authorization Act (NDAA). DoD developed the SERVE project, an online voting system slated to be deployed for the 2004 elections. After security researchers reviewed the system and warned that it was not secure, the deputy secretary of defense cancelled the SERVE project because DoD “could not ensure the legitimacy of ballots” cast through the SERVE system.5  In response, congress amended the NDAA directive in 2005 and directed the U.S. Election Assistance Commission and the National Institute of Standards and Technology (NIST) to study the online return of voted ballots for the purpose of setting security standards so the Department of Defense may use them for the creation of a secure online voting system for military voters. NIST has documented several security issues that cannot be mitigated or solved with the cyber security safeguards and voting system protocols currently available. Federal researchers concluded its research found that until these challenges are overcome, secure Internet voting is not yet feasible.6

The overwhelming evidence that secure Internet voting still is not within our grasp led Congress to repeal that directive to the Department of Defense to pursue online voting for military and overseas voters in the 2015 National Defense Authorization Act. The question of how to develop a secure online voting system has been asked and answered by researchers at the federal government. Secure online voting is not yet achievable. Vendors of online voting systems may claim that their systems are secure but these security claims are backed solely by the vendors’ promises and are completely unsubstantiated. Any claim by a for-profit vendor that it has developed a secure Internet voting system is in direct contradiction to the best assessment of federal researchers after years of research and analysis.

The Military and Overseas Voter Empowerment (MOVE) Act of 2009

There’s no question that voting for military and overseas voters needs to be improved. Too often absentee ballots are not received in time, if at all. Returning voted ballots from voters in hard to reach places (for example remote military outposts) in time to meet state election deadlines is difficult. These are real problems and 2009 saw efforts to improve ballot access for overseas voters kick-started by passage of the Military and Overseas Voter Empowerment (MOVE) Act, passed as an amendment to the Defense Authorization bill.  The MOVE Act addressed many problems facing overseas voters. It required that election officials provide ballots to military and overseas voters 45 days in advance of the election. Election officials must also make applications and blank ballots available electronically. Except for the issues raised by the remaking of ballots in some States, this is an excellent provision that allows technology to expedite the voting process but does not endanger the verifiability of the election. In addition, the MOVE Act established a system through which absent military voters are able to return their voted ballots by expedited mail through the U.S. Postal Service for free. But while the MOVE Act calls for electronic distribution of election materials, it is notably silent on the subject of return of voted ballots, with good reason.

Following enactment of MOVE, as states sought ways to meet new requirements for electronic delivery of ballots to voters deployed or living overseas, some states reached beyond the requirements of the Act. These states started providing electronic channels for return of voted ballots from voters: fax, email and Internet portals for uploading of voted ballots, and in some cases “online mark and send” even though  the federal government chose not to pursue online ballot return because of the security risks. The States are under no Federal requirement to permit electronic return of voted ballots, but  many do so despite the major security risks In addition, opportunity for error arises through the “remaking” of returned ballots, whether printed or electronic, onto optical scan ballots by election officials in order to insert the copies into the tabulating scanner. Ballots may be remade if the voter returns a printed and marked copy of an electronically received blank ballot, or if a completed ballot is returned electronically to election officials. In both cases the paper version of the “ballot” election officials receives or prints out currently cannot be scanned. There is little information about how widespread the practice of remaking electronically transmitted UOCAVA ballots is, and it may depend on how many UOCAVA voters vote in a given jurisdiction. For more information and citations see Counting Votes 2012 (PDF)

David Jefferson on Internet Voting:

Barbara Simons: Internet Voting: Wishful Thinking?:

Internet Voting Reports

“The right to cast a secret ballot in a public election is a core value in the United States’ system of self-governance. Secrecy and privacy in elections guard against coercion and are essential to integrity in the electoral process. Secrecy of the ballot is guaranteed in state constitutions and statutes nationwide. However, as states permit the marking and transmitting of marked ballots over the Internet, the right to a secret ballot is eroded and the integrity of our elections is put at risk.” The Secret Ballot At Risk: Recommendations for Protecting Democracy (EPIC, Verified Voting, Common Cause, 2016)

“Banks, online retailers, and other companies offering services over the Internet factor in some degree of loss as a cost of doing business online, and generally indemnify their customers against bad actors. Online voting poses a much tougher problem: lost votes are unacceptable. Online voting systems are complex, and any updates often must be separately recertified by election authorities. And unlike paper ballots, electronic votes cannot be “rolled back” or easily recounted. The twin goals of anonymity and verifiability within an online voting system are largely incompatible with current technologies.” Online Voting: Rewards and Risks (Intel Security, 2014)

“While there have been some Internet voting elections where voter turnout has increased, when other factors such as the apparent closeness of the race and interest in particular contests (e.g., a mayoral election without an incumbent) are taken into consideration, research suggests that Internet voting does not generally cause non- voters to vote. Instead, Internet voting is mostly used as a tool of convenience for individuals who have already decided to vote.” Recommendations Report to the Legislative Assembly (Independent Panel on Internet Voting, BC, 2014)

“From a security design perspective, internet voting is a particularly challenging problem and carries the greatest number of risks of any ballot casting method.  Online voting introduces a number of unique potential threats to the voting process: voters must submit secret ballots using a computing device potentially infected with malware or spyware, over a hostile network, for storage on an internet-facing server. … Of the proposals evaluated in the context of the RFP process, it is our opinion that no proposal provides adequate protection against the risks inherent in internet voting. It is our recommendation, therefore, that the City not proceed with internet voting in the upcoming municipal election.” Security Assessment of Vendor Proposals (City of Toronto, 2014)

“Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters’ secret ballot.” Attacking the Washington, D.C. Internet Voting System (2012)

“Because of the difficulty of validating and verifying software on remote electronic voting system servers and personal computers, ensuring remote electronic voting systems are auditable largely remains a challenging problem, with no current or proposed technologies offering a viable solution.” Security Considerations for Remote Electronic UOCAVA Voting, NIST, February 2011

“The return of voted ballots poses threats that are more serious and challenging than the threats to delivery of blank ballots and registration and ballot request. In particular, election officials must be able to ascertain that an electronically-returned voted ballot has come from a registered voter and that it has not been changed in transit. Because of this and other security-related issues, the threats to the return of voted ballots by e-mail and web are difficult to overcome.” A Threat Analysis on UOCAVA Voting Systems, NIST December 2008

“Most of the security problems with Internet voting are generic to any PC and Internet application, and fundamentally have no effective solutions. This is why the majority of all email transmitted over the Internet is spam, and an estimated 50% of all Internet-connected PCs in the world are infected with malicious software, despite more than a decade of effort and immense investment by the world’s high technology companies in trying to fix these problems. It is not just that no solution to the problems of Internet voting has yet been deployed. The real problem is that no fundamental solution is possible using the current Internet protocols and the current PC hardware and software platforms.” Comment on the May 2007 DoD report on Voting Technologies for UOCAVA Citizens, Aviel Rubin, David Jefferson, Barbara Simons, 2007

“The transmission of voting materials by unsecured email is a concern from both a privacy and security concern. Email traffic … is easily monitored, blocked and subject to tampering. In addition, the publication of e-mail addresses of voting officials subject those offices to attack, effectively blocking voters.” Independent review final report for the Interim Voting Assistance System (IVAS), Aug. 2006

“Because the danger of successful, large-scale attacks is so great, we reluctantly recommend shutting down the development of SERVE immediately and not attempting anything like it in the future until both the Internet and the world’s home computer infrastructure have been fundamentally redesigned, or some other unforeseen security breakthroughs appear.” SERVE voting system security report, 2004

“Remote Internet voting systems pose signicant risk to the integrity of the voting process, and should not be elded for use in public elections until substantial technical and social science issues are addressed. The security risks associated with these systems are both numerous and pervasive, and, in many cases, cannot be resolved using even today’s most sophisticated technology.” National Science Foundation Internet Voting Report, 2001

“[The] broad application of Internet voting in general faces several formidable social and technological challenges. …They include providing adequate ballot secrecy and voter privacy safeguards to protect votes from unauthorized disclosure and to protect voters from coercion; providing adequate security measures to ensure that the voting system (including related data and resources) is adequately safeguarded against intentional intrusions and inadvertent errors that could disrupt system performance or compromise votes; providing equal access to all voters, including persons with disabilities, and making the technology easy to use; and ensuring that the technology is a cost-beneficial alternative to existing voting methods, in light of the high technology costs and security requirements, as well as the associated benefits to be derived from such investments.” Elections: Perspectives on Activities and Challenges Across the Nation, GAO, October 2001

“Our concerns about early and remote voting plans are even stronger as we contemplate the possibility of Internet voting. In addition to the more general objections, the Commission has heard persuasive testimony that Internet voting brings a fresh set of technical and security dangers all its own. This is an idea whose time most certainly has not yet come.” National Commission on Federal Election Reform, Aug. 2001

“Remote Internet voting poses serious security risks. It is much too easy for one individual to disrupt an entire election and commit large-scale fraud.”

Voting: What is, what could be, Caltech-MIT Voting Technology Project, 2001

“[T]echnological threats to the security, integrity and secrecy of Internet ballots are significant. The possibility of “Virus” and “Trojan Horse” software attacks on home and office computers used for voting is very real and, although they are preventable, could result in a number of problems ranging from a denial of service to the submission of electronically altered ballots.” California Secretary of State’s Task Force on Internet Voting (2000)

Internet Voting State by State

from Counting Votes 2012

Alabama
Alabama allows UOCAVA voters to receive blank ballots by e-mail and facsimile in elections for federal office only, and a signature is required if the ballot is to be received by facsimile. Ballots may also be “transmitted or accessed by other secure electronic means approved by rule of the Secretary of State.” According to the Alabama election code, the absentee election manager and his or her staff are responsible for ensuring “the confidentiality of all voted ballots, including voted ballots received by facsimile.” According to the Federal Voting Assistance Program and Alabama’s online instructions for UOCAVA voters, completed ballots must be returned via mail or hand delivery.

In 2008, by executive order of the Governor, a task force was created for the purpose of developing a secure system through which absent military and overseas voters could vote over the Internet. According to the Secretary of State, legislation was enacted in 2010 on the authority of which a “secure web system to download ballots” was implemented. Since then, the Secretary’s office reports, Alabama does not distribute ballots by e-mail or facsimile, but rather “if [voters] don’t specify, then we mail [the ballot]. If they want an electronic version, we … send them an email telling them to go to the url at our web-based system to sign in and get a ballot.” The Secretary’s office further clarified that ballots are not received by e-mail or facsimile “unless there is a court order as there was in the primary … but that is not typical.”

Alaska
Any qualified Alaska voter may apply for an absentee ballot by mail, facsimile, email or through Alaska’s online voting system.   The voter may request that the blank ballot be delivered to  him or her by mail or facsimile, and in the absence of a statement of preference, the ballot  will be mailed. An absentee ballot may be returned via facsimile or the online voting system. In the case of facsimile return, Alaska law provides that a voter “assumes the risk [of] faulty electronic  transmission.” Voters are, however, provided with instructions they must follow in order  to maximize the privacy of their ballots, and procedures include the requirement that division of elections personnel remove the voted ballot from the portion of the transmission identifying the voter, and place the ballot in a secrecy sleeve before processing in the  customary fashion.

If the voter opts to use the online voting system, the voter can access an electronic image of the ballot through the system on his or her personal computer, mark the electronic ballot image, and send it back through electronic voting system. The Alaska Division of Elections website includes this disclaimer for ballots returned through the online voting system “When returning the ballot through the secure online voting solution, your are voluntarily waving your right to a secret ballot and are assuming the risk that a faulty transmission may occur.”[sic]

Alaska allows electronic return for all UOCAVA voters, and even domestic voters, subjecting these ballots to security risks, rendering them unauditable, and compromising voter privacy.  In 2000, the Alaska Republican Party conducted a pilot project in which voters were  authorized to cast votes by way of an uncontrolled web application in a “non-binding presidential preference vote.” Although a pin number was required for participation, the Election Assistance Commission was unable to determine what security measures were used to protect transmission of the votes over the Internet. 35 voters participated in the project.

Arizona
Arizona allows UOCAVA voters to apply for ballots via mail, facsimile and the Internet. Such voters can designate the method by which they prefer to receive their blank ballots, which may be via Internet (“secure ballot upload system”), facsimile, other electronic means, or mail; in the absence of a stated preference the voter will receive the ballot by mail. Voters may return their completed ballots by mail, facsimile or Arizona’s secure ballot upload system. Two of the three counties surveyed reported using the secure ballot upload system. One of those reported that, in order to protect the privacy of such ballots, “[o]nly one person from the county opens the state website” where the ballots are uploaded, and that when voters also send their ballots back to the county via e-mail, they are “told to upload the ballot on the state site.” That county also reported that “[t]here were only 5-6 people who used the system last year, and 8-12 people this year.” Internet voting technology has been used on a pilot basis in three elections in Arizona: the 2000 Democratic Primary, the 2008 General Election and the 2010 General Election.

In the 2000 Democratic Primary, voters were authorized to cast votes by way of an uncontrolled web application from anywhere in the world in a legally binding presidential primary. A PIN was required, and a secured website and administrative passwords were used to protect the transmission of votes over the Internet. More than 39,000 voters participated. In the 2008 and 2010 General Elections, a controlled web application was used, secured by an SSL cryptographic protocol, and user names, passwords and electronic signatures were also required. The Election Assistance Commission was unable to determine how many voters participated.

Arkansas
Arkansas allows UOCAVA voters to submit their Federal Post Card Applications by mail, e- mail and facsimile, but does not allow them to receive their blank ballots by e-mail or facsimile. All completed ballots must be returned by mail. Both of the counties surveyed confirmed the foregoing. Arkansas had agreed to participate in the SERVE Project in 2004.
California
California allows UOCAVA voters to submit their Federal Post Card Applications by mail, e-mail and facsimile, and allows them to receive their blank ballots by mail or fax; in the absence of a stated preference they will receive their ballots by mail. Some counties also offer emailed or downloadable online blank ballots. California also allows such voters to return their completed ballots by mail or facsimile, and according to the Secretary of State’s office, facsimile transmission is the only method of electronic transmission allowed for return of completed ballots by UOCAVA voters. Voters returning their ballots by facsimile are required to submit a signed oath waiving their rights to a secret ballot, but notwithstanding the waiver, election officials are required to “adopt appropriate procedures to protect the secrecy of ballots returned by facsimile transmission.” Although a military or overseas voter is permitted to return his or her voted ballot by facsimile transmission, such a voter is “encouraged to return his or her ballot by mail or in person if possible” and “should return a ballot by facsimile transmission only if doing so is necessary for the ballot to be received before the close of polls on Election Day.”

All of the counties surveyed confirmed that the foregoing reflects actual practice, however, Humboldt County reported that it will allow a signed oath waiving the voter’s right to secrecy to be sent via email, though the completed ballot must still be sent by facsimile or regular mail. Orange County reported that “we may occasionally get someone who scans their ballot and tries to return by email, but we don’t accept them,” and when it happens, “[w]e will notify them that we can’t accept it that way.” With respect to offering downloadable ballots, San Mateo County plans to offer online blank ballots in the November general election. Orange County has already used a “UOCAVA wizard” through which voters may receive a ballot by e-mail, and reported that the county is “seeing a lot more interest from overseas” in the technology. It is important to note that Orange county processes all such ballots by duplicating them onto regular optical scan ballots after they are received, and that the county may duplicate as many as 4,000 to 5,000 regular absentee ballots in an election as well because of the number that are damaged when sent through the mail.

The California Legislature has sent legislation to the Governor that would authorize the use of “ballot marking systems” for special absentee voters, provided they are “not connected to a voting system at any time.” Unlike ballot marking wizards used in other states, this provision avoids online marking, thus skirting a number of privacy and security risks.

Colorado
Colorado allows UOCAVA voters to apply for and receive a ballot via mail, facsimile or e- mail or “if offered by the voter’s jurisdiction, other electronic means.” If no preference is designated, the voter will receive the ballot by mail. A voter who receives his or her ballot via electronic transmission may also return the ballot via electronic transmission in circumstances where a more secure method, “such as returning the ballot by mail,” is not available or feasible. In addition, according to the Secretary of State, “[a]ny elector, regardless of whether or not they are classified as UOCAVA, can vote and return a ballot via facsimile under emergency ballot procedures.” Emergency ballot procedures “are instances where a condition arose after the last day to request a mail ballot, where a voter is unable to vote at his or her polling place on Election Day,” and under such circumstances, “[c]ounties must seek permission from the Secretary of State’s office to transmit emergency ballots by fax.”

Colorado has enacted legislation that, subject to available funding, provides for the development of a pilot program for Internet voting for overseas military personnel beginning with the 2012 general election. Statutory language requires the system, among other things, to use encrypted data transmitted over a secure network, protect the privacy, anonymity and integrity of each voter’s ballot, prevent the casting of multiple ballots by any voter, protect against fraud, and provide “uninterrupted and reliable Internet availability,” though it does not call for a public test of the system and it is not clear how these requirements are to be accomplished.

The counties surveyed reported various practices with respect to the Internet pilot program. One reported that UOCAVA voters indicate their preferences prior to the election, and that “[i]t is possible to vote using internet.” Another reported that it was not among the counties selected for the pilot but that the pilot would be conducted in the 2012 election, and a third reported that “[w]e have just two overseas voters,” and therefore will not be participating in the pilot program.

Connecticut
Connecticut allows any voter eligible to vote absentee to apply for an absentee ballot via mail, facsimile, e-mail or “other electronic means.” Voters applying for a ballot by e-mail, facsimile or other electronic means must also return the original signed application by the close of polls on Election Day or the ballot won’t be counted. Connecticut complies with the MOVE Act by providing UOCAVA voters with a blank ballot by mail or “electronic means, as requested” by the voter; however, “if an application is made for an absentee ballot at the time of availability of regular absentee ballots (beginning 31 days before an election or 21 days before a primary), a regular absentee ballot should be provided.”  If no preference is indicated, the voter will be mailed the ballot. If the ballot is received by electronic means, it must be returned with a signed certification in order to be counted. All absentee ballots must be returned by mail. All of the election officials surveyed confirmed the foregoing.

In July 2011, Connecticut enacted a law that, subject to available appropriations, requires the Secretary of State to “recommend a method to allow for on-line voting by military personnel stationed out of state;” the Secretary of State’s office reported that “[t]his report was produced and the Secretary recommended against implementing such a system until a system with sufficient security could be built and proven sufficient.” In May 2012, the Connecticut legislature passed a bill that would allow UOCAVA ballots to be returned by e- mail or fax, but the bill was vetoed by the Governor.

Delaware
Delaware allows UOCAVA voters to apply for absentee ballots through the use of Federal Post Card Applications (FPCAs). These voters may request their ballots be sent by mail, facsimile or e-mail. If no preference is indicated, the ballot will be mailed. If a UOCAVA voter receives a ballot through e-mail or facsimile, he or she may return it by traditional mail, facsimile or e-mail. All of the counties surveyed confirmed this practice. If returned by facsimile or e-mail, the voter must complete a cover sheet, including his or her name, voucher number (a six digit number sent with their ballot), e-mail address and phone number. If returned by e-mail, the voter must scan the coversheet, ballot and oath onto a computer and e-mail these documents to the Department of Elections. If returned by facsimile, the voter must fax the coversheet, completed ballot and signed oath to the Department of Elections. The voter may verify that his or her vote was received by checking their county Department of Elections’ website or by calling or e-mailing the county. In upcoming elections, as part of Delaware’s participation in the Federal Voting Assistance Program’s Ballot Marking Wizard Program, voters will be able to receive ballots directly from a website and return them via e-mail or facsimile.
District of Columbia
The District of Columbia allows UOCAVA voters to apply for and receive an absentee ballot by mail, e-mail or facsimile (the regulations use the general term “electronically”); if no preference is stated the ballot will be delivered by mail. Such voters may also return their completed ballots by mail, e-mail or facsimile, provided that if they return the ballots electronically they must also submit a signed statement acknowledging that they waive their right to a secret ballot. An election official surveyed for the report confirmed the foregoing.

In September 2010, the District of Columbia unveiled an Internet voting pilot project, called “Digital Vote By Mail,” which was designed to allow military and overseas voters to download blank and return completed ballots over the Internet, and invited the scientific community to test the “system[‘s] integrity” prior to its actual use in the 2010 election. The project used a controlled web application and SSL and transport layer security (TLS) cryptographic protocols, and required the use of a PIN number. Within 36 hours of the system going live, a University of Michigan computer scientist and his team of graduate students had found and exploited a vulnerability that gave them almost total control over the server software, including the ability to change votes and reveal voters’ secret ballots.

To demonstrate their successful hack, the team left a “calling card” for test voters who completed voting: “[a]fter 15 seconds, the page plays the University of Michigan fight song.” As a result of the hack, the Board of Elections cancelled the project for 2010, issuing a statement that read, in part, “the District of Columbia’s Board of Elections and Ethics learned that its Digital Vote by Mail public examination software had developed an affinity for the maize and blue of the University of Michigan. Since no staff of the BOEE or our development partners …had attended the school, we reached the logical conclusion. Our public test had been hacked.” The authors join the University of Michigan team in commending the District of Columbia Board of Elections for conducting “exactly the kind of open, public testing that many of us in the e-voting security community …have been encouraging vendors and municipalities to conduct,” and further commend the Board for acknowledging that they “learned many valuable lessons about the security issues with the file upload mechanisms used in this software” and that “[t]he burden of proof will always rest with the election officials to ensure integrity and transparency of all voting systems.” The District of Columbia has pledged to continue to experiment to find a secure digital means for military and overseas voters to cast their ballots. An election official surveyed reported that the District of Columbia has no plans to allow return of completed ballots in 2012 other than by e-mail and facsimile as described above.

Florida
Florida allows UOCAVA voters to apply for blank ballots by telephone, mail, e-mail, facsimile, or any other form of written request. Such voters may receive their blank ballots by mail, e-mail or facsimile, and if no preference is selected, they will receive them by mail. Such voters may also return their completed ballots by mail, facsimile transmission “or other secure remote electronic transmission,” but not by “regular electronic mail.” In accordance with a final rule governing military and overseas absentee ballots adopted in July 2012, Florida will not allow completed ballots to be returned by e-mail; voters who return their ballots by facsimile will be advised that by doing so they are waiving their right to a secret ballot. Only one of the counties surveyed confirmed that it accepts ballots returned from UOCAVA voters by e-mail in addition to facsimile.

In the 2008 General Election, Okaloosa County conducted a pilot Internet voting project called the Okaloosa Distance Balloting Project. In the project, voting kiosks were set up in hotels in three overseas cities in which the U.S. has military installations: Mildenhall England, Ramstein Germany, and Kadena Japan. The project used a controlled data- transmission channel via proprietary kiosks, and the channel was protected by a VPN, SSL and “multiple layers of encryption and digitally signed data.” In-person photo identification and a digital certificate were also required. Ninety-three voters participated in the project. Florida had also agreed to participate in the SERVE Project in 2004, and two Florida counties participated in the VOI Project in 2000.

Georgia
Georgia allows any absentee voter to apply for absentee ballots by mail, e-mail and facsimile, and allows UOCAVA voters to receive their blank ballots by e-mail in addition to mail. If the voter states no preference, the ballots will be mailed. All completed absentee ballots must be returned by mail. The counties surveyed reported varying practices and understandings. One confirmed the foregoing, namely that blank ballots can be sent by e-mail to UOCAVA voters but must be returned by mail, and another reported that “one voter returned his ballot [electronically] via the Secretary of State.” However, the third reported generally that completed ballots could be returned by both e-mail and facsimile in addition to regular mail.

In 2010 Georgia enacted a law requiring the Secretary of State to “develop and implement a pilot program for the electronic transmission, receipt, and counting of absentee ballots” of UOCAVA voters. Statutory language requires the system, among other things, to use encrypted data transmitted over a secure network, protect the privacy, anonymity and integrity of each voter’s ballot, prevent the casting of multiple ballots by any voter, protect against fraud, provide “uninterrupted [system] reliability” for casting ballots, and provide the “ability to verify that the information transmitted over the secure network was not viewed or altered by sites that lie between the voting location and the vote counting destination,” though it does not call for a public test of the system and it is not clear how these requirements are to be accomplished. The pilot program is subject to appropriations and/or private, non-political funding, and sunsets automatically on July 1 of the year following the conclusion of the pilot. According to a representative from the Secretary of State’s office, Georgia has no current plans to implement the Internet voting pilot program.

Hawaii
Hawaii allows UOCAVA voters to submit their Federal Post Card Application for a ballot by mail, e-mail or facsimile. Such voters may receive their blank ballots by mail or, if the voter did not receive the mailed ballot within five days of the election, the voter may request that his or her blank absentee ballot be forwarded by facsimile. Voters must return their completed ballots by mail, or, if they received the ballot by facsimile within 5 days before the election, by facsimile, but if the voter returns the ballot by facsimile he or she must also return a waiver of the right to a secret ballot. One of the counties surveyed reported that it does not allow completed ballots to be returned by facsimile.

In 2009, the City of Honolulu held its Neighborhood Board Election by way of an “all- digital voting system” that included the use of telephones and the Internet. Because the election was for Neighborhood Board members, Hawaii’s state election laws, which require a voter-verifiable paper audit trail, did not apply to the project. Although the Request for Proposals required the system designer to “provide an alternative method of voting that ‘should be at least as safe as the all-paper method used in’” prior elections, the project used an uncontrolled web application protected only by SSL cryptographic protocols and the required use of a password, and otherwise allowed voters to vote from their home computers. The Election Assistance Commission reported that 154,000 voters were registered for the project, but it was unable to determine the level of participation. A representative of the Honolulu Neighborhood Board reported that in fact 156,000 voters were “registered,” but that that figure represents all voters “that are registered for either the primary or the general federal election. … Added to that number are any people who registered directly with the Neighborhood Board. Statistically speaking, Neighborhood Board elections generally have a low voter turnout, and in the case of the Neighborhood Election project, 13,264 votes were cast,” representing “approximately 8.5% of registered voters.” Hawaii also had agreed to participate in the SERVE Project in 2004.

Idaho
Idaho allows any absentee voter to apply for an absentee ballot by mail or “by using a facsimile machine or other electronic transmission.” All voters, including UOCAVA voters, may also receive their blank ballots by mail or by using facsimile or other electronic transmission, including e-mail. If UOCAVA voters do not express a preference, their ballots will be mailed. In addition, the Secretary of State is required to “establish procedures for transmitting such ballots in a manner that shall protect the security and integrity of such ballots and the privacy of the elector throughout the process of transmission.” All completed absentee ballots must be returned by mail, provided that in certain emergency circumstances the Secretary of State may allow the voter to return a completed ballot by facsimile or e-mail. The Secretary of State’s office reported that such a circumstance would be “very rare,” and all of the counties surveyed reported that they only accept completed ballots by mail, although two confirmed that they send blank ballots out electronically and one of those reported that 2012 is the first year it had done that.
Illinois
Illinois allows UOCAVA voters to apply for and receive their blank absentee ballots by mail, e-mailorfacsimile. According to the Federal Voting Assistance Program , such voters may also obtain blank ballots by way of a “secure ballot uploads ystem.” If voters do not select a preference, their ballots will be mailed. Military and overseas voters must return their ballots by mail.The Board of Elections confirmed the foregoing.
Indiana
Indiana allows all absentee voters to apply for an absentee ballot by mail, e-mail and facsimile, and to receive their blank ballots by mail and by facsimile. In addition, UOCAVA voters may apply for their blank ballots by web application and receive them by e-mail, and may return their completed ballots by mail, facsimile, e-mail to their election officials, or e-mail to the Federal Voting Assistance Program with instructions to forward the email to their local election office. Voters who return their ballots by e-mail or facsimile must also return a signed statement acknowledging that they understand that by faxing or e- mailing their voted ballots, they are voluntarily waiving their rights to a secret ballot. In addition, the system must incorporate reasonable measures to protect the security, confidentiality, and integrity of personal information. All of the counties reported that the foregoing reflects actual practice, but one clarified that the county “no longer goes through FVAP” but rather “e-mail[s] ballots directly to the voter” because “going through FVAP was a much slower process,” and that the absentee counting board “[does] all they can to protect the confidentiality and integrity of personal information” of UOCAVA voters.
Iowa
Iowa allows all UOCAVA voters to apply for and receive blank ballots by mail, e-mail or facsimile. Voters who do not express a preference will receive their ballots by mail. All UOCAVA voters must return their completed ballots by mail, except for military and overseas voters located in an “imminent danger pay” area, who may return their ballots by email or facsimile. Voters who qualify for and choose to return a ballot by email or facsimile must “sign a form, provided by the county auditor, which affirms they are located in an imminent danger pay area.” The form also informs the voter that by casting a vote electronically, he or she has waived the “right to a secret ballot.” All of the counties surveyed confirmed that the foregoing reflects actual practice.
Kansas
Kansas allows UOCAVA voters to apply for and receive blank ballots by mail, e-mail, facsimile “or other electronic method authorized by the Secretary of State.” If no preference is selected, Kansas will mail the ballot. Such voters may also return their ballots by those methods, provided that if they choose to return the ballot by e-mail, facsimile or other electronic transmission method, they must include a signed statement saying “I understand that by faxing, emailing or electronically transmitting my voted ballot I am voluntarily waiving my right to a secret ballot.” Some counties also offer a ballot that you can mark online and print, then return by U.S. mail, fax or email. To the extent that electronic transmission methods are used, county election officials are required to keep voted ballots “as confidential as practicable.” All of the counties surveyed confirmed that the foregoing reflects actual practice, but one clarified that it had never received an electronically transmitted ballot.
Kentucky
Kentucky allows UOCAVA voters to apply for and receive their blank ballots by mail, facsimile, and e-mail, through Kentucky’s “online wizard” web application. If no preference is selected, such voters will receive their ballots by mail. All completed ballots must be returned by mail.
Louisiana
Louisiana allows all absentee voters to apply for an absentee ballot by “any means,” including mail and facsimile. Louisiana also allows any voter to receive and return a completed ballot by facsimile, provided the voter also submits a signed statement waiving his or her right to a secret ballot. Louisiana allows UOCAVA voters to apply for and also receive their blank ballots by mail, e-mail and facsimile. Such voters may return their completed ballots by mail or facsimile, provided that if they return them by facsimile, they must also include a signed statement waving their right to a secret ballot. The registrar and his or her staff are required to“take the steps necessary to keep the voted ballots received by facsimile as confidential as practicable.” In addition, the Secretary of State is required to “take all actions reasonably necessary to allow” UOCAVA voters to vote according to UOCAVA “or otherwise during a period of declared emergency, whether by mail, facsimile, or other means of transmission of the ballot, notwithstanding any provision of this Code to the contrary.” One of the parishes surveyed confirmed all of the foregoing.
Maine
Maine allows any absentee voter to apply for an absentee ballot in writing (submitted by mail, facsimile, immediate family member or third person), telephone or “electronic means authorized by the Secretary of State.” Maine also allows UOCAVA voters to apply for absentee ballots electronically as a scanned attachment to an e-mail, and to receive their blank ballots by mail, facsimile or electronically through the use of downloadable form accessible from a secure website. If the voter does not express a preference, the ballot will be mailed. All completed ballots must be returned by mail, except that UOCAVA voters may return their completed ballots electronically, as a scanned attachment to an email. E-mail return was previously limited to circumstances in which there was not sufficient time to return the ballot and the voter had requested permission, but the Secretary of State’s office reports that it provides “all UOCAVA voters with instructions on returning the ballot as a scanned attachment to an email, and they no longer have to request permission from our office before doing so.” The election officials surveyed, all of whom are municipal officials, reported that the foregoing process is handled entirely by the Secretary of State; one added that “[t]he Secretary of State’s office handles all aspects of that process including tabulation. The municipality only sees it as an absentee ballot in their precinct.”

In 2015 Maine passed SB552 which authorizes the Secretary of State to mandate a method of electronically receiving voted absentee ballots from UOCAVA voters, possibly expanding the methods of return available to these voters.

Maryland
Maryland allows UOCAVA voters to request and download their absentee ballots online. All other voters must mail in an absentee ballot request form to get an absentee ballot physically mailed. Absentee ballot applications are available through a website application. All voters, including UOCAVA voters, must return their completed ballots by mail.

In 2011, the Takoma Park, MD Board of Elections considered implementing an online system which would enable absentee voters to cast their ballots online for the November, 2011 City election. However, the Board ultimately passed a resolution that halted the pilot project. It stated, in part, that: “the ballot of record for absentee ballots is the paper ballot, and we will not accept only the electronic record as a ballot vote.”

Massachusetts
Massachusetts allows UOCAVA voters to apply for and receive their blank absentee ballots by mail, e-mail and facsimile. If the voter does not express a preference, the ballot will be mailed. UOCAVA voters may also return their completed ballots by mail, e-mail or facsimile. All of the election officials surveyed confirmed the foregoing procedures, and noted in addition that voters who return their ballots by e-mail or facsimile must submit waivers acknowledging that their ballots will not be secret.
Michigan
Michigan allows UOCAVA voters to apply for and receive a blank ballot by mail, email or fax. For email ballots, PDFs of the ballot, voter signature certificate and voting instructions are created and sent to the voter’s email address. For fax ballots, copies of the ballot, voter signature certificate and voting instructions are printed and faxed to the voter’s fax number. All completed ballots and signed voter signature certificates must be returned by mail. Any votes returned by fax or email will not be counted. All of the counties surveyed confirmed that completed ballots must be returned by mail, but one reported that a UOCAVA voter had “asked for the first time to return a ballot by pdf at the township level.” For all ballots sent by email or fax, the election official must verify that the signature on the certificate matches the signature on the application for an absentee ballot. If the signatures do not match, the ballot is rejected. If there is no signed certificate, the ballot is rejected. On Election Day, the ballot is delivered to the precinct or absent voter counting board in accordance with usual procedures. In 2004, the Michigan Democratic Party conducted a Presidential Primary via the Internet using an uncontrolled vote data return channel, a web application, and facsimile transmission. The U.S. Election Assistance Commission was unable to determine what, if any, channel protection was used, but a PIN number and the voters’ place and date of birth were required for voter authentication. Reportedly more than 46,500 voters participated.
Minnesota
Minnesota allows all absentee voters to apply for an absentee ballot by mail, e-mail or facsimile. Minnesota also allows UOCAVA voters to receive their blank ballots by mail, e-mail or facsimile, but if such voters opt to receive their ballots electronically the county auditor is not required to provide return postage. If no preference is selected, voters will receive their ballots by mail. All military and overseas voters must return their completed ballots by mail, package delivery service, or diplomatic pouch via U.S. Embassy or Consulate. All of the counties surveyed confirmed that the foregoing accurately describes actual practice, but one reported that even though not required to do so, it still provides return postage even when voters receive their ballots electronically.
Mississippi
Mississippi allows any absentee voter to apply for an absentee ballot by mail or telephone. Mississippi also allows UOCAVA voters to apply for and receive their blank ballots by mail, e-mail and facsimile. If the voter does not express a preference the ballot will be mailed. Such voters may also return their completed ballots by mail, e-mail or facsimile. Completed ballots returned by facsimile or e-mail are not required to bear a signature. Access to such ballots upon return is restricted to the election officials who retrieve the e- mail or facsimile, and these officials are required to place the ballots in absentee ballot envelopes, and “have the duty to protect the secrecy of the ballot choices.” Both of the counties surveyed confirmed the foregoing. The Secretary of State clarified that “[f]or military and overseas voters, the FPCA requesting absentee ballots and the absentee ballots may be returned via facsimile” and that “[n]o other faxing of absentee ballot applications or absentee ballots is permissible,” but confirmed that “[a]ny citizen covered under [UOCAVA] who has been issued a Department of Defense ID can request an absentee ballot application and cast an absentee ballot by e-mail” and that “[a]ctive duty military personnel serving outside of the state of Mississippi may also receive and submit an application as well as an absentee ballot by e-mail.”
Missouri
Missouri allows all absentee voters to apply for an absentee ballot by mail or facsimile. Missouri allows UOCAVA voters to apply for and receive their blank ballots by mail, e-mail or facsimile. All absentee voters are required to return their completed ballots by mail, except that military voters in “hostile fire areas” as declared by the Secretary of State are permitted to return their marked ballots by mail, facsimile, or e-mail. Voters returning their completed ballots electronically are required to attach a signed cover letter to their ballots, which states that the voter’s “original mailed ballot will take precedence over any other ballot” the voter returns (by e-mail or facsimile) “if the original mailed ballot” is timely received. The cover letter also includes an acknowledgement by the voter that by returning the ballot electronically the voter “is giving up some right to privacy,” and a statement of understanding that “election officials will do everything possible to safeguard the privacy” of the ballot. Missouri allows electronic return of voted ballots but restricts the circumstances under which it is permitted and recognizes that there are security and privacy risks inherent in using electronic ballots. All of the counties surveyed confirmed that the foregoing accurately describes actual practice, but one clarified that not all Missouri voters qualify to vote by absentee ballot.
Montana
Montana allows UOCAVA voters to apply for and receive their blank ballots by mail, e-mail and facsimile. Such voters may also use Montana’s online Electronic Absentee System. If the voter does not express a preference the voter will receive the ballot by mail.” Military and overseas voters may also return their completed ballots by mail, e-mail and facsimile. The Secretary of State is required to adopt rules under which ballots returned electronically “will remain secret,” as required by the Montana constitution, and which “protect the accuracy, integrity, and secrecy of the process.” The Secretary of State indicates that no votes returned electronically are saved or stored on the electronic absentee system. All of the counties surveyed confirmed that the foregoing procedures are an accurate description of actual practice, but one reported that it “is a small county and is not set up for sending or receiving ballots by e-mail or facsimile” and does not have “a secure fax line.” That county reported that it only sends and receives ballots by mail, and that “[t]his is true for most of Montana’s smallest counties.” Another reported that “secure e-mail only” is the only method of e-mail transmission allowed, but in any case, that “[i]t has been two years since [her county] had to handle any ballots that way.” With respect to protecting the secrecy of the ballot, one county explained that “[w]hen they know a ballot is coming, someone is sent to retrieve it (if faxed) or print it (if emailed), put [it] into a ballot envelope and [seal and process it] with the rest of the ballots.”
Nebraska
Nebraska allows all absentee voters to apply for an absentee ballot in person, by mail, e-mail or facsimile, to have their blank ballots mailed to them. Nebraska allows UOCAVA voters to apply for and receive their blank ballots “using any method of transmission authorized by the Secretary of State,” including mail, email and facsimile. When the UOCAVA voter does not express a preference and the email address was provided, the ballot will be e-mailed. Nebraska also allows completed ballots from military and overseas voters to be received “using any method of transmission authorized by the Secretary of State,” and completed ballots must be returned by the close of polls Election Day either in person, by agent, or the UOCAVA voter may contact the county election office to request that their ballot be returned by e-mail or facsimile. The Secretary of State’s office reports that “[a]pproximately 1/3 of the UOCAVA ballots are returned electronically.”
Nevada
Nevada allows all absentee voters to apply for and receive their blank ballots by mail or facsimile. Nevada also appears to allow all absentee voters to return their completed ballots by mail or facsimile, but the Secretary of State clarified that the referenced statute “will, in a limited circumstance, allow a clerk to send any voter an absentee ballot by fax only if the clerk initially failed to mail them a ballot” and “allows the return of the ballot by fax only if it was sent because the county clerk failed to initially mail it.” Two of the three counties surveyed reported that fax return is only allowed for UOCAVA voters, and the third reported that it “hasn’t had to use email or facsimile in the last 6 elections.” Nevada allows UOCAVA voters to apply for and receive their blank absentee ballots by mail, e-mail or facsimile. If no preference is selected, the voter will receive the ballot by mail. Military and overseas voters may also return their ballots by mail, e-mail or facsimile, but if they return them electronically, they must also send a signed statement “declaring that a material misstatement of fact in completing the document may be grounds for a conviction of perjury.” Election officials are required to keep confidential e-mail addresses of voters who request to communicate by e-mail. All of the counties surveyed confirmed that the foregoing accurately describes actual practice with respect to UOCAVA voters.
New Hampshire
New Hampshire allows UOCAVA voters to submit a Federal Post Card Application for a ballot by mail, e-mail or facsimile, and to receive blank ballots by mail or “electronic transmission” (e-mail). If no preference is selected the voter will receive the ballot by mail. All completed ballots must be returned by mail.
New Jersey
New Jersey allows UOCAVA voters to apply for and receive their blank ballots by mail, e-mail and facsimile. These voters may also return their completed ballots by mail, e-mail or facsimile. These ballots returned by electronic means shall only be considered valid if accompanied by a signed statement: “I understand that by transmitting by electronic means a copy of my voted ballot I am voluntarily waiving my right to a secret ballot” and “[a]t the same time, I pledge to place the original voted ballot in a secure envelope, together with any other required certification, and send the documents immediately by air mail to the appropriate county board of elections.” The voter must air mail the original ballot to the appropriate county board of elections. If the electronic copy of the ballot does not “conform exactly with the particulars of the original voted ballot,” the matter will be referred to the Superintendent of Elections or the country prosecutor for investigation. Election officials receiving ballots submitted electronically are required to “take all necessary precautions to preserve the security of the ballot materials and specifically shall ensure that the vote cast by a voter using a ballot transmitted by electronic means is not revealed, except to the extent necessary by law or judicial determination.” The Secretary of State’s office confirmed this process but clarified that “the Superintendent of Elections does not get involved with the counting, it goes to the Board of Elections. Not every county has a Superintendent of Elections.”
New Mexico
New Mexico allows UOCAVA voters to apply for and receive their blank absentee ballots by mail, e-mail or facsimile.  If no preference is selected the voter will receive the ballot by mail. Military and overseas voters may also return their completed ballots by mail, e-mail or facsimile, provided that if the voter returns the ballot by electronic transmission, he or she must include in the transmission a signed statement confirming, under penalty of perjury, that he or she is waiving the right to a secret ballot. All of the counties surveyed confirmed that the foregoing reflects actual practice, and one reported that in the event e- mail is selected and the e-mail does not go through, election officials will “[go] so far as” to contact the parents of the UOCAVA voters to verify the contact information.
New York
New York allows UOCAVA voters to apply for and receive blank ballots by mail, e-mail or facsimile. If no preference is selected, the ballot will be mailed. Regardless of the transmission method expressed by the voter, all original completed applications must be returned by mail, even if an electronic copy was already returned (a possibility acknowledged by the elections code), and all original completed ballots must be returned by mail. All of the counties surveyed confirmed that the foregoing accurately describes actual practice. One of them, in confirming that no electronic returns are allowed, added that “there would be no way to compare the signature, as well as no secure way of receiving ballots,” and that if he ever received a faxed ballot with a signature he would call the State Board of Elections for instructions. In any case, the respondent reported that it has never happened.
North Carolina
North Carolina allows UOCAVA voters to apply for and receive blank absentee ballots by mail, e-mail and facsimile. The elections code provides that if a jurisdiction offers it, the voter may receive the ballot by Internet delivery. If no preference is indicated, the voter will receive the ballot by mail. All of the counties surveyed confirmed that they offer to send ballots by Internet delivery. One reported that ballots are offered by Internet delivery Statewide, and that “almost no one has not stated a preference” and “[c]urrently 90% of UOCAVA absentee ballots [are] sent by email.” UOCAVA voters may also return their completed ballots by mail, e-mail or facsimile. Voters’ e-mail addresses are not to be treated as public records.North Carolina had also agreed to participate in the SERVE Project in 2004.
North Dakota
North Dakota allows UOCAVA voters to apply for and receive blank absentee ballots by mail, e-mail or facsimile. If the voter does not make a selection, but provides an e-mail address, election officials will e-mail the ballot. Military and overseas voters may also return their completed ballots by mail, e-mail or facsimile. Such voters may also, at their option, return their completed ballots through a portal system; the voter uses an online ballot marking wizard to make selections, then notifies the election official the ballot is available for retrieval. An election official then obtains the ballot through the online portal. Election officials are required to keep voters’ e-mail addresses confidential, and the Secretary of State is required to “develop standardized absentee-voting materials, including privacy and transmission envelopes and electronic equivalents” thereof. All of the counties surveyed confirmed that the foregoing procedures reflect actual practice, but one clarified that “with our new Voices system the ballot is not e-mailed,” rather, voters “are provided a link [through] which they can vote electronically on the server” instead of ballots being transmitted back and forth.
Ohio
Ohio allows UOCAVA voters to apply for and receive their blank ballots by mail, e-mail or facsimile. If offered by the Secretary of State or the board of elections, such voters may apply for and receive their blank ballots through Internet delivery. If the voter does not express a preference, the voter will receive the ballot by mail. All completed ballots must be returned by mail. The Secretary of State and two of the three counties surveyed confirmed that only hard copy returns are allowed, and the third county, although it agreed that it was “correct” that all ballots must be returned by mail, reported that “a hard copy of the facsimile or email has to be sent in, and when it is received, the original ballot that the email or facsimile was produced from is then remade accordingly, before being cast.” In other words, it is a hard copy that is returned by mail, but because the hard copy ballot was marked onto a fax or a printed e-mail, the ballot is re-made by election officials before being scanned.
Oklahoma
Oklahoma allows UOCAVA voters to apply for and receive blank ballots by mail, e-mail or fax, but if they do not indicate that their preference is e-mail or fax, they will receive the ballot by mail. Such voters may return their completed ballots by regular mail or fax, or by e-mailing them to the Federal Voting Assistance Program, which will then fax them to the appropriate local election official. According to the Oklahoma State Election Board, if voters return their ballot electronically, the state will encourage them also to return the hard copy original ballot. According to one county surveyed, if the county receives both a faxed ballot and a mailed ballot, the county has “procedures in place to ensure we are only counting a person’s returned ballot once.” The two other counties surveyed had very little experience with electronically returned ballots; one official reported that her county “never received a ballot by email or fax” and the other reported that “it’s been six years since they’ve had one emailed.” These two counties also were under the impression, notwithstanding the apparent prohibition of it noted above, that ballots were being, or were allowed to be, e- mailed directly to the elections boards. One reported that when that happens, “[e]-mailed ballots go straight to the county where they are printed out by the election board,” and “one Republican and one Democrat mark a fresh ballot and run it through the machine.” None of the counties surveyed reported being aware of specific procedures by which voters who return a ballot electronically would be encouraged to return the hard copy.
Oregon
Oregon allows UOCAVA voters to apply for and receive their blank absentee ballots by mail, e-mail or facsimile. If the voter does not express a preference the ballot will be mailed. All voters must return their completed ballots by mail, provided that voters serving in the U.S. Armed Forces or Merchant Marines, or discharged therefrom within the last 30 days, may also return their completed ballots by facsimile or e-mail. According to the Secretary of State and the counties surveyed, this right is available to all UOCAVA voters, not only military UOCAVA voters. Completed ballots returned by facsimile or e- mail must be accompanied by a Secret Ballot Waiver Form, in which the voter consents to having his or her right to a secret ballot waived. Although the Secretary of State’s Elections Division website and the Federal Voting Assistance Program did not initially indicate that e-mail was a return option, the waiver form itself provides that ballots of qualified absent military voters may be returned by e-mail, subject to submission of the same signed waiver, and the Secretary of State confirms this. One of the counties surveyed reported that e-mail return was an option added in 2012. They all confirmed that the foregoing is an accurate description of actual practice. In July 2010, the Independent Party of Oregon conducted a statewide primary election using an uncontrolled Internet channel through which ballots could be cast online. The U.S. Election Assistance Commission was unable to determine what sort of channel protection was provided, but Independent Party voters were assigned unique codes to log onto the system. An estimated 2,500 voters participated.
Pennsylvania
Pennsylvania allows UOCAVA voters to apply for and receive their blank absentee ballots applications via mail, e-mail or facsimile, but requires that the original application also be returned by mail. If the mailed copy of the application isn’t received prior to the election, the voted ballot will not be counted. If the voter does not express a preference with respect to how he or she wants to receive the ballot, the ballot will be mailed. All completed ballots must be returned by mail. According to the Secretary of State, “[t]he electronic transmission of a voted absentee ballot from the elector to the county board of elections would violate the Pennsylvania constitutional requirement for secrecy of the ballot” as well as “several sections of the Pennsylvania Election Code.” Two of the counties surveyed confirmed that the foregoing reflects actual practice, and the third confirmed it in part but reported that the e-mail portal through which blank ballots may be applied for and delivered to UOCAVA voters “has never worked.”
Rhode Island
Rhode Island allows UOCAVA voters to apply for their blank ballots by mail or by facsimile, and to receive blank ballots by mail, facsimile, or via download from a secure website. If no preference is selected, the ballot will be mailed. According to the Secretary of State, if electronic transmission is requested, the ballot must be sent by both electronic means and mail service. Military and overseas voters may return their completed ballots by mail or facsimile, but if the ballot was sent to the voter via electronic means, after being voted upon it must be returned by electronic transmission. Although voters in such circumstances are not required to return the original ballot also, according to the Secretary of State, if a voter returns his or her ballot electronically, the voter “should also send their official ballot in the mail” and “[t]he State Board of Elections will count the [ballot] that they have in their possession at 9 p.m. on election night.” The Board of Elections confirmed this, and added that “[i]f the original ballot is mailed after a copy is faxed, the staff reconciles the ballots so only the original will be counted on Election Day. If the original is never returned, the electronically returned copy will be used instead.”
South Carolina
South Carolina allows all absentee voters to apply for a blank absentee ballot by mail, e-mail or facsimile, but they will receive their blank ballots and must return them by mail. South Carolina allows UOCAVA voters to apply for and receive their blank ballots by mail, e-mail and facsimile. If the voter does not express a preference, the ballot will be mailed. Military and overseas voters may return their completed ballots by mail, e-mail or facsimile. Completed ballots that are returned by electronic transmission must include a signed waiver of the right to a secret ballot. All of the counties surveyed confirmed that the foregoing accurately describes actual practices in South Carolina, but one clarified that not all voters qualify to vote by absentee ballot.
South Dakota
South Dakota allows UOCAVA voters to apply for a blank ballot by mail, e-mail, facsimile, or web portal, and to receive the blank ballot by mail, e-mail or web portal, but not facsimile. If the voter does not express a preference, or if the e-mail address provided does not work, the ballot will be mailed. All completed ballots must be returned by mail. All of the counties surveyed confirmed that the foregoing reflects actual practice.
Tennessee
Tennessee allows all absentee voters to apply for a blank absentee ballot by mail, e-mail or facsimile, but they will be mailed their ballots and must return them by mail. Tennessee allows UOCAVA voters to apply for blank absentee ballots by mail, e-mail or facsimile, and to receive the blank ballots by mail or e-mail, but not facsimile. If no preference is selected, the ballot will be mailed. All completed ballots must be returned by mail. The Secretary of State confirmed all of the foregoing.
Texas
Texas allows all voters to apply for a blank absentee ballot by facsimile, but will only send them the blank ballot by mail, and the completed ballot must be returned by mail. One county surveyed reported that voters are expressly prohibited from returning absentee ballots by hand. Texas allows UOCAVA voters to apply for their blank ballots by mail, e-mail or facsimile. The Secretary of State’s website provides that the blank ballots can be mailed or e-mailed to such voters, but not faxed, while Federal Voting Assistance Program materials provide that blank ballots can be mailed to voters, but neither e-mailed nor faxed. Two counties surveyed clarified that both are essentially accurate, and that “[t]he distinction lies in whether the ballot was requested through [the Secretary of State], or through FVAP,” and that the method of sending it to the voter depended on the method by which it was requested. A third reported that it follows the rules promulgated by the Secretary of State. Texas requires all completed absentee ballots to be returned by mail, provided that members of the armed forces on active duty and their family who are casting the ballot from “hostile fire” pay area, “imminent danger” pay area, or a declared “combat zone” may return their ballots by facsimile “or similar electronic means.” According to the Secretary of State’s website, such ballots may not be returned by e-mail under any circumstances. In addition, according to two of the counties surveyed, completed ballots will only be accepted by facsimile if the ballot is returned through the FVAP, and the FVAP has verified that the voter is in fact sending the ballot from one of the above-mentioned areas. One county surveyed reported that ballots received by facsimile are logged in, placed in absentee ballot envelopes, and then sent to be processed with other absentee ballots; procedurally, a “duplicate [of] the ballot is made on a clean ballot and run through the tabulator,” but “[t]he fax [is] retained, and the number of the duplicate ballot is recorded.” When ballots are returned by facsimile, election officials are required to provide security for the transmission. Notably, however, if the voter returns the ballot electronically before mailing it, it is the paper hard copy that will not be counted. There have been no recent attempts to allow Texans to vote over the Internet, except that astronauts who are in space during the early voting period and on Election Day can vote over the Internet. These voters use NASA’s electronic transmission program to receive ballots, and by way of a secure line to Johnson Space Center, their votes are transmitted to their home counties. During the 2010 midterm election, three astronauts successfully voted from the International Space Station. One Texas county participated in the VOI Project in 2000.
Utah
Utah allows UOCAVA voters to apply for and receive blank absentee ballots by mail, e-mail or facsimile. If the jurisdiction offers it, such voters may also receive their blank ballots via Internet delivery. If the voter does not express a preference, the ballot will be mailed. UOCAVA voters can also return their completed ballots by mail, e-mail or facsimile, provided that if they return the ballots by electronic transmission they must include a statement acknowledging that by doing so they are waiving the right to a secret ballot. Election officials are required to treat voters’ e-mail addresses as private records, to be used only for election purposes. All of the counties surveyed confirmed that the foregoing accurately describes actual practice, but one added that in 2012 the county will be carrying out a program with Everyone Counts, through which “we give [the company] our UOCAVA voters

, they contact them and send them to a personalized website where they login with their personal info such as drivers’ license number to get a ballot;” the voters then “mark the ballot on the computer but they have to print it and scan, mail or fax it. It is not Internet voting because they have to print it out.” Utah does not currently allow voting over the Internet other than the methods described above, but legislation has been passed allowing counties, if selected by the Department of Defense, to participate in any pilot program for military or overseas voters to register and vote online. None of the counties surveyed reported having any plans to participate in an Internet voting pilot project in 2012. One Utah county participated in the VOI Project in 2000, and Utah had also agreed to participate in the SERVE Project in 2004.

Vermont
Vermont allows UOCAVA voters to apply for and receive their blank ballots by mail, telephone, e-mail or facsimile. If the voter des not express a preference, the ballot will be mailed. All completed ballots must be returned by mail, “sealed inside the Absentee Certificate envelope (with the voter’s original signature).” Vermont does not currently allow voting over the Internet or by return electronic transmission. Two of the town clerks surveyed confirmed that the foregoing accurately reflects actual practice, and one reported that it doesn’t e-mail or fax ballots. In March of 2010 the Secretary of State of Vermont publicly distanced herself from attempts to implement Internet voting and described current practices as being neither reliable nor secure.
Virginia
Virginia allows all absentee voters to apply for a blank absentee ballot by mail, e-mail or facsimile, but election officials will only send the blank ballot to the voter by mail, and the voter must return the completed ballot by mail.Virginia allows UOCAVA voters to apply for, and also receive, their blank ballots by mail, e- mail or facsimile. If the voter does not express a preference, the ballot will be mailed. As of January 2012, all completed ballot must be returned by mail; commercial delivery service is allowed but use of a courier is expressly prohibited, as is return by e-mail or facsimile. Virginia also requires a “Voter’s Declaration/Affirmation” to be signed, dated and witnessed by an adult over 18, without which the “vote may not count.” Two of the counties surveyed confirmed the foregoing procedures, although with respect to voter preferences, one county said “[w]e try to bend over backwards to accommodate” UOCAVA voters, and “[i]f they call, we ask as a courtesy,” and another said that UOCAVA voters “are advised that e-mail will expedite the process.”

In 2014 Virginia passed SB11 which requires the State Board of Elections to develop secure electronic ballot return for UOCAVA voters. The first annual report on the feasability and cost of implementation of such a system is due January 1, 2016. In September 2015, the working group posted a draft report available here.

Washington
According to state regulations, Washington allows all voters to return their voted ballots electronically by email, provided they also return the original hard copy with a signed oath, and the hard copy and oath must be received for the ballot to be counted. However, the first ballot to be received is counted (in almost all cases this will be the electronic ballot) and state regulations forbid comparing the electronic ballot to the paper ballot which means the mailed paper ballot will not and cannot provide a security check in case the electronic ballot had been manipulated in transit.

Washington allows UOCAVA voters to apply for and receive their blank absentee ballots by mail, e-mail or facsimile. If the voter does not express a preference, or if the e-mail address provided does not work, the voter will be mailed the ballot. Military and overseas voters, including non-active reservists, may also return their completed ballots by mail, e- mail or facsimile; unlike other voters, are neither encouraged nor required to return the hard copy. Voting materials provided with military and overseas ballots “must include instructions on how to return the ballot by fax, e-mail, or postal mail, including how to include the ballot privacy sheet between the declaration page and the ballot.”

In 2015, a bill was introduced in the Washington legislature to eliminate the requirement for voters who return a ballot by email to also return a paper ballot. Washington had agreed to participate in the SERVE Project in 2004.

West Virginia
West Virginia allows UOCAVA voters to apply for and receive their blank absentee ballots by mail, e-mail or facsimile. If the voter does not express a preference, election officials will choose the method of transmission. Voters may also return their completed ballots by mail, e-mail or facsimile, but if a voter receives the blank ballot by electronic transmission, the voter is required to return the voted ballot using the same method of transmission, or by mail. Voters who use electronic transmission to receive or return their ballots are required to return their ballots with a signed privacy waiver. In addition, the Secretary of State is required to “enter into an agreement with the Federal Voting Assistance Program . . . to transmit the ballots to the county clerks at a time when two individuals of opposite political parties are available to process the received ballots.” All of the counties surveyed generally confirmed the foregoing, with some exceptions and clarifications. With respect to the voters not expressing a preference as to the method of transmission and election officials choosing one, two counties reported that the county would just mail the ballots, and one added that “it’s the safest method.” With respect to the method of return transmission, one of the counties reported that “so far [it] hasn’t sent any [ballots] by fax” and that “[t]he majority of absentee ballots are by mail.” West Virginia enacted a statute in 2009 to establish a pilot program for Internet voting. In 2010, this pilot project was instituted for the primaries and the general election. Eight counties allowed military and overseas voters to cast their ballots using an uncontrolled transmission channel, electronic ballot return via web application, and e-mail and facsimile.” Security for this connection was provided by requiring voters to use a username and password, and having them send the ballot back through a “military-style encrypted connection,” but otherwise allowing them to vote using any computer.” In the primary 54 web-based votes were cast, and in the general election 125 web-based votes were cast. Statutory requirements for the system included, but were not limited to, requirements that the system “[alert] administrator of suspected efforts at fraud (including repeated guesses of passwords, excessive votes from a single PC); provide for secret balloting while “[providing] no way for anyone (even vendor employees) to determine how an individual voter voted;” and allow third parties to monitor the software while elections are ongoing. According to the Secretary of State, electronic return of ballots through the Internet will not be permitted in 2012.
Wisconsin
Wisconsin allows all absentee voters to apply for blank absentee ballots by mail, e-mail or facsimile, provided that if they apply for the ballot electronically they must return the original signed application with the voted ballot by mail. Wisconsin allows UOCAVA voters to apply for and, “if the elector is a military elector,” receive their blank ballots by e-mail or facsimile in addition to mail. If no preference is selected, the voter will be mailed the ballot. All completed ballots must be returned by mail. All of the counties surveyed confirmed the foregoing, and confirmed in particular that voters who are overseas but not serving in the military cannot receive their ballots electronically. Wisconsin issued a five year plan in 2009 that included calls to study several proposed changes to the way people vote in Wisconsin, including the expansion of voting to mail, phone, and the Internet. The plan notes that many of the proposed changes would need to be approved by the Legislature and Governor, which had not occurred as of the end of 2011.
Wyoming
Wyoming allows all absentee voters to apply for a blank absentee ballot by mail, phone or e- mail, but their blank ballots will be mailed to them and must be returned by mail. Wyoming allows UOCAVA voters to apply for a blank absentee ballot by mail, phone, e- mail or facsimile, but to receive their blank ballots only by mail. The State Election Director reported that all counties are required to send blank ballots to UOCAVA voters by e-mail if requested by the voter in addition to mail. All absentee ballots are required to be returned by mail.


If I Can Shop and Bank Online, Why Can’t I Vote Online?

by David Jefferson, Computer Scientist, Lawrence Livermore National Laboratory 1 ], member, Verified Voting Foundation Board, Board of Directors, California Voter Foundation

There is widespread pressure around the country today for the introduction of some form of Internet voting in public elections that would allow people to vote online, all electronically, from their own personal computers or mobile devices. Proponents argue that Internet voting would offer greater speed and convenience, particularly for overseas and military voters and, in fact, any voters allowed to vote that way. However, computer and network security experts are virtually unanimous in pointing out that online voting is an exceedingly dangerous threat to the integrity of U.S. elections. There is no way to guarantee that the security, privacy, and transparency requirements for elections can all be met with any practical technology in the foreseeable future. Anyone from a disaffected misfit individual to a national intelligence agency can remotely attack an online election, modifying or filtering ballots in ways that are undetectable and uncorrectable, or just disrupting the election and creating havoc. There are a host of such attacks that can be used singly or in combination. In the cyber security world today almost all of the advantages are with attackers, and any of these attacks can result in the wrong persons being elected, or initiatives wrongly passed or rejected.

There is no way to guarantee that the security, privacy, and transparency requirements for elections can all be met with any practical technology in the foreseeable future

Nonetheless, the proponents point to the fact that millions of people regularly bank and shop online every day without apparent problems. They note that an online voting transaction resembles an ecommerce transaction, at least superficially. You connect your browser to the appropriate site, authenticate yourself, make your choices with the mouse, click on a final confirmation button, and you are done! All of the potential attacks alluded to above apply equally to shopping and banking services, so what is the difference? People ask, quite naturally, “If it is safe to do my banking and shopping online, why can’t I vote online?” This is a very fair question, and it deserves a careful, thorough answer because the reasons are not obvious. The answer requires substantial development to explain fully, but in brief, in can be summarized:

1. It is not actually “safe” to conduct ecommerce transactions online. It is in fact very risky, and more so every day. Essentially all those risks apply equally to online voting transactions.

2. The technical security, privacy, and transparency requirements for voting are structurally different from, and actually much more stringent than, those for ecommerce transactions. Even if ecommerce transactions were safe, the security technology underpinning them would not suffice for voting. In particular, the voting security and privacy requirements are unique and in tension in a way that has no analog in the ecommerce world.

E-Commerce transactions are not, in fact, “safe”

Why do security experts say that ecommerce transactions are not safe when millions of people do them every day, mostly without problems? The question needs to be refined: “Safe for whom?” and “What degree of safety is required”? E-Commerce transactions may be relatively safe for consumers, but they certainly are not safe for financial institutions or merchants.2 Banks, credit card companies, and online merchants lose billions of dollars a year in online transaction fraud despite huge investments in fraud prevention and recovery. People have the illusion that ecommerce transactions are safe because merchants and banks don’t hold consumers financially responsible for fraudulent transactions that they are the innocent victims of. Instead the businesses absorb and redistribute the losses silently, passing them on in the invisible forms of higher prices, fees, and interest rates. Businesses know that if consumers had to accept those losses personally most online commerce would collapse. Instead, they routinely hide the losses, keeping the magnitude secret so the public is generally unaware. It’s a good business strategy.

There are many techniques for ecommerce fraud that are directly applicable to online voting. A common pattern starts with theft of credentials, e.g. names, account numbers, credit card numbers, passwords, or the answers to personal challenge questions. The theft can be initiated through phishing scams, drive-by malware installation, or other means, and such tricks can just as easily be used to steal online voting credentials as well. Recently a new botnet named Zeus has been in the  news that installs malware on PCs.3 Zeus is specifically designed to wait until you connect to your bank and then it steals your bank password or PIN as you type them into your browser. The botmasters use those credentials to transfer money out of your accounts and to fake your online financial statements to hide the theft (for a while at least). It makes no difference that you have a “secure” connection to your banking site because the malware operates inside your computer and can see and modify everything you type in the clear, before it is encrypted for transmission down the “secure” connection. There are now illicit businesses that help other people set up Zeus botnets, or rent time on a botnet already created.4

Most people, however, are completely unaware of these threats.

Zeus exemplifies what could just as easily happen if online voting becomes widespread. Eventually someone, perhaps a partisan political operative or a foreign intelligence agency, will deploy a similar botnet to infect thousands of voters’ computers and modify their votes invisibly as they are being transmitted. Again, having a “secure” connection to the remote election server will make no difference. There is no effective way to prevent such an attack, and no effective recovery. Banks, online merchants, and high tech companies that do business online have huge security budgets to defend themselves against cyber attacks, and even so they are frequently victimized. If these organizations with such great expertise and capability in computer and network security can be successfully attacked, then no voting system vendor or local election administration has any realistic chance of successfully defending against similar threats.

We have to recognize that the cost to the attacker of conducting a remote online attack has declined drastically over the last few years as various programming templates, libraries, and toolkits for malware production have become widely available. One recent study demonstrated that it was possible to duplicate even very sophisticated attack vectors like Stuxnet, the malware that did great damage to Iranian nuclear facilities, in about two months time for under $20,000. We are now in a very different threat environment than we were even a few years ago.5

What level of security is sufficient to protect elections? The scale of fraud that ecommerce and electoral systems can tolerate are very different. In the ecommerce world if one out of every thousand ecommerce transactions is lost or is fraudulent it is not really a vital concern. Banks, merchants and purchasers routinely deal with online revenue losses over 10 times higher than that,6 and have many tools to deal with the loss. As unjust and frustrating as it may be, no catastrophic global consequence ensues from a small ecommerce fraud rate. Ecommerce markets are relatively robust, i.e. not overly sensitive to small-scale losses. But in the voting world we are all familiar with the cases where, within about one decade, a senator, a governor, and a U.S. president were all elected by margins much smaller than one vote in a thousand. Small changes in vote totals sometimes have very big, even global consequences, and can push a whole city, state or nation in a new direction. Elections outcomes are thus very sensitive to small errors or frauds in a way that ecommerce systems simply are not. Election security is thus a matter of national security, and the security standards have to be designed to reliably prevent, detect, and correct even very small problems and attacks. That level of security and reliability is neither needed nor cost effective for ecommerce systems.

Voting security, privacy, and transparency requirements are structurally different from those for E-Commerce transactions 

The second point of our argument is that the security, secrecy, and transparency requirements for online voting transactions are structurally very different from, and generally much stricter than, those for E-Commerce transactions. The security mechanisms that make ecommerce transactions relatively safe for (consumers at least) are not sufficient to guarantee the safety of online voting.

The first major distinction is that we can at least eventually detect E-Commerce errors and fraud, but we may never even know about online election fraud.7 In the E-Commerce world problems are reliably detected because of such practices as receipts, double entry bookkeeping, and financial audit records kept by both sides of every major transaction. But in the online election world there are no receipts, no double entry bookkeeping, and no meaningful audit trail information. Security experts routinely call for an independent, end-to-end audit trail that can be used to verify that the electronic ballots received by election officials are identical to those the voters sent, and that none were forged, lost, or modified in transit. But the only reliable way to accomplish this with current technology is for voters to send paper copies of their ballots back to their local election officials along with a signed attestation, and for the officials to use those copies in a formal risk limiting audit procedure.8

That would solve most of the security problems associated with online voting (though not the privacy problems). But most advocates of Internet voting oppose such a paper-based audit requirement because the additional burden on voters to mail back paper copies of their ballots and signed attestations is essentially equivalent to sending an ordinary paper absentee ballot. Yet without a meaningful end-to-end audit trail a well-constructed attack may lead to the attackers’ choice of candidates being elected and there may well be no way to know that anything happened at all. Even if there is suspicion of a problem there will be no way to prove or disprove it. And because of ballot secrecy even if there were strong evidence that particular persons cast illegal ballots, or their ballots were tampered with, officials cannot know which ballots to remove from the count. Hence, fraudulent online voting will most often be undetectable and almost certainly uncorrectable even if detected.

Vote fraud is much less manageable than ecommerce fraud. There is no election analog to the natural business practice of “spreading the cost” or “spreading the risk”. There is no way to pass on to other voters the “losses” due to illegal ballots cast by ineligible voters or attackers, or to recover votes changed by malicious software. There is no “insurance” that one can buy to cover those losses. There is just no way to compensate for damage done to an election.

There are several ways in which the security requirements for voting are strictly stronger than those for financial transactions. Eligibility checking is one. In the E-Commerce world essentially anyone including criminals, non-citizens, and minors, is allowed to buy and sell online. Non-human entities, e.g. corporations, government agencies, and estates, are free to engage in E-Commerce transactions as well. And there are usually no residency requirements for E-Commerce transactions. But all such factors play a role in determining eligibility to vote.

Then there is the issue of proxy transactions. In the E-Commerce world you can freely authorize someone else to act as your agent for purchases or funds transfers, or your may authorize others to spend funds from your accounts simply by giving them your credit card number and security code, and/or your PIN or password. By doing so you take responsibility for the consequent risk. For larger transactions you can accomplish the same thing by setting up a joint bank account, signing a contract, appointing a trustee or guardian, giving power of attorney, etc. But in the voting world you are never permitted to transfer your right to vote to anyone else, at least not in the U.S. No one is legally allowed to act as your proxy to vote for you, not even your spouse, and not even with your written permission.

The prohibition of double voting is a third election security requirement that has no analog in the E-Commerce world. A person is free to engage in as many E-Commerce transactions as he pleases but the rule of one person, one vote is fundamental. The double vote check is actually complex because it has to cover not just voting a second time online (which is easy to prevent), but also voting a second time by paper absentee ballot or in person at the polls.

Because of the need for eligibility checking, proxy vote prevention, and double vote prevention we are required to verify the actual identity of voters. In contrast for an E-Commerce transaction we only have to verify that the person doing the transaction is authorized to use a suitable financial account, which is a much lower requirement. We need a strong identity verification procedure for online voting because if an attacker can figure out how to cast one illegal vote online through a weakness in the identity verification, then he can probably automate that attack to allow thousands of phony votes to be recorded. But reliably verifying the actual identity of a potential voter remotely through the Internet is a difficult and unsolved problem in the U.S. The U.S. does not issue national identity cards with private keys embedded in them, and even if it did today’s computers and mobile devices are not equipped with devices to read them securely. Nor do election jurisdictions keep a database of faces, fingerprints, or other biometric data about registered voters, and once again even if they did computers today are not equipped to read and transmit them securely. It is not sufficient for the voter to just present a PIN number or password or the answer to a challenge question (e.g. “What city were you born in?”). Any such data might be given away, guessed, stolen, or sold, and thus does not constitute sufficient proof of identity because the danger of automated online buying and selling or stealing of such voting credentials is a major concern.

In most states voters prove their eligibility to vote when they register and then provide an ink signature sample for use later in authenticating the voter. Voters prove their identity when they vote, either at the polls or via paper absentee ballot, by duplicating that ink signature on record. Some states are now going further and requiring voters to provide photo ID documents at the time of voting. But we cannot get a wet ink signature from a voter through the Internet to compare against the registration records, nor can the voter present his or her face along with a matching photo ID or passport. As of now there is no reliable infrastructure in place to verify over the Internet the actual identity of a person sitting at a PC or holding a mobile device.

There is no comparable requirement for ecommerce transactions. No real proof of identity is required. All that is really required to do an online transfer of funds out of your bank account is knowledge of the name, account number, and password or pin associated with the account, but there is no check of the actual identity of the person doing the transaction. Or, as another example, consider that when you sign up for an ecommerce account, e.g. at Amazon.com, they ask for your name and address, but they do not ask for a picture, or an ink signature, or your driver’s license, or passport or other proof of identity. They never really check those, and they have no way to do so. After creating an Amazon account all that is really required to make a purchase is reasonable evidence that you are in possession of some (any!) valid credit card, usually demonstrated by giving the name on the card, and the account number, security code, expiration date, and password or pin. If those numbers are validated by the credit card company and the account is not over its limit then the transaction is allowed. If the credit card turns out later to have been stolen, the problem will be sorted out after the fact.

The privacy requirements for ecommerce and voting transactions are also fundamentally different. An ecommerce transaction is generally symmetric between buyer and seller, with both parties in theory fully aware of all the details of what is being bought and sold, for what price, with what warranties, and who has what rights to void the transaction, etc. For larger transactions there is usually an exchange of official paper receipts with names, dates, prices, conditions, and other transaction details so that in case of a dispute either the buyer or seller can prove to a third party (e.g. a court) exactly what the transaction was supposed to be so the dispute can be resolved.

But it cannot be the same with voting transactions. While the voter of course knows the details of his votes, election officials must not. Officials know the names of those who voted, and the contents of the cast ballots, but they are never supposed to know exactly who cast which ballot. This is a requirement for information suppression, a partial blindness on the part of one side in the transaction that has no analog in the E-Commerce world. Furthermore, although each voter knows how he personally voted and is free to tell anyone, he is not allowed to have any proof of how he voted that could convince a third party. This is the most powerful protection we have against the threat of vote selling and vote coercion, and is unique to voting. I know of no other security situation in which people are completely free to disclose a fact that they know (how they voted), but are not permitted to have any proof of that fact that can convince someone else that they are telling the truth. In tis respect voting privacy requirements are almost the opposite of E-Commerce privacy expectations in which both sides generally insist on possessing proof of the details of a transaction.

The unusual vote privacy rules have strong consequences that we cannot avoid. As noted earlier, if for some reason officials learn after the fact that a particular person has succeeded in casting an illegal ballot there is no way to find it to remove it from the count. In the U.S. and most other countries once a voting transaction is complete it cannot be undone even in principle because the information needed has been deliberately lost. In that sense a voting transaction is irreversible. In the E-Commerce world, however, we go to some lengths to make sure most transactions are reversible in case it is found to be erroneous or fraudulent, or if goods are damaged, or sometimes even if one party simply has second thoughts. Money and merchandise can be returned, and records can be corrected. For that reason people feel free to take prudent risks with online financial transactions based on the reputation of the merchant or the credit history of the buyer. But there is no concept of “reputation” or “credit worthiness” in the election world to help manage risk. These differing vulnerabilities to failures and fraud lead to very different security approaches in online transaction software. For election security there is a very strong imperative for up front, absolute prevention of errors and fraud. For ecommerce there is usually much reduced need for strong security barriers up front because problems can usually be corrected later.The flip side of privacy is openness or transparency. Once again, the requirements are completely different for E-Commerce and for online voting. In the ecommerce world a person buying something online is entitled to know everything about his particular transaction, but nothing about other people’s transactions. A buyer is not entitled to know how many other transactions there are, what the merchant’s revenues or profits are, who else the merchant sells to, or what price others pay for the same goods or services, and he has no right to audit the books of the merchant he is dealing with.

In the voting world, however, most of this is reversed. Complete election information is (or should be) open to all. Election officials report not just the names of the winners, but also exactly how many votes were cast and how many each candidate received down to the precinct level. The list of exactly who voted is also usually public, and in some jurisdictions so are the original ballot images. In principle all information bearing on the outcome of an election that does not compromise vote privacy is (or should be) public. Candidates, parties, and the public are entitled to participate in open audits, challenges, and recounts so that everyone, especially losing candidates, can be satisfied that the election was conducted according to law and the votes were counted accurately. Election officials are thus accountable to candidates and voters for the integrity of every relevant detail of an election, whereas merchants are usually accountable only to buyers, and then only for each buyer’s own transactions.

The pattern of motivation for fraud is profoundly different between the commercial and electoral worlds. In an E-Commerce situation all transactions are essentially independent. A buyer hasno particular incentive to spoil or tamper with another buyer’s online purchase since two buyers rarely have conflicting interests. In any case the problem would almost certainly be detected and corrected. And it is hard to imagine a motive for another nation to bother messing with many Americans’ E-Commerce transactions. But the situation is completely different with voting transactions. There is a powerful partisan incentive to block or change other people’s votes, especially if it can be done without detection. The motivation to automate that process to affect thousands of online votes is that much greater. Such attacks can be done for tens of thousands of dollars or less, while the monetary value of changing the outcome of an election can be hundreds of millions of dollars or more, and the non-monetary value can be immense as well. With Internet voting the danger is actually much worse because anyone on Earth, including foreign governments, could derive great benefit from tampering with with U.S. elections, especially since it is unlikely they will be caught or brought to justice. Online voting is thus a national security risk in a way that E-Commerce simply is not.

The sum of all of these considerations is simple. The security, privacy, and transparency requirements for online voting are much more complex and stringent than they are for E-Commerce transactions. The acceptability of small losses and the strategies for managing risk are very different between the two. And it is hard to grasp the full implications of the fact that online elections might be compromised and the wrong people elected via silent, remote, automated vote manipulation that
leaves no audit trail and no evidence for election officials or anyone else to even detect the problem, let alone fix it. These ultimately are the reasons we cannot provide satisfactory security for online voting even though we can for online commerce.


What About Email and Fax?

In recent years many States have begun to allow military and overseas voters to cast ballots by fax or as email attachments. Neither the Internet itself, nor voters’ computers, nor the email vote collection servers are secure against any of a hundred different cyber attacks that might be launched by anyone in the world from a self-aggrandizing loner to a foreign intelligence agency. Such an attack might allow automated and undetectable modification or loss of any or all of the votes transmitted. While all Internet voting systems are vulnerable to such attacks and thus should be unacceptable to anyone, email voting is by far the worst Internet voting choice from a national security point of view since it is the easiest to attack in the largest number of different ways.

The computer security research community in the U.S. is essentially unanimous in its condemnation of any currently feasible form of Internet voting, but most especially of email voting. Verified Voting strongly urges legislators in states considering e-mail voting to request testimony from other independent computer network security experts who are not affiliated with or paid by any voting system vendor. Email voting is extremely dangerous in ways that people without strong technical background are not likely to anticipate.

Problems with the E-mail transmission of Voted Ballots

1. Lack of privacy: Emailed ballots are always transmitted essentially in the clear, never encrypted. (The exceptions to this generalization do not apply to email carrying ballots. The reasons for this are technical, but they will not change in the foreseeable future.) Most state statutes that allow email voting bill explicitly recognizes that it is impossible to guarantee vote privacy with email voting, and require voters, if they choose email their voted ballots to their election officials, to sign an affidavit waiving the anonymity of their votes. It is common for national intelligence agencies (including our own) to collect and store all email that crosses national boundaries, and that would include emailed ballots along with the names of the voters and related information. Also, many voters (including military voters) get their email service through their employers who legally reserve the right to inspect all incoming and outgoing email.  So voters should be aware that their votes are not guaranteed to be private, and in many cases they are almost guaranteed not to be private.

2. Vote manipulation while in transit: –That email is not encrypted does not just compromise voter privacy. Without encryption, emailed ballots can be easily modified or manipulated en masse while in transit from the voter to the local election officials.  Email is transmitted from router to router, and from forwarding agent to forwarding agent along the transmission path, through infrastructure that belongs to various corporations and national governments.  It is trivial for any IT person who controls one of these routers or forwarding agents to filter, out of the vast stream of email, exactly those emailed ballots addressed for a chosen set of election email servers (such as county servers in one or more states that are of interest to the attacker), and then to automate a process to either discard ballots that contain votes she does not like, or replace them with forged ballots that she likes better, all the while keeping the voter’s signed waiver and envelope attachments intact.  Such malicious activity would only result in a transmission delay on the order of one second or so. This is anything but difficult.  There are thousands of people in the U.S. who have the skill and are in a position to do this easily for at least some ballots, and vastly more in other countries.  Unless all of the received ballots are made public on a web site associated with the names of the voters who cast them there would be absolutely no way to detect this on-the-fly ballot manipulation.  Neither the voter nor election officials would be able to notice any irregularity.

3. Server penetration attacks: Even in the ideal and highly unlikely instance that e-mailed ballots are strongly encrypted in transit from the voter to the election official; anyone in the world can mount a remote attack on the server collecting emailed votes.  If the attackers are competent and determined there is essentially no chance that they will fail (despite the common overconfidence of the IT staffs running servers).  Every major high tech company in the US, and most government agencies have been victims of such attacks, including RSA, Google, and the White House.  These are organizations with security expertise and infrastructure dwarfing that of any voting system vendor or election administrator.  Just last October the Washington, D.C. Board of Elections and Ethics (BOEE) was forced to cancel its planned November Internet election because security researchers proved that they could easily penetrate the BOEE network while sitting at the University of Michigan.  They were able to take complete control of all the voted ballots and replace them all with phony ones.   University of Michigan Prof. Alex Halderman, who led the team of researchers that conducted the  DC hack, has published a concise account of the DC hack.

4. Ballot files can carry malware into the election network: Most state legislation enabling email voting does not specify what types of files the emailed ballots, and waivers must be.  But for various reasons vendors and election officials almost always opt to allow PDF (Portable Document Format, by Adobe).  Most people are familiar with this file type, of course, but it is not widely known to the general public that PDF has one of the longest security rap sheets of any document type.  In particular, innocent looking PDF files are able to carry very dangerous malware that can open a backdoor to remote control of the election network.  Once the vendor or local election officials set up a server to receive email ballots they are opening themselves up to a PDF attack that anyone on Earth can launch by sending a specially constructed PDF “ballot” that is infected with malware.  Once the ballot is opened the malware instantly does its work.  There are ways to partially ameliorate this vulnerability (but only partly).  However, even partial ameliorations greatly increase the development cost and operational complexity of the vote collection infrastructure.

5. Voters’ computers infected with malware: As if the unacceptable and largely immitigable risks described above were not enough to discredit email balloting, we have not yet addressed one of the most certain sources of malware: the voters’ own computers.  As most users of the Internet are now aware, our personal computers are routinely infected with malware from all over the world.  If email voting becomes common I would fully expect that some enterprising malware designer will decide to create and spread and sell (!) a malware module that sits silently on a voter’s computer doing nothing at all until he sends an email to one of the particular addresses that is used to collect  ballots, at which point it will modify the To: address just as the email leaves the computer to send the ballot to the malware-designer’s own shop for inspection and modification before forwarding it on to election officials at home.  Again, I implore election administrators and lawmakers to reject assurances that such an attack is hard.  It takes a little more skill than some of the other attacks, but it is much harder to detect and prevent than the attacks on vote servers, and is well within the competence level of the attackers who carried out the Google hack and numerous other attacks against highly protected corporate and government computer networks, If I were a cyber attacker in a country that is a U.S. rival I would use an attack like this (among others).

6. Denial of service attacks: Email can be subject to denial of service attacks.  It is easy, for example, to have a million emails sent to the voting email address, vastly swamping the relatively small number of legitimate ballots that a jurisdiction might expect and possibly crashing its server or overloading its routers.  Anyone who owns or rents a large botnet (a collection of infected PCs controlled by one criminal or organization) can do this in minutes from the safety of overseas locations that are untraceable and out of reach of U.S. law.  This might be just a huge nuisance attack.  But if it lasts for the final hours of Election Day, the emailed ballots arriving during those hours will be delayed until it is too late to count them (as specifically mentioned in this bill) and thousands of voters can be disenfranchised.  (A related denial of service attack happened in a Canadian election in 2003.  Today it would be much easier to launch a much larger attack.)

7. Email ballots are unauditable; attacks are undetectable and irreparable: Email ballots, like those cast on paperless electronic voting machines in polling places, are completely unauditable in any meaningful way.  There is no way, even in principle, to verify that the electronic ballot that arrives at the election server is the same as the one the voter intended to send.  The above attacks (except for denial of service) are likely to be completely undetectable.  The wrong persons might be elected, the wrong initiatives passed or rejected, and no one would ever know. Even if some attacks were somehow detected, there is no way to know whose votes were modified or discardedso there is no way to repair the damage!

8. Multiple simultaneous attacks: Like all other forms of Internet voting, email elections need not be attacked by just one person or organization at a time.  Multiple independent attacks by people who may not even be aware of each other could be simultaneously directed at the same email election from anywhere in the world.  This make effective defense, already essentially hopeless, even more difficult

9. These facts will not change: These vulnerabilities are facts about email voting.  They are fundamentally built in to the architecture of email, of the Internet itself, and of the PCs and mobile devices that people vote from, and are not going to change for as far ahead into the future as anyone can see.  Anyone’s security claims to the contrary should be treated with extreme skepticism.  No amount of encryption (even if it were used for some parts of the voting infrastructure), no amount of firewalling, no use of strong passwords or two factor authentication, no amount of voter signature checking, and no other security tricks of the trade are sufficient to materially change these facts.

Similar problems with FAX voting

The issues raised above security concerns specifically addressed email voting, but almost identical considerations apply to FAX voting. While FAX and email seem superficially different, they are in fact very similar from a security point of view.  Faxes are sent unencrypted; they are forwarded from switch to switch within the telephony infrastructure of many private and national corporations; they are subject to absolutely trivial denial of service attacks. The similarity is so great that there is a FAX analog for every one of the email vulnerabilities listed above.  Moreover, with the increasing popularity of Web-based services such as eFax, FAX is increasingly a Web-based, rather than a telephony-based, process, rendering distinctions between FAX and email voting less relevant each year.

The move toward Internet distribution of blank ballots

It is clear that overseas and military voters experience barriers that are largely associated with mail delays. While there are a number of cyber security issues regarding the electronic transmission of blank ballots to voters via the Internet, those issues are much more manageable than those for the electronic return of voted ballots.  I suggest that election officials and lawmakers consider a program to reduce overseas mail delays by allowing voters to download blank ballots from a web server, then print them, mark them, and mail them back to local election officials. Such a process will eliminate at least one transoceanic mail delay and also eliminate the need to have accurate addresses for military on the move in the field.  It will go a long way to relieving the problems of overseas voters without endangering the security of the entire election.

For these reasons Verified Voting strongly urges states that do not currently provide for email voting not to start down that path. In my professional opinion this path leads only to a major risk to U.S. national security, exposing our elections to easy manipulation by anyone in the world.

David Jefferson is a computer scientist and researcher at Lawrence Livermore National Laboratory in California where he studies cyber security and ways to protect the nation’s military, civilian, and government networks from cyber attack.  He is also the Chairman of the Board ofVerified Voting, and has been studying electronic and Internet voting for over a decade, advising five successive California Secretaries of State on voting technology issues.



Legislation

The most important aspect of a voting system, with respect to accuracy, integrity and security, is whether or not it is independently auditable. That is, the very prerequisite to accuracy, integrity and security in today’s voting technology is that there be a voter-marked paper ballot, or at least a voter-verifiable paper audit trail (VVPAT), for every vote cast. This ensures that election officials will have something they can use to confirm whether or not the electronic tallies produced by the voting system accurately reflected the intention of the voters.

Computerized voting equipment is inherently subject to programming error, equipment malfunction, and malicious tampering. It is therefore crucial that voting equipment provide or require the use of a permanent record of each vote that can be checked for accuracy by the voter before the vote is submitted, and is difficult or impossible to alter after it has been checked. Many of the Direct Recording Electronic (DRE) systems used in the US do not satisfy this requirement. Requirements for VVPAT have been established in a majority of states through legislation or through executive. Several States, while not formally requiring VVPAT, have nevertheless chosen to employ paper ballot systems voting systems. Three States (Maryland, New Jersey, and Tennessee) have enacted laws requiring VVPAT but have delayed implementation. (Click to enlarge the map above to see what states have passed requirements for a voter verified record. The relevant legislation in each State can be viewed on the right.)

The two most commonly used forms of these independent records are paper ballots, which are filled out by the voter (“voter-marked”) either manually or through the use of an assistive interface known as a ballot marking device, and can be tallied by a scanner or counted by hand, and VVPATs, which are contemporaneously printed by DRE voting machines. Sighted voters who use DRE voting machines with paper trails have the opportunity to review a paper record of their vote before casting it. Voter-marked paper ballots and VVPATs should be treated as the vote of record in all counts, audits and recounts where practicable. If DRE systems remain in use, they should not be used without a VVPAT printer, guidance to ensure that voters check the paper records for accuracy when voting; and sufficient emergency paper ballots on hand in case of machine failures or malfunctions. Sixteen states use DRE voting machines without a software independent voter-verifiable paper record as the standard polling place equipment in some or all counties. In these states, there is a risk that vote totals could be corrupted or lost, disenfranchising voters.1

Paper Ballots or VVPAT?

Voter-Marked Paper Ballots offer superior records for the following reasons:

Paper ballots provide better audit and recount records. While no voting system is perfect, the authors believe that paper ballots marked manually by the voter or through the use of an assistive ballot marking device can create superior records to be used in audits and recounts. When a voter manually marks a ballot, he or she tends to check it in the process of marking it. When a voter marks a ballot using an assistive ballot marking device, that device enables the printed marked ballot to be reviewed through audio readout, by re-inserting the ballot into the device. In contrast, if the DRE prints a VVPAT, it only becomes “voter verified” if the voter knows –and takes the time– to check it.

Most currently available VVPATs are small, usually viewable through a small window on the voting machine, and the font in which they are printed is also small. This makes them much harder to read than a full size ballot, decreasing the likelihood that all voters will confirm them. That compromises the value of VVPATs as audit records as compared to voter-marked paper ballots. In addition, paper ballots must be sturdy enough to be fed through a scanner and are therefore generally more durable than, for example, standard copier paper. That makes them easy to handle and unlikely to be damaged during even multiple hand-counted audits and recounts. In contrast, the VVPATs currently in use are less durable than standard copier paper, more fragile, subject to loss of data if exposed to heat, and more difficult to handle during a hand-count audit, because they are generally printed on thin paper similar to that used to print receipts from ATMs or cash registers. This further compromises their value as audit records as compared to voter-marked paper ballots.

VVPATs are not accessible audit records, while paper ballots marked by accessible ballot marking devices can be. With a VVPAT-equipped DRE, only the DRE itself is accessible to voters with disabilities; currently systems do not provide audio read-back of the printed record for voters with limited or no vision. Some voters with limited or no vision can currently verify a paper record through the use of assistive ballot marking technology, which enables audio readback of the voter’s choices from the printed and marked ballot. 

Software Independence in Voting Systems

“A voting system is software-independent if an undetected change or error in its software cannot cause an undetectable change or error in an election outcome.”

In response to the concern that software errors in voting machines could result in inaccurate readings of votes, or votes being lost entirely, the Technical Guidelines Development Committee of the Election Assistance Commission recommended new standards (although this proposal has not yet been adopted) for future voting systems that would require voting systems to produce a voter-verifiable voting record that is independent of the software. A voting system that is not software-independent is said to be software-dependent it is, in some sense, vulnerable to undetected programming errors, malicious code, or software manipulation, thus the correctness of the election results are dependent on the correctness of the software. In terms of currently available voting technology, when there are no voter marked paper ballots or voter verified paper records of the vote, systems are considered “software dependent” and therefore not independently auditable.

The history of computing systems is that, given improvements and breakthroughs in technology and speed, software is able to do more and thus its complexity increases. The ability to prove the correctness of software diminishes rapidly as the software becomes more complex. It would eff ectively be impossible to adequately test future (and current) voting systems for aws and introduced fraud, and thus these systems would always remain suspect in their ability to provide secure and accurate elections. A software-independent approach to voting systems will provide voters with an assurance that errors or fraud in election results can reliably be detected. (Ronald L. Rivest and John P. Wack, On the notion of “software-independence” in voting systems, 2008)

The Verified Voting Resolution on Electronic Voting

In 2003, Verified Voting founder David Dill began circulating the Resolution on Electronic Voting, a petition now signed by thousands of computer science professionals, attorneys, politicians, voting rights experts, and citizens. The cornerstone of this campaign was a demand that all direct-recording electronic voting machines be equipped with a voter-veried paper trail.

The resolution reads: As a result of problems with elections in recent years, funding is being made available at all levels of government to upgrade election equipment. Unfortunately, some of the equipment being purchased, while superficially attractive to both voters and election officials, poses unacceptable risks to election integrity – risks of which election officials and the general public are largely unaware. We are in favor of the use of technology to solve difficult problems, but we know that technology must be used appropriately, with due attention to associated risks. For those who need to upgrade, there are safe, cost-effective alternatives available right now, and the potential for vastly better ones in the future. For these reasons, we endorse the following resolution:

“Computerized voting equipment is inherently subject to programming error, equipment malfunction, and malicious tampering. It is therefore crucial that voting equipment provide a voter-verifiable audit trail, by which we mean a permanent record of each vote that can be checked for accuracy by the voter before the vote is submitted, and is difficult or impossible to alter after it has been checked. Many of the electronic voting machines being purchased do not satisfy this requirement. Voting machines should not be purchased or used unless they provide a voter-verifiable audit trail; when such machines are already in use, they should be replaced or modified to provide a voter-verifiable audit trail. Providing a voter-verifiable audit trail should be one of the essential requirements for certification of new voting systems.”

Read More About The Resolution on Electronic Voting

Federal Legislation

The Help America Vote Act of 2002

While several legislative proposal were introduced after the 2000 Election, it was only after problems with the new touch-screen voting machines in Miami-Dade County in the 2002 Florida Primary that Congress passed the Help America Vote Act of 2002 (HAVA.) This act provided a huge infusion of cash so that states could buy new voting equipment and to update voter registration databases. Many states moved quickly to purchase high-tech electronic voting systems, buoyed by the assurance that they were accurate, accessible, reliable, and secure.

Unfortunately, these assurances turned out to be overly optimistic at best, and misleading at worst. In their eagerness to have the most modern and best election equipment, and to take advantage of almost $4 billion in federal funding, well meaning election officials were quick to accept the claims of voting system vendors. Few questions were asked about crucial issues. How secure and accurate are these machines? How easy are they to use? How could an election audit or recount be conducted? There was little or no consultation with independent technical experts on these questions, and remarkably little scientific research. The implicit assumption appears to have been that no recount would ever be needed, because the new systems were so completely secure and reliable that there would no longer be any reason to challenge an election result.

HAVA also created the Federal Election Assistance Commission (EAC) to oversee both the disbursement of federal funds and the development of new voting machine standards. However, the rst EAC Commissioners were not appointed until December 2003. The EAC had insucient funds to properly oversee the disbursement of $1.495 billion allocated in fiscal year 2003 to buy voting systems, a matter of great concern to EAC Chair, DeForest Soaries. The Technical Guidelines Development Committee, charged by HAVA with writing new voluntary voting system standards, was not even empaneled until June 2004. Meanwhile, states were supposed to have replaced their voting systems by the November 2004 elections, or January 2006 at the latest.

Instead of the promised major reform, HAVA engendered new kinds of election problems. Although DREs had been in use since the 1980s, an unrealistically short deadline, together with a lack of reasonable standards, triggered a massive deployment of faulty, flawed, and expensive equipment. This deployment has led to security and integrity crises for which there are no clear-cut legal remedies.

The Voter Confidence and Increased Accessibility Act

On May 22, 2003, Rep. Rush Holt (D-NJ) introduced The Voter Confidence and Increased Accessibility Act of 2003 (H.R. 2239) which called for a) a voter-verified paper record suitable for a manual audit, b) no undisclosed software, and c) manual mandatory random audits of the voter-veried paper records for federal elections in 0.5% of each state’s jurisdictions. Had the bill passed, paper records and audits would have been required for the November 2004 election, and verifiable voting systems would have been made available for voters with disabilities by January 1, 2006, earlier than mandated by HAVA. While generating considerable support and serving as a model for legislation in several States, HR 2239 was never scheduled for Committee action or a floor vote.

In early February 2005 Holt introduced a second version of his bill. H.R. 550 would have taken effect in time for the next Federal election, which would have been the November 2006 mid-term elections. The legislation also required a voter-veried paper record and random manual audits|this time in 2% of all jurisdictions. It again prohibited the use of undisclosed software, wireless communications devices in voting systems, and voting machine components connected to the Internet. The most substantial dierences between H.R. 2239 and H.R. 550 were in the audit section, which grew from one paragraph to more than six pages. The new audit material was in direct response to the manner in which the 2004 Ohio recount was conducted. Like HR 2239 was never brought to a Committee or floor vote.

Holt introduced a third version of his bill, H.R. 811, in February 2007. A companion bill, S. 559, was introduced in the Senate by Sen. Bill Nelson (D-FL). Like its predecessors, H.R. 811 called for random manual audits, as well as the public disclosure of voting system software and a ban on Internet connections for voting machine components. Also like its predecessors, the bill was vetted with computer security experts and voting integrity and disability activist groups, as well as election officials. H.R. 811 mandated voter-verified paper ballots, instead of records.

Responding to the problems in Cuyahoga County, Ohio in May 2006, where 10% of the paper printout-outs from new DRE machines were lost, damaged or otherwise compromised, the bill required paper ballots to be “durable,” i.e. capable of withstanding multiple recounts by hand. Because of concerns that ballot marking devices might create problems for voters with mobility impairment, the bill called for the entire process of ballot verification and vote casting to be equipped for individuals with disabilities. Based on recommendations from the Brennan Center, the strengthened auditing provisions included a “tiered” system to reflect the closeness of announced election results. The bill also required audits to be publicly observable. H.R. 811 was marked up by the committee of jurisdiction, but was not voted on by the House.

H.R. 2894, introduced by Holt in June, 2009, was based on the mark-up version of H.R. 811. H.R. 2894 required voter-marked or ballot-marking device paper ballots for the November 2010 elections, made the paper ballot the vote of record (as had all earlier versions), mandated the same tiered audits as H.R. 811, and banned wireless devices, Internet connections, and uncertified and undisclosed software in voting and tabulating machines. The ballot marking requirements would have banned DREs. Sen. Nelson again introduced a Senate companion bill, S. 1431. Although supported by the broadest range of organizations of any version of the bill (including the American Council of the Blind, the Advancement Project, the Brennan Center, Common Cause, the Electronic Frontier Foundation, Voter Action, and Veried Voting), and endorsed in a New York Times editorial, the bill received no committee action and no floor vote.

Paper Ballot/VVPAT Requirements
State by State

Alabama has not established a statutory requirement for permanent voter verifiable ballot or record. However, the State currently uses precinct count paper ballot optical scan systems together with ballot-marking devices to assist voter with disabilities in every county.

Alaska
Bill Number:  HB 459 (full text)
Relevant Election Code: Alaska Code §§15.15.030, 15.15.032, 15.20.064, and 15.60.010 / Chapter 154 SLA 04
Enacted: July 7, 2004 (House vote 35-0; Senate Vote 18-0)
VVPAT Language: Sec. 3. AS 15.15 is amended by adding a new section to read: Sec. 15.15.032. Use of electronically generated ballots.
(a) If the director provides for voting by use of electronically generated ballots, the director shall provide balloting equipment that would allow voters with disabilities, including those who are blind or visually impaired, to cast private, independent, and verifiable ballots. The director may not provide for more than one machine that produces electronically generated ballots in a precinct or in a regional supervisor’s office, except where the director determines that additional machines are needed to accommodate the needs of individuals with disabilities, including individuals with physical limitations or visual impairments.
(b) Software for voting by use of electronically generated ballots shall be tested and certified under AS 15.20.900.
(c) The director shall provide for a paper record of each electronically generated ballot that can be
(1) reviewed and corrected by the voter at the time the vote is cast; and
(2) used for a recount of the votes cast at an election in which electronically generated ballots were used.

Arizona
Number: SB 1517 (full text)
Relevant Election Code: ARS §§16-411, 16-445, 16-446, 16-535, 16-602, 16-663 Chapter 44 §8 SL 2006
Enacted: June 28, 2006 (House vote 51-0; Senate Vote 25-3)
VVPAT Language:  Sec. 3. Section 16-446, Arizona Revised Statutes, is amended to read:
16-446. Specifications of electronic voting system
A.  An electronic voting system consisting of a voting or marking device in combination with vote tabulating equipment shall provide facilities for voting for candidates at both primary and general elections.
B.  An electronic voting system shall:

7. provide a durable paper document or ballot that visually indicates the voter’s selections, that the voter may use to verify the voter’s choice, that may be spoiled by the voter if it fails to reflect the voter’s choices and that permits the voter to cast a news ballot. This paper document shall be used in audits and recounts.

Arkansas
Bill Number: HB 1360
 (full text– pdf)
Relevant Election Code: AR Code §§7-5-504, 7-5-532 / Act 654, 2005 Regular Session
Enacted: March 9, 2005 (House vote 79-6; Senate Vote 34-0)
VVPAT Language: SECTION 2. Arkansas Code Title 7, Chapter 5 is amended to add an additional section to read as follows:
7-5-532. Direct read electronic voting machines.
(a) For purposes of this section:
(1) “Direct electronic voting machine” means a voting machine that:
(A) Records votes by means of a ballot display provided with mechanical or electo-optical components that may be actuated by the voter;
(B) Process the data by means of a computer program;
(C) Records voting data and ballot images in internal or external memory components; and
(D) Produces a tabulation of the voting data stored in a removable memory component and in printed copy; and
(2) “Voter verified paper audit trail” means a contemporaneous paper record of a ballot printed for the voter to confirm his or her votes before the voter casts his or her ballot.
(b) The State Board of Election Commissioners or the county board of election commissioners shall not purchase or procure a direct recording electronic voting machine that does not include a voter verified paper audit trail.
(c)(1) All direct recording electronic voting machines in use on or after January 1, 2006 shall include a voter verified paper audit trail, except for those direct recording electronic voting machines in use during the 2004 general election.
(2) All direct recording electronic voting machines purchased on or after the effective date of this section shall include a voter verified paper audit trail.
(d) A direct read electronic voting machine with a voter verified paper audit trail shall meet the following conditions:
(1) The voter verified paper audit trail shall be verified by the voter before the casting of the voter’s ballot;
(2) The voter verified paper audit trail shall not be retained by the voter;
(3) The voter verified paper audit trail shall not contain individual voter information;
(4) The paper used in producing the voter verified paper audit trail shall be sturdy, clean, and resistant to degradation; and
(5) The voter verified paper audit trail shall be readable in a manner that makes the voter’s ballot choices obvious to the voter without the use of computer or electronic code.
(e)(1) For any recount of an election in which ballots are cast using a direct recording electronic voting machine with a voter verified paper audit trail, the voter verified paper audit trail shall serve as the official ballot to be recounted.
(2) Voter verified paper audit trails shall be preserved in the same manner and for the same time period as ballots and certificates are preserved under § 7-5-702.

California
Bill Number: SB 1438 (full text)
Relevant Election Code: California Election Code §§ 19250, 19251, 19252 / Chapter 814, Statutes of 2004
Enacted: September 27, 2004 (House vote 73-0; Senate Vote 31-0)
VVPAT Language: SECTION 1. Article 4 (commencing with Section 19250) is added to Chapter 3 of Division 19 of the Elections Code, to read:
Article 4. Direct Recording Electronic Voting Systems
19250. (a) On and after January 1, 2005, the Secretary of State may not approve a direct recording electronic voting system unless the system has received federal qualification and includes an accessible voter verified paper audit trail.
(b) On and after January 1, 2006, a city or county may not contract for or purchase a direct recording electronic voting system unless the system has received federal qualification and includes an accessible voter verified paper audit trail.
(c) As of January 1, 2006, all direct recording electronic voting systems in use on that date, regardless of when contracted for or purchased, shall have received federal qualification and include an accessible voter verified paper audit trail. If the direct recording electronic voting system does not already include an accessible voter verified paper audit trail, the system shall be replaced or modified to include an accessible voter verified paper audit trail.
19251. For purposes of this article, the following terms shall have the following meanings:
(a) “Accessible” means that the information provided on the paper record copy from the voter verified paper audit trail mechanism is provided or conveyed to voters via both a visual and a nonvisual method, such as through an audio component.
(b) “Direct recording electronic voting system” means a voting system that records a vote electronically and does not require or permit the voter to record his or her vote directly onto a tangible ballot.
(c) “Voter verified paper audit trail” means a component of a direct recording electronic voting system that prints a contemporaneous paper record copy of each electronic ballot and allows each voter to confirm his or her selections before the voter casts his or her ballot.
(d) “Federal qualification” means the system has been certified, if applicable, by means of qualification testing by a Nationally Recognized Test Laboratory and has met or exceeded the minimum requirements set forth in the Performance and Text Standards for Punch Card, Mark Sense, and Direct Recording Electronic Voting Systems, or in any successor voluntary standard document, developed and promulgated by the Federal Election Commission, the Election Assistance Commission, or the National Institute of Standards and Technology.
(e) “Paper record copy” means an auditable document printed by a voter verified paper audit trail component that corresponds to the voter’s electronic vote and lists the contests on the ballot and the voter’s selections for those contests. A paper record copy is not a ballot.

Colorado
Bill Number: SB 05-198 
(full text)
Relevant Election Code: CO Revised Statutes §§1-1-104, 1-5-801, 1-5-802, 1-7-514, 1-10.5-102, 1-10.5-103 / Chapter 309, SL 2005
Enacted: June 6, 2005
VVPAT Language:  PART 8 VOTER-VERIFIED PAPER RECORD
1-5-801.  Acquisition of voting systems – voter-verified paper record. (1)  On and after the effective date of this section, a political subdivision shall not acquire a voting system unless the voting system is capable of producing a voter-verified paper record of each elector’s vote.
(2)  A political subdivision shall not acquire a voting device that has been retrofitted to comply with this part 8 unless the voting device has been certified by an independent testing authority and the secretary of state.
1-5-802.  Use of voting systems – voter-verified paper record.
(1)  In addition to the other requirements of this article, the voting system used in each primary, general, coordinated, or congressional district vacancy election held in the state on and after January 1, 2010, shall have the capability to produce a voter-verifiable paper record of each elector’s vote. Before an elector’s vote is cast, the elector shall have the opportunity, in private and without assistance, to inspect and verify that the voter-verified paper record correctly reflects the elector’s choices. [This deadline was extended to January 1, 2014 by HB 1335 approved on May 15 2009]
(2)  The requirements of subsection (1) of this section shall apply to each primary, general, coordinated, or congressional district vacancy election conducted by a county clerk and recorder on and after January 1, 2008, if the governing body of the county determines that:
(a)  The technology necessary to comply with the requirements of subsection (1) of this section is available; and
(b) (I)  Sufficient federal or state funds are available to acquire or retrofit voting devices that comply with the requirements of subsection (1) of this section; or
(II)  It is otherwise financially feasible for the county to comply with the requirements of subsection (1) of this section.
(3)  Upon satisfaction by a county of the requirements of this section, the voter-verified paper record of each eligible elector’s vote, whether filled out by hand or produced by a voting machine or ballot marking device, shall be preserved as an election record pursuant to section 1-7-802 and shall constitute an official record of the election.
(4)  No voting device shall be remotely accessed or remotely accessible until after the close of voting and a results total tape has been printed, as applicable.

Connecticut
Bill Number: SB 55 (full text)
Relevant Election Code: Public Act 05-188
Enacted: July 1, 2005
VVPAT Language:  (d) Any direct recording electronic voting machine approved by the Secretary of the State for an election or primary held on or after July 1, 2005, shall be so constructed as to:
(1) (A) Contemporaneously produce an individual, permanent, paper record containing all of the elector’s selections of ballot preferences for candidates and questions or proposals, if any, prior to the elector’s casting a ballot, as set forth in this subsection, and (B) produce at any time after the close of the polls a voting machine generated, individual, permanent, paper record of each such elector’s selections of ballot preferences for candidates and questions or proposals, if any. Both the contemporaneously produced paper record and the voting machine generated paper record of each elector’s selections of ballot preferences shall include a voting machine generated unique identifier that can be matched against each other and which preserves the secrecy of the elector’s ballot as set forth in subdivision (4) of this subsection;
(2) Provide each elector with an opportunity to verify that the contemporaneously produced, individual, permanent, paper record accurately conforms to such elector’s selection of ballot preferences, as reflected on the electronic summary screen, and to hear, if desired, an audio description of such electronic summary screen, for the purpose of having an opportunity to make any corrections or changes prior to casting the ballot. If an elector makes corrections or changes prior to casting the ballot, the voting machine shall void such contemporaneously produced paper record, contemporaneously produce another paper record containing such corrections or changes and provide the elector with another opportunity to verify ballot preferences in accordance with the provisions of this subdivision. As used in this section, “electronic summary screen” means a screen generated by a direct recording electronic voting machine that displays a summary of an elector’s selections of ballot preferences for candidates and questions or proposals, if any, at an election or primary;
(3) Provide that a ballot shall be deemed cast on the voting machine at the time that an elector’s contemporaneously produced, individual, permanent, voter-verified paper record, containing all of the elector’s final selections of ballot preferences, is (A) deposited inside a receptacle designed to store all such paper records produced by such voting machine on the day of the election or primary, and (B) the elector’s selection of ballot preferences is simultaneously electronically recorded inside the voting machine for the purpose of (i) being electronically tabulated immediately after the polls are closed on the day of the election or primary, and (ii) producing, on such other day as required under section 8 of this act, a voting machine generated, individual, permanent, paper record of each such elector’s selections of ballot preferences for candidates and questions or proposals, if any;
(4) Except as otherwise provided in subdivision (1) of section 8 of this act, secure the secrecy of each such elector’s ballot by making it impossible for any other individual to identify the elector in relationship to such elector’s selection of ballot preferences at the time that the elector (A) selects ballot preferences; (B) verifies the accuracy of the electronic summary screen by comparing it to the contemporaneously produced, individual, permanent, paper record or the audio description of such electronic summary screen, prior to casting a ballot; (C) makes corrections or changes by reselecting ballot preferences and verifies the accuracy of such preferences in accordance with the provisions of subdivision (2) of this subsection prior to casting a ballot; and (D) casts the ballot; and at the time that all electors’ ballots are canvassed, recanvassed or otherwise tallied to produce a final count of the vote for candidates and questions or proposals, if any, whether through the electronic vote tabulation process or through the manual count process of each elector’s contemporaneously produced, individual, permanent, voter-verified paper record, as set forth in section 8 of this act; and
(5) (A) Be accessible to blind or visually impaired persons by providing each elector, if desired by the elector, an audio description of the contemporaneously produced individual, permanent, paper record containing all of the elector’s selections of ballot preferences, in addition to an audio description of the electronic summary screen.
(B) Notwithstanding the provisions of subparagraph (A) of this subdivision, the Secretary the State may approve an electronic voting machine that does not comply with the provisions of said subparagraph if (i) the Secretary determines that there are no electronic voting machines available for purchase or lease at the time of such approval that are capable of complying with said subparagraph (A), (ii) the electronic voting machine complies with the provisions of subdivisions (1) to (4), inclusive, of this subsection, and (iii) the person applying to the Secretary for approval of the electronic voting machine agrees to include a provision in any contract for the sale or lease of such voting machines that requires such person, upon notification by the Secretary that modifications to such machines that would bring the machines into compliance said subparagraph (A) are available, to (I) so modify any electronic voting machines previously sold or leased under such contract in order to comply with said subparagraph (A), and (II) provide that any electronic voting machines sold or leased after receipt of such notice comply with said subparagraph (A).

Delaware has not established a statutory requirement for permanent voter verifiable ballot or record.

The District of Columbia has not established a statutory requirement for permanent voter verifiable ballot or record. However, precinct count paper ballot optical scan systems and DREs equipped with voter verified paper audit trail printers are used throughout the District.

Florida
Bill Number: HB 537
 (full text – pdf)
Relevant Election Code: FL Statutes §§101.151, Chapter 2007-30 SL 2007
Enacted: May 21, 2007 (House vote 118-0; Senate Vote 37-2)
VVPAT Language: Section 5. Effective July 1, 2008, subsection (1) of section 101.151, Florida Statutes, is amended to read:

101.56075 Voting methods.—
(1) Except as provided in subsection (2), all voting shall be by marksense ballot utilizing a marking device for the purpose of designating ballot selections.
(2) Persons with disabilities may vote on a voter interface device that meets the voting system accessibility requirements for individuals with disabilities pursuant to section 301 of the federal Help America Vote Act of 2002 and s. 101.56062.
(3) By 2012, persons with disabilities shall vote on a voter interface device that meets the voter accessibility requirements for individuals with disabilities under section 301 of the federal Help America Vote Act of 2002 and s. 101.56062, which are consistent with subsection (1) of this section.

Georgia has not established a requirement for permanent voter verifiable ballot or record.

Hawaii
Bill Number: HB 1740 (full text)
Relevant Election Code: HRS §16-42; Act 200 SL 2005
Enacted: July 6, 2005
VVPAT Language: SECTION 1. Section 16-42, Hawaii Revised Statutes, is amended to read as follows:
§16-42 Electronic voting requirements.

No electronic voting system shall be used in any election unless it generates a paper ballot that may be inspected and corrected by the voter before the vote is cast, and unless every paper ballot is retained as the definitive record of the vote cast.

Idaho
Bill Number: HB 283
 (full text)
Relevant Election Code: HRS §16-42; Act 200 SL 2005
Enacted: April 5, 2005 (House vote 63-0; Senate Vote 34-0)
VVPAT Language:  SECTION 1. That Section 34-2409, Idaho Code, be, and the same is hereby amended to read as follows:

(5) Any voting system, including paper ballots, that was used in the 2004 general election shall be continued to be authorized for use as long as the voting system meets the requirements of the “Help America Vote Act of 2002,” Public Law 107-252.
(6) For all elections conducted after 2004, no direct recording electronic voting device shall be used unless the direct recording electronic voting device has a voter verifiable paper audit trail. Any certifications of a direct recording electronic voting device without a voter verifiable paper audit trail are hereby declared null and void.
(7) The secretary of state may periodically review the various voting systems that have been certified for use in the state to ensure such systems meet the standards set forth by the federal election assistance commission and the national institute of standards and technology. Any voting system that does not meet such standards may be decertified after a public hearing.

Illinois
Bill Number: SB 428 
(full text)
Relevant Election Code: 10 Ill. Comp. Stat. 5/24A-16
Enacted: August 21, 2003
VVPAT Language: Upon completing his or her selection of candidates or public questions, the voter shall signify that voting has been completed by activating the appropriate button, switch or active area of the ballot screen associated with end of voting. Upon activation, the voting system shall record an image of the completed ballot, increment the proper ballot position registers, and shall signify to the voter that the ballot has been cast. Upon activation, the voting system shall also print a permanent paper record of each ballot cast as defined in Section 24C-2 of this Code. This permanent paper record shall either be self-contained within the voting device or shall be deposited by the voter into a secure ballot box. No permanent paper record shall be removed from the polling place except by election officials as authorized by this Article. All permanent paper records shall be preserved and secured by election officials in the same manner as paper ballots and shall be available as an official record for any recount, redundant count, or verification or retabulation of the vote count conducted with respect to any election in which the voting system is used.

Indiana has not established a requirement for permanent voter verifiable ballot or record.

Iowa
Bill Number: SF 639 
(full text)
Relevant Election CodeCode 2007 §52.7 subsection 2
Enacted: May 25, 2007 (House Vote 53-42; Senate Vote 45-5)
VVPAT Language:  (reflecting changes in the code as a result of SF 639) 1.The Except as otherwise provided in subsection 2, the board of supervisors of a county may, by a majority vote, authorize, purchase, and order the use of voting machines or an electronic optical scan voting system in any one or more voting precincts within the county until otherwise ordered by the board of supervisors. Voting machines and an electronic  optical scan voting system may be used concurrently at the same precinct.
2. Notwithstanding any provision to the contrary:
a. On or after the effective date of this Act, a county whose voting system primarily utilizes voting machines, as defined in section 52.1, shall, when seeking to replace the voting system, replace the voting system with an optical scan voting system only. The requirements of the federal Help America Vote Act relating to disabled voters shall be met by a county through the use of electronic ballot marking devices that are compatible with an optical scan voting system.
b. On or after the effective date of this Act, a county that utilizes a voting machine, as defined in section 52.1, and an optical scan voting system concurrently at the same precinct shall, when seeking to replace the voting machine, replace the voting machine with an electronic ballot marking device that is compatible with an optical scan voting system in order to ensure that each precinct in the county shall have at least one electronic ballot marking device.

Kansas has not established a statutory requirement for permanent voter verifiable ballot or record.

Kentucky has not established a statutory requirement for permanent voter verifiable ballot or record.

Louisiana has not established a statutory requirement for permanent voter verifiable ballot or record.

Maine
Bill Number: LD 1759 
(full text)
Relevant Election Code21-A M.R.S. Section 812
Enacted: April 24, 2004
VVPAT Language:  Sec. 5. 21-A MRSA §§831 and 832 are enacted to read:
§831.__Voting machine standards

2. Ballots. All voting machines in the State must produce a physical ballot, equivalent or superior to that of a hand-cast ballot, that unambiguously reflects the intent of the voter and that each voter shall personally review and deliver to an official ballot box. Touch screen voting machines must produce a legible, large-print ballot for verification by each voter of that voter’s electoral choices before it is placed in the official ballot box. Each such ballot must also identify the individual machine that produced it while not identifying the voter.
A. Ballots may be an optional feature only of machines dedicated to accommodate the needs of sight-impaired voters or other voters with disabilities for whom wardens determine usage of ballot-free voting is appropriate. The option of using a ballot-free function on a touch screen machine may be executed only by a warden on duty at an individual voting place upon request of a voter with a disability and only on a machine dedicated for access by voters with disabilities. A total count of such ballot-free uses on dedicated voting machines, which must be compiled so as to maintain complete voter anonymity, must be kept at each voting district and transmitted to the Office of the Secretary of State along with the election results.

3. Proscribed voting machines. The following types of voting machines may not be used in the conduct of state elections:
A. Direct recording electronic voting machines;
B. Punch card voting machines;
C. Mechanical lever voting machines; and
D. Any machine that does not produce a paper ballot except as provided in subsection 2, paragraph A.

Bill Number: LD 1026 (full text)
Relevant Election Code
21-A MRSA §607, sub-§6, 21-A MRSA §737-B
Enacted: 
June 23, 2005
VVPAT Language:  Sec. 1. 21-A MRSA §812, sub-§10, as enacted by PL 2003, c. 651, §7, is amended to read:
10. Paper audit trail. Unless excluded pursuant to section 812-A, subsection 1, it It must produce or employ permanent paper records of the votes cast that are able to be verified by individual voters before their votes are cast and that provide a manual audit capacity for the machine. In the case of direct recording electronic voting machines, those records must also identify the individual machines that produced them without revealing the identities of the voters who cast the ballots. In all cases, these records must be reviewed in the event of a recount and considered in conjunction with the machine-produced tally.

Sec. 2. 21-A MRSA §812-A, sub-§1, as enacted by PL 2003, c. 651, §8, is amended to read:
1. Accessible voting equipment at each polling place. The Secretary of State, in compliance with the voting accessibility requirements of the federal Help America Vote Act of 2002, shall provide one direct recording electronic voting machine, or other voting system equipped for individuals with disabilities, for use at each polling place used in the conduct of state elections. Such machines must produce permanent paper records that provide a manual audit capacity for the machines and must also provide voters with audio functions that enable the voters to verify their ballots aurally before the votes are cast, and all such machines are exempt from subject to the requirements of section 812, subsection 10.

Additional accessible voting machines may be used in the conduct of state elections, but those machines must meet the requirements set forth in section 812.

Maryland
Bill Number: HB 18 and SB 392 
(full text)
Relevant Election CodeMaryland Code Article-Election Law §9-102, Chapter 548 SL 2007
Enacted: May 17, 2007 (House Vote 140-0; Senate Vote 47-0)
VVPAT Language: SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:
Article – Election Law 9–102.
(A) IN THIS SECTION, A “VOTER–VERIFIABLE PAPER RECORD” INCLUDES:
(1) A PAPER BALLOT PREPARED BY THE VOTER FOR THE PURPOSE OF BEING READ BY A PRECINCT–BASED OPTICAL SCANNER;
(2) A PAPER BALLOT PREPARED BY THE VOTER TO BE MAILED TO THE APPLICABLE LOCAL BOARD, WHETHER MAILED FROM A DOMESTIC OR AN OVERSEAS LOCATION; AND
(3) A PAPER BALLOT CREATED THROUGH THE USE OF A BALLOT MARKING DEVICE.
[(a)] (B) The State Board shall adopt regulations for the review, certification, and decertification of voting systems.
[(b)] (C) The State Board shall periodically review and evaluate alternative voting systems.
[(c)] (D) The State Board may not certify a voting system unless the State Board determines that:
(1) the voting system will:
(i) protect the secrecy of the ballot;
(ii) protect the security of the voting process;
(iii) count and record all votes accurately;
(iv) accommodate any ballot used under this article;
(v) protect all other rights of voters and candidates; [and]
(vi) be capable of creating a paper record of all votes cast in order that an audit trail is available in the event of a recount, INCLUDING A MANUAL RECOUNT; AND
(VII) PROVIDE A VOTER–VERIFIABLE PAPER RECORD THAT:
1. IS AN INDIVIDUAL DOCUMENT THAT IS PHYSICALLY SEPARATED FROM ANY OTHER SIMILAR DOCUMENT AND NOT PART OF A CONTINUOUS ROLL;
2. IS SUFFICIENTLY DURABLE TO WITHSTAND REPEATED HANDLING FOR THE PURPOSES OF MANDATORY RANDOM AUDITS AND RECOUNTS; AND
3. USES INK THAT DOES NOT FADE, SMEAR, OR OTHERWISE DEGRADE AND OBSCURE OR OBLITERATE THE PAPER RECORD OVER TIME;
(2) the voting system has been:
(i) examined by an independent testing laboratory that is approved by the [National Association of State Election Directors] U.S. ELECTION ASSISTANCE COMMISSION; and
(ii) shown by the testing laboratory to meet the performance and test standards for electronic voting systems established by the Federal Election Commission OR THE U.S. ELECTION ASSISTANCE COMMISSION; and
(3) the public interest will be served by the certification of the voting system.
[(d)] (E) In determining whether a voting system meets the required standards, the State Board shall consider:
(1) the commercial availability of the system and its replacement parts and components;
(2) the availability of continuing service for the system;
(3) the cost of implementing the system;
(4) the efficiency of the system;
(5) the likelihood that the system will malfunction;
(6) the system’s ease of understanding for the voter;
(7) the convenience of voting afforded by the system;
(8) the timeliness of the tabulation and reporting of election returns;
(9) the potential for an alternative means of verifying the tabulation;
(10) accessibility for all voters with disabilities recognized by the Americans with Disabilities Act; and
(11) any other factor that the State Board considers relevant.
(F) A VOTING SYSTEM SELECTED, CERTIFIED, AND IMPLEMENTED UNDER THIS SECTION SHALL:
(1) PROVIDE ACCESS TO VOTERS WITH DISABILITIES THAT IS EQUIVALENT TO ACCESS AFFORDED VOTERS WITHOUT DISABILITIES WITHOUT CREATING A SEGREGATED BALLOT FOR VOTERS WITH DISABILITIES;
(2) ENSURE THE INDEPENDENT, PRIVATE CASTING, INSPECTION, VERIFICATION, AND CORRECTION OF SECRET BALLOTS BY VOTERS WITH DISABILITIES IN AN ACCESSIBLE MEDIA BY BOTH VISUAL AND NONVISUAL MEANS, INCLUDING SYNCHRONIZED AUDIO OUTPUT AND ENHANCED VISUAL DISPLAY; AND
(3) COMPLY WITH BOTH THE AMERICANS WITH DISABILITIES ACT, P.L. 101–336, AND THE HELP AMERICA VOTE ACT, P.L. 107–252, INCLUDING ACCESSIBILITY STANDARDS ADOPTED AS PART OF THE VOLUNTARY VOTING SYSTEM GUIDELINES PURSUANT TO THE HELP AMERICA VOTE ACT.
(G) (1) AT LEAST ONE VOTING SYSTEM IN EACH POLLING PLACE ON ELECTION DAY SHALL PROVIDE ACCESS FOR VOTERS WITH DISABILITIES IN COMPLIANCE WITH SUBSECTION (F) OF THIS SECTION.
(2) THE STATE BOARD SHALL ENSURE THAT ADEQUATE BACKUP EQUIPMENT IS AVAILABLE AND CONTINGENCY PLANS ARE ESTABLISHED TO ENSURE COMPLIANCE WITH PARAGRAPH (1) OF THIS SUBSECTION.
(H) BEFORE THE SELECTION OF A VOTING SYSTEM, THE STATE BOARD SHALL:
(1) ENSURE THAT AN ACCESSIBLE VOTING SYSTEM CONFORMS TO THE ACCESS REQUIREMENTS OF THE VOLUNTARY VOTING SYSTEM GUIDELINES DEVELOPED IN ACCORDANCE WITH THE HELP AMERICA VOTE ACT IN EFFECT AT THE TIME OF SELECTION; AND
(2) CONDUCT AN ACCESSIBILITY AND USABILITY EVALUATION OF THE VOTING SYSTEM TO ASSESS ITS ACCESSIBILITY AND USABILITY BY VOTERS WITH DISABILITIES, INCLUDING:
(I) A PUBLIC DEMONSTRATION OF THE SYSTEM; AND
(II) AN EVALUATION BY INDIVIDUALS REPRESENTING A CROSS–SECTION OF VOTERS WITH DISABILITIES.
[(e)] (I) (1) The State Board shall adopt regulations relating to requirements for each voting system selected and certified under § 9–101 of this subtitle.
(2) The regulations shall specify the procedures necessary to assure that the standards of this title are maintained, including:
(i) a description of the voting system;
(ii) a public information program by the local board, at the time of introduction of a new voting system, to be directed to all voters, candidates, campaign groups, schools, and news media in the county;
(iii) local election officials’ responsibility for management of the system;
(iv) the actions required to assure the security of the voting system;
(v) the supplies and equipment required;
(vi) the storage, delivery, and return of the supplies and equipment necessary for the operation of the voting system;
(vii) standards for training election officials in the operation and use of the voting system;
(viii) before each election and for all ballot styles to be used, testing by the members of the local board to ensure the accuracy of tallying, tabulation, and reporting of the vote, and observing of that testing by representatives of political parties and of candidates who are not affiliated with political parties;
(ix) the number of voting stations or voting booths required in each polling place, in relation to the number of registered voters assigned to the polling place;
(x) the practices and procedures in each polling place appropriate to the operation of the voting system;
(xi) assuring ballot accountability in systems using a document ballot;
(xii) the actions required to tabulate votes; and
(xiii) postelection review and audit of the system’s output.
(3) Certification of a voting system is not effective until the regulations applicable to the voting system have been adopted.
(a) In consultation with the local boards, the State Board shall:
(1) develop a program of instruction of election judges; and
(2) oversee the implementation of the program of instruction.
(b) The training materials utilized by the program may include:
(1) an instruction manual and other written directives;
(2) curriculum for training sessions; and
(3) audiovisuals.
(c) The State Board shall develop a process for the evaluation of the training program and the performance of the polling place staff in each county.
(d) To the extent appropriate, the training program shall be specific to each of the voting systems used in polling places in the State.
(E) (1) THE STATE BOARD SHALL PROVIDE ELECTION JUDGES WITH UNIFORM STATEWIDE TRAINING ON THE VOTING SYSTEM, INCLUDING:
(I) ALL FEATURES OF THE VOTING SYSTEM THAT PROVIDE ACCESS TO VOTERS WITH DISABILITIES; AND
(II) THE RIGHTS OF VOTERS WITH DISABILITIES, INCLUDING THOSE RIGHTS GUARANTEED BY STATE AND FEDERAL LAW.
[(e)] (F) Each local board shall conduct election judge training based on the program developed by the State Board.
[(f)] (G) (1) Except as provided in paragraph (2) of this subsection, each election judge shall participate in the training program provided for in subsection (a) of this section.
(2) An election judge who is appointed under emergency circumstances is not required to attend the course of instruction.
SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall apply to each election occurring on or after March January 1, 2008 2010, that is required to be conducted in accordance with the Election Law Article.
SECTION 3. AND BE IT FURTHER ENACTED, That, if the Attorney General determines on or after the effective date of this Act that any provision of this Act is in conflict with any law of the United States or a rule, regulation, or policy of the U.S.Election Assistance Commission, the conflicting provision of this Act shall be abrogated and of no force or effect. The Attorney General, within 5 days after determining the existence of a conflict, shall notify in writing the Department of Legislative Services, Legislative Services Building, 90 State Circle, Annapolis, MD 21401.
SECTION 4. AND BE IT FURTHER ENACTED, That this Act is contingent on the appropriation of sufficient general, special, or federal funds in the State budget no later than fiscal year 2009 for the State Board of Elections to perform the functions set forth in Section 2 1 of this Act, and if sufficient funds are not appropriated in the State budget to the State Board of Elections by fiscal year 2009 to perform the functions set forth in Section 2 1 of this Act, this Act shall be null and void without the necessity of further action by the General Assembly. Within 10 days after the fiscal year 2009 budget has been enacted by the General Assembly, the Department of Budget and Management shall determine and notify the Department of Legislative Services whether sufficient general, special, or federal funds have been appropriated in the fiscal year 2009 budget for the State Board of Elections to perform the functions set forth in Section 2 1 of this Act.
SECTION 5. AND BE IT FURTHER ENACTED, That, subject to Sections 2 through 4 of this Act, this Act shall take effect October 1, 2007.

Massachusetts has not established a statutory requirement for permanent voter verifiable ballot or record. However all jurisdictions in Massachusetts use paper ballot systems together with ballot marking devices to assist voters with disabilities.

Michigan has not established a statutory requirement for permanent voter verifiable ballot or record. However, on August 4, 2003, Secretary of State Terri Lynn Land announced that Michigan was adopting an optical scan voting system statewide.

“This statewide standard will bridge the technology gap that hinders Michigan’s election process,” said Land, who is the state’s chief election officer. “Bringing every precinct on line with optical scan technology enhances the experience for voters and election workers alike. We’re ushering in a new and exciting era of voting in Michigan. This upgrade paves the way for further improvements that will make our process more contemporary, efficient, accurate and convenient.” (source)

Minnesota
Bill Number: HF 874 
(full text)
Relevant Election CodeCh. 162 Session Law 2005
Enacted: June 3, 2005 (House Vote 133-0; Senate Vote 63-0)
VVPAT Language: 206.80 [ELECTRONIC VOTING SYSTEMS.]
(a) An electronic voting system may not be employed unless

(7) provides every voter an opportunity to verify votes recorded on the permanent paper ballot or paper record, either visually or using assistive voting technology, and to change votes or correct any error before the voter’s ballot is cast and counted, produces an individual, discrete, permanent, paper ballot or paper record of the ballot cast by the voter, and preserves the paper ballot or paper record as an official record available for use in any recount.
(b) An electronic voting system purchased on or after the effective date of this section may not be employed unless it:
(1) accepts and tabulates, in the polling place or at a counting center, a marked optical scan ballot;
(2) creates a marked optical scan ballot that can be tabulated in the polling place or at a counting center by automatic tabulating equipment certified for use in this state; or
(3) securely transmits a ballot electronically to automatic tabulating equipment in the polling place while creating an individual, discrete, permanent paper record of each vote on the ballot.[

Mississippi has not established a statutory requirement for permanent voter verifiable ballot or record.

Missouri has not established a statutory requirement for permanent voter verifiable ballot or record. However on February 26, 2004, Secretary of State Matt Blunt announced that would require any Direct Recording Electronic (DRE) systems that may be purchased by local election officials produce a voter verified paper ballot.

“We have worked hard over the past three years to ensure that our elections are above reproach and that Missouri voters have confidence in the process and most importantly, the results,” Blunt said. “By requiring all DRE’s to produce a voter verifiable ballot, we will provide voters with the peace of mind they deserve on Election Day by enabling them to review their ballots prior to casting them.” (source)

Montana
Bill Number: HB 297 
(full text)
Relevant Election Code§13-17-103 MCA
Enacted: April 18, 2005 (House Vote 94-3; Senate Vote 50-0)
VVPAT Language:  Section 1. Section 13-17-103, MCA, is amended to read:
“13-17-103. Required specifications for voting systems.
(1) A voting system may not be approved under 13-17-101 unless the voting system:

(k) uses a paper ballot that allows votes to be manually counted, except as provided in subsection (2).
(2) A direct recording electronic system that does not mark a paper ballot may be used to facilitate voting by a disabled voter pursuant to the Help America Vote Act of 2002, 42 U.S.C. 15301, et seq., if:
(a) (i) a direct recording electronic system that uses a paper ballot has not yet been certified by the federal election assistance commission; or
(ii) a direct recording electronic system that marks a paper ballot has not yet been approved by the secretary of state pursuant to 13-17 101; and
(b) the system records votes in a manner that will allow the votes to be printed and manually counted or audited if necessary

Nebraska has not established a statutory requirement for permanent voter verifiable ballot or record. However, Nebraska currently uses precinct count paper ballot optical scan systems together with ballot-marking devices to assist voter with disabilities in every county.

Nevada has not established a statutory requirement for permanent voter verifiable ballot or record. On December 10, 2003, Secretary of State Dean Heller announced his decision to purchase Direct Recording Electronic (DRE) voting machines for all Nevada counties and mandating a voter verifiable paper printer be included on all newly purchased DRE machines for the 2004 election. He added that all existing machines statewide must add the printer technology by 2006.

“Voting is the most fundamental freedom Americans enjoy; it is the backbone of a free and democratic society,” Heller said. “As the State’s Chief Elections Officer, my duty is clear: to provide voters with the highest level of confidence that elections in this state are fair, unbiased and secure. These critical principles led to my decision to be the first state in the nation to demand a vendor to include a voter verifiable receipt (VVR) printer on all DRE machines in time for the 2004 election. It is a right of every citizen to feel secure that the voting choices they have made are recorded accurately. A paper trail is an intrinsic component of voter confidence.” Senator John Ensign, whom Heller has spoken with several times over the VVR issue, added, “I have been a strong and vocal advocate for approval of federal legislation requiring paper verification of ballots. As public officials, we have a serious responsibility to maintain the integrity of our election process, including voting machines and ballots.” (source)

New Hampshire
Relevant Election Code
New Hampshire statutes Chapter 656:41
Enacted: 1994
Paper Ballot Language: 656:41 Approval by Ballot Law Commission. – The ballot law commission shall act as a board to examine devices for the electronic counting of ballots. The commission shall, whenever requested, examine any device which may be capable of meeting the requirements for elections held in this state. The commission shall approve such device in its discretion, and no device shall be used in any election in this state unless it reads the voter’s choice on a paper ballot and is of a type so approved by the ballot law commission. Any device that is altered must be re-approved before it is used in any election in this state. For the purposes of this section, a device shall be considered altered if any mechanical or electronic part, hardware, software, or programming has been altered.

New Jersey
Bill Number: A 33 
(full text)
Relevant Election CodeR.S.19:48-1 and P.L.1973, c.82.
Enacted: July 7, 2005
VVPAT Language:  1. R.S.19:48-1 is amended to read as follows:
19:48-1. Any thoroughly tested and reliable voting machines may be adopted, rented, purchased or used, which shall be so constructed as to fulfill the following requirements:

By January 1, 2008, each voting machine shall produce an individual permanent paper record for each vote cast, which shall be made available for inspection and verification by the voter at the time the vote is cast, and preserved for later use in any manual audit, unless a waiver of the provisions of this paragraph is granted by the Attorney General for good cause.
2. Section 3 of P.L.1973, c.82 (C.19:53A-3) is amended to read as follows:

i. By January 1, 2008, produce an individual permanent paper record for each vote cast, which shall be made available for inspection and verification by the voter at the time the vote is cast, and preserved for later use in any manual audit, unless a waiver of the provisions of this subsection is granted by the Attorney General for good cause. (cf: P.L.2004, c.88, s.18)
STATEMENT
This bill would require that each voting machine in use in the State produce an individual permanent paper record for each vote cast. The record would be made available for inspection and verification by the voter at the time the vote is cast, and preserved for later use in any manual audit. Such a voter-verified paper record would give voters increased confidence that their votes were counted accurately. Counties would be required to comply with the provisions of this bill by January 1, 2008, unless a waiver is granted by the Attorney General for good cause.The bill is modeled on provisions in a bill sponsored by Congressman Rush Holt (H.R.2239), introduced in May 2003.

Bill Number: A 3648 (full text)
Relevant Election Code:R.S.19:48-1, P.L.1973, c.82 and P.L.2005, c.137
Enacted: March 6, 2009
VVPAT Language: 1. R.S.19:48-1 is amended to read as follows:

(2) The provisions of paragraph (1) of this subsection shall be suspended until: i) the Secretary of State and the State Treasurer certify in writing that sufficient funds have been provided by the federal government and received by the State to offset the entire cost of ensuring that each voting machine used in this State produces an individual permanent paper record for each vote cast; or (ii) the annual appropriation act contains an appropriation of sufficient funds to ensure that each voting machine used in this State produces an individual permanent paper record for each vote cast and such appropriated funds have not been reserved by the Governor under a spending reduction plan; or (iii) the Secretary of State and the State Treasurer certify in writing that sufficient funds have been provided by the federal government and received by the State, and the annual appropriation act contains an appropriation of sufficient unreserved funds, to ensure, when such funds are combined, that each voting machine used in this State produces an individual paper record for each vote cast. (cf: P.L.2008, c.18, s.l)

New Mexico
Bill Number: SB 295 
(full text – pdf)
Relevant Election Code: NMSA 1978 (being Laws 1969, Chapter 240, Section 188, as amended
Enacted: March 2, 2006 (House Vote 38-24; Senate Vote 23-18)
Paper Ballot Language: Section 2. Section 1-9-7.1 NMSA 1978 (being Laws 2005, Chapter 270, Section 56) is amended to read:
“1-9-7.1. VOTING SYSTEM–USE OF PAPER BALLOT.–
A. All voting systems used in elections covered by the Election Code shall use a paper ballot on which the voter physically or electronically marks the voter’s choices on the ballot itself; provided, however, that voting systems owned or used by a county on May 1, 2006 that do not use a paper ballot may be used until an adequate supply of voting systems is available and sufficient federal, state or local funds are available:
(1) to replace the voting systems;
(2) to acquire the necessary software;
(3) for the secretary of state to purchase the paper ballots for all counties to use on the new voting system for primary and general elections; and
(4) to hold the counties harmless for payments due for voting systems under lease-purchase agreements entered into pursuant to Sections 1-9-17 through 1-9-19 NMSA 1978.
B.  In any event, a voting system shall not be used if it has not been certified by the secretary of state and if a competitive bid process has not been conducted by the secretary of state pursuant to the provisions of Chapter 13, Article 1 NMSA 1978.
C.  The paper ballot shall be used by the state or its contractor to check either the veracity of a machine count or the count itself, and shall be used in a recount proceeding as are absentee ballots, and in case of a discrepancy, the paper ballot shall be considered the true and correct record of the voter’s choices.”

New York
Bill Number: A 8969 S 5877  
(full text)
Relevant Election Code: NMSA 1978 (being Laws 1969, Chapter 240, Section 188, as amended
Enacted: March 2, 2006 (House Vote 38-24; Senate Vote 23-18)
VVPAT Language: S. 7-282. Voting Machine or System; Requirements of.
1. A voting machine or system to be approved by the State Board of Elections shall:

J. Retain all paper ballots cast or produce and retain a voter verified permanent paper record which shall be presented to the voter from behind a window or other device before the ballot is cast, in a manner intended and designed to protect the privacy of the voter; such ballots or record shall allow a manual audit and shall be preserved in accordance with the provisions of Section 3-222 of this chapter.

North Carolina
Bill Number: S 223 (full text)
Relevant Election CodeGeneral Statutes §§163-165.7, 163-166.7(c),163-182.1(b), 163-182.2, 163-182.7A / Session Law 2005-323
Enacted: August 26, 2005 (House Vote 133-0; Senate Vote 63-0)
VVPAT Language: SECTION 1.(a) Effective August 1, 2005, and applicable to any voting systems upgraded or acquired on or after that date and to all voting systems used in the State during any election during or after 2006, G.S. 163‑165.7 reads as rewritten:
§ 163‑165.7. Voting systems: powers and duties of State Board of Elections.
(a) Only voting systems that have been certified by the State Board of Elections in accordance with the procedures and subject to the standards set forth in this section and that have not been subsequently decertified shall be permitted for use in elections in this State. Those certified voting systems shall be valid in any election held in the State or in any county, municipality, or other electoral district in the State. Subject to all other applicable rules adopted by the State Board of Elections and, with respect to federal elections, subject to all applicable federal regulations governing voting systems, paper ballots marked by the voter and counted by hand shall be deemed a certified voting system. The State Board of Elections shall certify optical scan voting systems, optical scan with ballot markers voting systems, and direct record electronic voting systems if any of those systems meet all applicable requirements of federal and State law. The State Board may certify additional voting systems only if they meet the requirements of the request for proposal process set forth in this section and only if they generate either a paper ballot or a paper record by which voters may verify their votes before casting them and which provides a backup means of counting the vote that the voter casts. Those voting systems may include optical scan and direct record electronic (DRE) voting systems. In consultation with the Office of Information Technology Services, the State Board shall develop the requests for proposal subject to the provisions of this Chapter and other applicable State laws. Among other requirements, the request for proposal shall require at least all of the following elements:
(1) That the vendor post a bond or letter of credit to cover damages resulting from defects in the voting system. Damages shall include, among other items, any costs of conducting a new election attributable to those defects.
(2) That the voting system comply with all federal requirements for voting systems.
(3) That the voting system must have the capacity to include in precinct returns the votes cast by voters outside of the voter’s precinct as required by G.S. 163‑132.5G.
(4) With respect to electronic voting systems, that the voting system generate a paper record of each individual vote cast, which paper record shall be maintained in a secure fashion and shall serve as a backup record for purposes of any hand‑to‑eye count, hand‑to‑eye recount, or other audit. Electronic systems that employ optical scan technology to count paper ballots shall be deemed to satisfy this requirement.
(5) With respect to DRE voting systems, that the paper record generated by the system be viewable by the voter before the vote is cast electronically, and that the system permit the voter to correct any discrepancy between the electronic vote and the paper record before the vote is cast.
(6) With respect to all voting systems using electronic means, that the vendor provide access to all of any information required to be placed in escrow by a vendor pursuant to G.S. 163‑165.9A for review and examination by the State Board of Elections; the Office of Information Technology Services; the State chairs of each political party recognized under G.S. 163‑96; the purchasing county; and designees as provided in subdivision (9) of subsection (d) of this section.
(7) That the vendor must quote a statewide uniform price for each unit of the equipment.
(8) That the vendor must separately agree with the purchasing county that if it is granted a contract to provide software for an electronic voting system but fails to debug, modify, repair, or update the software as agreed or in the event of the vendor having bankruptcy filed for or against it, the source code described in G.S. 163‑165.9A(a) shall be turned over to the purchasing county by the escrow agent chosen under G.S. 163‑165.9A(a)(1) for the purposes of continuing use of the software for the period of the contract and for permitting access to the persons described in subdivision (6) of this subsection for the purpose of reviewing the source code.

In its request for proposal, the State Board of Elections shall address the mandatory terms of the contract for the purchase of the voting system and the maintenance and training related to that voting system.

No voting system acquired or upgraded by a county before August 1, 2005, shall be used in an election during or after 2006 unless the county can demonstrate to the State Board of Elections compliance with the requirements in subdivisions (1) through (8) of this subsection, where those requirements are applicable to the type of voting system involved.

North Dakota has not established a statutory requirement for permanent voter verifiable ballot or record. However, the State currently uses precinct count paper ballot optical scan systems together with ballot-marking devices to assist voters with disabilities in every county.

Ohio
Bill Number: HB 262 
(full text)
Relevant Election Code: Ohio. Rev. Code Ann. Section 3506.10
Enacted: May 7, 2004
VVPAT Language: Sec. 3506.10. No voting machine shall be approved by the board of voting machine examiners or certified by the secretary of state, or be purchased, rented, or otherwise acquired, or used, except when specifically allowed for experimental use, as provided in section 3506.04 of the Revised Code, unless it fulfills the following requirements:

(P) On and after the first federal election that occurs after January 1, 2006, unless required sooner by the Help America Vote Act of 2002, if the voting machine is a direct recording electronic voting machine, it shall include a voter verified paper audit trail.

Sec. 3506.18. (A) For any recount of an election in which ballots are cast using a direct recording electronic voting machine with a voter verified paper audit trail, the voter verified paper audit trail shall serve as the official ballot to be recounted.
(B) Voter verified paper audit trails shall be preserved in the same manner and for the same time period as paper ballots are preserved under section 3505.31 of the Revised Code.

Oklahoma has not established a statutory requirement for permanent voter verifiable ballot or record. However, the State currently uses precinct count paper ballot optical scan systems together with ballot-marking devices to assist voters with disabilities in every county.

Oregon
Bill Number:

Relevant Election Code
Enacted: 
VVPAT Language:

Pennsylvania has not established a statutory requirement for permanent voter verifiable ballot or record.

Rhode Island has not established a statutory requirement for permanent voter verifiable ballot or record. However, the State currently uses precinct count paper ballot optical scan systems together with ballot-marking devices to assist voters with disabilities in every polling place.

South Carolina has not established a statutory requirement for permanent voter verifiable ballot or record.

South Dakota
Relevant Language in Election Code:
 South Dakota Codified Law (as enacted through SL 1994, Chapter 110 §22) states:
12-17B-2.1. Direct recording electronic voting system – Requirements.
No direct recording electronic voting system may be certified or used unless it is capable of producing in random order a paper copy of each ballot cast on the system. No direct recording electronic voting system may be certified which transmits uncounted votes or ballots through the internet.

Tennessee
Bill Number: HB 1256/*SB 1363 
(full text – pdf)
Relevant Election CodeTennessee Code Annotated, Title 2
Enacted: June 5, 2008
VVPAT Language:  SECTION 2. Tennessee Code Annotated, Title 2, is amended by adding the following as a new, appropriately designated section:
2 (a) Notwithstanding any other provision of state law to the contrary and consistent with federal law, any voting system purchased or leased with federal, state or local funds shall provide that the ballot of record shall be a paper ballot marked by the voter, with appropriate accommodation for persons with disabilities. Such ballot shall be available for the voter to verify such voter’s vote before having it counted and retained by the election officials. The system shall maintain the secrecy of the voter’s choices and the ballots of record shall be used in any recounts, contests, or random samplings for accuracy.

Bill Number: HB 0614/SB 0872 (full text – pdf)
Relevant Election Code: Tennessee Code Annotated, Title 2 and Chapter 1108 of the Public Acts of 2008
Date Enacted: February 9, 2010
HB 0614/SB 0872 delayed the implementation of certain provisions of the Tennessee Voter Confidence Act of 2008.

Relevant Language: SECTION 1. Tennessee Code Annotated, Title 2, is amended by deleting chapter 20 in
its entirety.
SECTION 2. Tennessee Code Annotated, Section 2-1-104(a), is amended by deleting the subdivisions (19), (31), (32), and (33) and redesignating remaining subdivisions accordingly:

Bill Number: HB 0386/SB 1203 (full text – pdf)
Relevant Election Code: Tennessee Code Annotated, Title 2, Chapter 1108 of the Public Acts of 2008 and Chapter 612 of the Public Acts of 2010, relative to the Tennessee Voter Confidence Act.
Date Enacted: June 3, 2011
Revision Language: SECTION 1. Section 6 of Chapter 1108 of the Public Acts of 2008, as amended by Chapter 612 of the Public Acts of 2010, is further amended by deleting the second sentence in its entirety and by deleting the period at the end of the last sentence and adding the following language:
and only if the general assembly includes a specific recurring appropriation in the 2011 general appropriations act for the 2011-2012 fiscal year in such amount necessary to provide fully for all increased costs for counties, as determined by the secretary of state, directly attributable to the Tennessee Voter Confidence Act.
SECTION 2. Tennessee Code Annotated, Section 2-20-101(a), is amended by deleting the subsection in its entirety and by substituting instead the following language:
(a) Notwithstanding any other state law to the contrary and consistent with federal law and subsection (b)(1), if the general assembly includes a specific recurring appropriation in the 2011 general appropriations act for the 2011-2012 fiscal year, new voting systems purchased or leased shall be a system using precinct-based optical scanners. The appropriation shall be in such amount necessary to provide fully for all increased costs for counties, as determined by the secretary of state, directly attributable to this part.

Texas has not established a statutory requirement for permanent voter verifiable ballot or record.

Utah
Bill Number: 
HB 2169
Relevant Election CodeORS 246.012, 246.550, 246.560, 254.005, 254.485, and 258.211 /  Chapter 731
Enacted: August 17 2005
VVPAT Language: 246.560. (1) [No] A voting machine [shall] may not be approved by the Secretary of State unless [it] the voting machine is constructed so that it …
(h) Contains a device that will duplicate the votes cast by each elector onto a paper record copy.
(i) Contains a device that will allow each elector to view the elector′s paper record copy while preventing the elector from directly handling the paper record copy.

Vermont
Bill Number: S.0202
Relevant Election Code: Title 17 V.S.A. § 2478
Enacted: April 15 2005
VVPAT Language: Sec. 1. 17 V.S.A. § 2478 is amended to read: … (e)  No voting shall occur in any general election which does not use printed ballots.

Virginia has not established a statutory requirement for permanent voter verifiable ballot or record.

Washington
Bill Number:
SB 5395
Relevant Election CodeRCW 29A.12.085
Enacted: May 3 2005
VVPAT Language: Beginning on January 1, 2006, all direct recording electronic voting devices must produce a paper record of each vote that may be accepted or rejected by the voter before finalizing his or her vote. This record may not be removed from the voting center, and must be human readable without an interface and machine readable for counting purposes. If the device is programmed to display the ballot in multiple languages, the paper record produced must be printed in the language used by the voter. Rejected records must either be destroyed or marked in order to clearly identify the record as rejected. Paper records produced by direct recording electronic voting devices are subject to all the requirements of chapter 29A.60 RCW for ballot handling, preservation, reconciliation, transit, and storage. The paper records must be preserved in the same manner and for the same period of time as ballots.

West Virginia
Bill Number: HB 2950
Relevant Election Code: West Virginia Code §3-4A-9 12A-E
Enacted:
VVPAT Language: (12) (A) Direct-recording electronic voting machines must generate a paper copy of each voter’s vote that will be automatically kept within a storage container that is locked, closely attached to the direct-recording electronic voting machine and inaccessible to all but authorized voting officials, who will handle such storage containers and such paper copies contained therein in accordance with section nineteen of this article;
(B) The paper copy of the voter’s vote shall be generated at the time the voter is at the voting station using the direct- recording electronic voting machine;
(C) The voter may examine the paper copy visually or through headphone readout, and may accept or reject the printed copy;
(D) The voter may not touch, handle or manipulate the printed copy manually in any way;
(E) Once the printed copy of the voter’s votes is accepted by the voter as correctly reflecting the voter’s intent, but not before, it will automatically be stored for recounts or random checks and the electronic vote will be cast within the computer mechanism of the direct-recording electronic voting machine;

Wisconsin
Bill Number: AB 627
Relevant Election Code: WI Stat § 5.91.18
Enacted: January 4 2006
VVPAT Language: If the device consists of an electronic voting machine, it generates a complete, permanent paper record showing all votes cast by each elector, that is verifiable by the elector, by either visual or nonvisual means as appropriate, before the elector leaves the voting area, and that enables a manual count or recount of each vote cast by the elector.

Wyoming has not established a statutory requirement for permanent voter verifiable ballot or record. However, the State currently uses precinct count paper ballot optical scan systems. To assist voters with disabilities, three counties use direct recording electronic voting systems equipped with voter verified paper audit trail printers and the rest use ballot-marking devices.


Voter Registration Technology

The voter registration process may seem simple to most voters. They give their names, addresses, birth date, and in some cases party affiliations to election officials with the expectation that they will be able to vote on Election Day. In reality, election officials must oversee a complex system managing this process. They must ensure that the voters’ information is accurately recorded and maintained, that the system is transparent while voter information is kept private and secure from unauthorized access, and that poll workers can access this information on Election Day to determine whether or not any given voter is eligible. A well-managed voter registration system is vital for ensuring public confidence in elections.

State and local governments have managed voter registration using different approaches among different jurisdictions. In 2002, Congress sought to make these disparate efforts more uniform by passing the Help America Vote Act, which required that each state have a computerized statewide voter registration database. In implementing this mandate, state and local governments still have differing approaches, but it is clear that information technology underpins each of their efforts. While technology will help election officials manage this complex system, it also creates new risks that must be addressed.

From ACM’s Voter Registration Database Report 2006  Read the full report (pdf)

Security Vulnerabilities in Maryland’s Online Voter Registration System

A letter written to the Maryland State Board of Elections in October 2012  by J. Alex Halderman, David Jefferson and Barbara Simons urging them to take immediate steps to better protect a new system that allows Marylanders to update their voter registration online. While expressing their strong support the goal of using the Internet to increase the convenience of voter registration and registration changes for both voters and election officials, the authors identified severe security vulnerabilities in Maryland’s online voter registration system. These problems leave the system open to large-scale, automated fraud, and make the Maryland system among the most vulnerable of all the states’ new online voter registration systems. The letter recommended defensive steps for immediate implementation, as well as additional safeguards for implementation as soon as possible after the election.

Read the Full Letter (pdf)

Problems Arising When Using Databases to Disqualify Voters
by Douglas W. Jones

At a news conference in August 2012, Iowa’s Republican Secretary of State, Matt Schultz, and Democratic attorney general, Tom Miller, presented evidence suggesting there are non-citizens who have registered to vote illegally and that some of these illegal registrants have voted. Clearly, further investigation is called for, and if indeed these people have voted, they should be prosecuted. I am worried, however, about the effort to run a database matching effort to ferret out and remove non-citizens from the voting rolls. The central problem here is that we have no requirement of registering to vote under the same name as we use for other purposes.

For a driver’s license, you present a birth certificate, so your name on the driver’s license will match your birth certificate. To register to vote, you can use your employer ID card and a phone bill. As it turns out, my voter registration is in the same name as my driver’s license. That’s because I used my license to register about 32 years ago. On the other hand, my employer’s ID card lists my name differently (just a middle initial). I could have registered to vote with that card, had I wanted to. There is no legal requirement that I use the same name everywhere, and in fact, I use a variety of names and nicknames:

I’m not trying to confuse people. It’s just that, at various times, I’ve used different and obvious variations on my full name.

That’s why cross checking voter lists with driver’s license databases is very problematic. If you demand exact matches, you’ll miss many people; and if you accept partial matches, you’ll start to confuse people. The exact rules used to determine whether you’ll be more likely to err by disenfranchising people who were legally entitled to vote, or to err by allowing people to vote who shouldn’t. Read More 


Post Election Audits

Post Election AuditsA number of states have enacted requirements for mandatory manual audits (in randomly selected precincts) of the voter-verified paper records produced by the voting systems in use in those states. These audits are designed to verify that the electronic voting systems (either DRE voting machines or optical scan voting systems) are accurately recording and counting the votes. In the randomly-selected precincts, a hand count of the voter-verified paper records is compared to the totals reported by the electronic voting system. (Click on the map to see which states require post election audits.)

Two states without voter-verified paper record requirements (Kentucky, Pennsylvania) also have audit requirements. These were written into statute decades ago, apparently prior to widespread adoption of (paperless) direct recording electronic (DRE) voting systems. It is unclear whether – or how – these states are carrying out their statutory audit requirement. Texas requires audits of optical scan paper ballot systems only; counties with DREs have no voter-verified paper records to audit. The audit provisions in the various states illustrate a variety of manual audit requirements in several states using voter verified paper records, as well as two provisions from states that do not (yet) require VVPR. Some apply generically to both direct recording electronic systems equipped with voter-verified paper audit trails (VVPAT) and optical scan systems, since both offer voter-verified paper records which can be compared to an electronic tally. Others refer specifically to DRE + VVPAT systems (e.g. Washington). In every case (except Kentucky and Pennsylvania) the paper record verified by the voter is the one used in the manual count. The quantity of ballots to audit is most often stated as the ballots in some percentage of the total precincts, although some provisions audit by other units (by machine, ballot batches, etc.).

Why Audit Election Results?
No voting system is perfect. Nearly all US elections today are counted using electronic voting systems. Such voting systems have produced result-changing errors through problems with hardware, software, and procedures.1 Errors can also occur in hand counting of ballots or in the compiling of results. Even serious error can go undetected if results are not audited effectively.

Well-designed and properly performed post-election audits can significantly mitigate the threat of error, and should be considered integral to any vote counting system. A post-election audit in this document refers to hand-counting votes on paper records and comparing those counts to the corresponding vote counts originally reported, as a check on the accuracy of election results, and resolving discrepancies using accurate hand counts of the paper records as the benchmark. Such audits are arguably the most economical component of a quality voting system, adding a very small cost2 for a large set of benefits.

The benefits of such audits include:

Post-election audits differ from recounts. Post-election audits routinely check voting system performance in contests,3 regardless of how close margins of victory appear to be. Recounts repeat ballot counting in special circumstances, such as when preliminary results show a close margin of victory. Post-election audits that detect errors can lead to a full recount.

When an audited contest is also recounted, duplicate work can be avoided. Voting systems should have reliable audit records. Best effort audits should be performed even if the technology does not support optimal audits, or even if the laws do not permit optimal remedies. No single model for post-election audits is best for all states. Election traditions, laws, administrative structure and voting systems vary widely. Nonetheless, there are guiding principles that apply across all states. As states develop their own audit models, the public should have the opportunity to help shape those regulations.4

Best Practices for Post Election Audits
In Post-Election Audits: Restoring Trust in Elections, the Brennan Center teamed with the Samuelson Law, Technology & Public Policy Clinic at Boalt Hall School of Law (UC Berkeley), as well as several election officials and leading academics (collectively, the “Audit Group”), to make several recommendations for conducting post-election audits. Many of these recommendations are amplified in “Principles and Best Practices for Post-Election Audits,” which is available online here.

All states should look to statistical sampling methods tied to the margin of victory to improve their criteria for how many units to audit for more effective auditing. A well designed audit can provide a large chance of correcting the outcome if it was wrong. Such risk-limiting audits are being piloted in California, Colorado and Ohio; Colorado law requires moving to risk-limiting audits by 2014. Currently only North Carolina legally requires the use of statistical methods in the selection process, while Oregon, New Mexico and New Jersey laws require taking the margin of victory into account when determining what (fixed) percentage to audit. (New Jersey’s law is not yet implemented). Ten California counties conducted pilot risk-limiting audits recently. Among other state grants, the U.S. Election Assistance Commission awarded California $230,000 in federal grant money to fund up to 20 such pilot audits following elections held in California counties throughout 2012.

The following steps are critical for a good audit:

Auditing All Ballots Good audit protocols mandate that all ballots – early and absentee ballots, UOCAVA ballots, regular and provisional ballots, and aggregation at the tally server – be audited for accuracy.

Using Transparent and Random Selection Processes for All Auditing Procedures Audits are much more likely to prevent fraud, and produce greater voter confidence in the results, if the ballots, machines or precincts to be audited are chosen in a truly random and transparent manner, observable by the public with sufficient notice.

Conducting in a Timely Manner Audits should be conducted before results are finalized, so that if the audit reveals problems, official totals can be corrected.

Implementing Effective Procedures for Addressing Evidence of Fraud or Error If audits are to have a real deterrent effect and catch widespread, systemic problems, jurisdictions must adopt clear procedures for dealing with audit discrepancies when they are found.. Such procedures must ensure that outcome-changing errors are not ignored, otherwise vote tampering succeeds.

Encouraging Rigorous Chain of Custody Practices. Audits of voter-verifiable paper records will deter attacks and identify problems only if states have implemented solid chain of custody and physical security practices that will allow them to make an accurate comparison of paper and electronic records.

Florida and Minnesota – A Tale of Two Elections

A compelling case for post-election audits can be drawn through a comparison of the 2008 Senate race in Minnesota and the 2006 Congressional race in Florida’s 13th District. On election night in 2008, based on the electronic tallies, Norm Coleman was reported to be the winner of the Minnesota Senate rase. Only because Minnesota used paper ballot optical scan systems statewide and only because election workers hand-counted all of the almost 3 million paper ballots that were cast in the election could Minnesota determine the true winner of the election: Al Franken was eventually found to have won the race.

In stark contrast, in the 2006 Congressional race in Florida’s 13th District, candidate Vern Buchanan was reportedly ahead of candidate Christine Jennings by 369 votes.901 However, in Sarasota County, one of the five counties in the District, a staggering 18,000 votes were not recorded for the Congressional race. That was a higher under-vote rate (almost 13%) than in any of the other counties (in other counties, the highest under-vote rate was just under 6%, and the others were between 2% and 3%). Unlike Minnesota, however, in 2006 Sarasota County used paperless DREs. Therefore, there were no independent records of the votes cast in the polling places in that county. Some, including the U.S. Government Accountability Office, ultimately concluded that the under-vote was the result of a confusing touch screen ballot that caused voters to overlook the Congressional race. But because there was no evidence (paper ballots) that could be reviewed to confirm the intention of the voters, there was no way to dispute the electronic result. Following a lengthy legal battle Vern Buchanan was sworn in.

Ron Rivest at the 2007 Post Election Audit Summit

Joe Hall speaking at the 2007 Post-Election Audit Summit

Risk-Limiting Post-Election Audits

The risk-limiting audit5 is the gold standard of audits. Risk-limiting means that if the machine-reported count is incorrect, “there is a large, pre-specified chance that the audit will reveal the correct outcome.”6

Risk-limiting post-election audits are designed to minimize the size of the audit when the outcome is correct, while with very high probability correcting the outcome, if it is incorrect, by counting all the ballots. The audit continues until there is sufficiently strong statistical evidence that the apparent outcome is right, or until all the ballots have been manually counted. There are several factors that determine the size of the audit. Two are the closeness of the race being audited and the total number of ballots cast in that race.

To understand why, imagine an election with 100,000 votes where the machine results show candidate A beating candidate B by 100 votes. A relatively small number of votes for B that either were incorrectly counted for A or not counted at all could change the result and determine that B was the actual winner. Since a few potentially election-changing discrepancies might not be uncovered by a small audit, a large audit is needed. If, however, the machine results show A beating B by a wide margin of 20,000 votes, but B actually beat A, there would have to be a large number of B votes given to A or not counted at all to change the outcome. Therefore, if only a relatively small number of audit units is examined, it would be highly likely that a large number of wrongly recorded votes would be uncovered. A third factor is the size of the batches for which auditable totals are available. The smaller the batches, the fewer ballots will have to be examined, with individual ballot audits being the most efficient.

The following food example from Philip Stark is instructive.7 Suppose there are 100 bags of 100 jelly beans each, with some bags having a mixture of flavors and others consisting of a single flavor only. Suppose also that each bag is covered with aluminum foil, so that nobody can tell which is which by looking at the bags. I love coconut jelly beans and I want to estimate the number of coconut beans in all 100 bags.

One option would be to choose a bag at random, open it, and count all the beans. I could then estimate the total number of coconut beans by multiplying the number in that bag by 100. If I chose a bag that contained only coconut beans, I would estimate that all 10,000 beans were coconut; if the bag consisted of entirely a different flavor, I would estimate that none of the 10,000 beans was coconut; and if I picked a mixed bag, I would assume the ratio of all 10,000 beans was the same as that in the bag I had picked.

Suppose instead the jelly bean bags are all opened by someone else, dumped into a large pot, and stirred well. Suppose I then choose 100 beans at random from the large pot and count the number of coconut beans in that group. The estimate I get in this case will be far more reliable than the estimate I would get by looking at the contents of a single bag, even though in both cases I’m examining 100 jelly beans. To get a similarly reliable estimate on the number of coconut jelly beans in all the bags by drawing individual bags at random, I would have to examine far more bags and count many more jelly beans.

The basic structure of a risk-limiting audit follows the following framework: Hand count ballots until the evidence is strong that the outcome is correct. The number of ballots counted will depend on the errors you observe and the particular method being used. If you see no errors or predominantly errors that, if corrected, help the apparent winner, you need to look at fewer ballots than if you see errors that, if corrected, predominantly help the apparent loser. In sum, the number of ballots that need to be examined depends on the data.

There are also time-saving techniques for doing a risk-limiting audit of all of the ballot races simultaneously, 8 although hand-counting multiple races at once may be significantly harder than counting just one race by the sort and stack method. In 2009 Colorado modied its election law to require risk-limiting audits by 2014.9

The following year the American Statistical Association issued a statement endorsing risk-limiting post-election audits.[34] In the same year AB 2023 became law in California. AB 2023 authorizes “the Secretary of State to establish a post-canvass risk-limiting audit pilot program in ve or more voluntarily participating counties for the purpose of verifying the accuracy of election results.”10

 


Voting Equipment

In an age of electronic banking and online college degrees, why hasn’t the rest of the nation gone to voting on touchscreen computers? The reason is simple and resonates with the contentious debate that has yet to be resolved after at least 15 years of wrangling over the issue of electronic voting. No one has yet figured out a straightforward method of ensuring that one of the most revered democratic institutions—in this case, electing a U.S. president—can be double checked for fraud, particularly when paperless e-voting systems are used.” – Scientific American, Jan. 9, 2012

Today’s political climate is riven with discontent and mistrust of the institutions of government, yet apart from public discourse, the vote is still how we make our will known. Mistrust in lawmakers or institutions may be nearly endemic, but we still rely on the principle that they can be voted out. When our voting systems fail though, voters lose trust in the electoral process, and that is corrosive. Without that trust, our democracy could crumble. In such an environment, it is of critical importance that we safeguard that most fundamental part of who we are as Americans – our democracy – by ensuring voting systems work properly and that it is possible for those responsible for operating our elections to demonstrate to the public that their votes indeed are being captured and counted as they intended, and that the outcomes are correct.

The U.S. election system faces unprecedented tests. Among those tests are overt challenges to the full participation of all eligible voters. But there are also serious fault lines in the landscape of democracy, some of which are not visible but which threaten nonetheless. Many of these tests will become visible in the last yard of the voting process—the final step that occurs after other obstacles to voting are overcome, where the will of the voters must be captured and counted. That last yard is where the voter actually has the opportunity to mark and cast a ballot, and where the ballots are collected and counted, and ideally, where the systems that tally our votes are checked to make sure they work as they should. This is where the intersection of technology and democracy occurs. Challenges to voters’ rights in that last yard derive from problems caused by the deployment and use of inadequate voting systems, and exacerbated by insufficient checks on the accuracy of the outcome.

Far too many states use unreliable and insecure electronic voting machines, and many states have made their situation worse by adding some forms of Internet voting for some voters, which cannot be checked for accuracy at all. Even in states where verifiable systems are used, too often the check on the voting system’s function and accuracy is not done. The voting equipment now in use are aging; resources are severely impacted by the state of the economy over the past several years; shortages of both equipment and human resources are likely. After all the effort necessary to overcome the other hurdles to casting a ballot, it is patently unfair that once you get to the ballot box, that the ballot itself fails you. Taken together, these problems threaten to silently disenfranchise voters, potentially in sufficient numbers to alter outcomes.

Verified Voting Foundation: Principles for New Voting Systems

Overview of Voting Equipment

Four basic types of voting equipment are used in US elections.

Optical Scan Paper Ballot Systems (including both marksense and digital image scanners), in which voters mark paper ballots that are subsequently tabulated by scanning devices. On most optical scan ballots voters indicate their selections by filling in an oval (on ES&S and Premier/Diebold ballots), completing an arrow (Sequoia ballots), or filling in a box (Hart Intercivic ballots.) Ballots may be either scanned on precinct-based optical scan systems in the polling place (Precinct Count) or collected in a ballot box to be scanned at a central location (Central Count.)

Direct Recording Electronic (DRE) Systems, in which using one of three basic interfaces (pushbutton, touchscreen or dial) voters record their votes directly into computer memory. The voter’s choices are stored in DREs via a memory cartridge, diskette or smart card and added to the choices of all other voters. An alphabetic keyboard is typically provided with the entry device to allow for the possibility of write-in votes, though with older models this is still done manually.

DRE systems can be distinguished generally by the interface through which the voter indicate her selections. The first generation of DREs used a push-button interface, while later systems use a touchscreen interface. The Hart Intercivic eSlate uses a dial interface. Some DREs can be equipped with Voter Verified Paper Audit Trail (VVPAT) printers that allow the voter to confirm their selections on an independent paper record before recording their votes into computer memory. This paper record is preserved and, depending on State election codes, made available in the event of an audit or recount.

Ballot Marking Devices and Systems provide an interface to assist voters with disabilities in marking a paper ballot, which is then scanned or counted manually. Most ballot marking devices provide a touchscreen interface together with audio and other accessibility features similar to those provided with DREs, but rather than recording the vote directly into computer memory, the voter’s selections are indicated through a marking a paper ballot, which is then scanned or counted manually.

Punch Card Voting Systems Punchcard systems employ a card (or cards) and a small clipboard-sized device for recording votes. Voters punch holes in the cards (with a supplied punch device) opposite their candidate or ballot issue choice. After voting, the voter may place the ballot in a ballot box, or the ballot may be fed into a computer vote-tabulating device at the precinct. No jurisdictions will use punch card voting systems in 2016.

Mechanical Lever Voting Machines First introduced in the 1890s, mechanical lever machines were used in many States during the 20th Century. As recently as 1996, mechanical lever machines were used by 20.7% of registered voters in the United States. Since 2010, no mechanical lever voting machines are used in US elections.

Hand Counted Paper BallotHand Counted Paper Ballots A significant number of jurisdictions manually count paper ballots cast in polling places by hand and even more count absentees and/or provisional ballots by hand. While not a type of “voting equipment”, beyond the pen or pencil used by the voter to mark the ballot, many of the issues of ballot design and voter intent that effect all voting systems are relevant to hand counted paper ballots as well.

Voting Stages

Not all votes are cast in traditional polling places on Election Day – an increasing number of voters vote absentee by mail or at in-person early voting facilities. All jurisdictions now provide accessible equipment for voters with disabilities. Most jurisdictions use different voting systems for these different voting stages.

Polling Place Voting In American elections, the majority of votes are cast in polling places. There are essentially two methods used to capture the voter’s selections: a paper ballot marked by the voter, either physically or through the use of an assistive ballot-marking device, or a software interface in which votes are recorded directly into computer memory. Most paper ballots cast are tabulated by optical scanners, though there a significant number of jurisdictions that count paper ballots cast at polling places manually.

Accessible VotingAccessible Voting The Help America Vote Act of 2002 (HAVA) required that every polling place provide voting equipment with assistive features for voters with disabilities. Jurisdictions have adopted different approaches to meeting this requirement. Some have opted for the exclusive use of direct recording electronic (DRE) systems for all polling place voters. Others have chosen to have “Mixed” systems, with both an optical scan paper ballot system and a DRE system available in each polling place. Some such jurisdictions limit the use of DREs primarily to voters with disabilities while others allow all voters to choose between the two systems available. A third approach to meeting the accessibility requirements of HAVA through the use of Ballot Marking Devices or Systems. These systems allow voters with disabilities to mark a paper ballot that is then counted along with the other paper ballots cast in the polling place.

Early Voting In recent years many, but not all, States provide for in-person Early Voting. For a period a days or weeks prior to the official Election Day (the period varies from State to State) voters have the option of visiting a central location (typically the county election officials office or, in larger jurisdictions, satellite vote centers) to cast their vote. Most jurisdictions use the same voting equipment for the early voting period that are used in polling places on election day but not all. Some states offer “In Person Absentee Voting” during a certain period of time before an election during which a voter may apply in person for an absentee ballot and cast that ballot in one trip to an election official’s office.

Absentee VotingAbsentee Voting Absentee Voting is available in every State. In some States there are restrictions on who can vote by mail and three States (Colorado, Oregon and Washington) conduct elections using only mail ballots. Most jurisdictions tabulate absentee ballots with optical scanners – either high volume “Central Count” systems or smaller “Precinct Count” scanners. A small but significant number of jurisdictions count absentee ballots manually. Some jurisdictions transfer the votes cast by voters on absentee paper ballots onto DRE systems rather than tabulating the ballot by scanning or manual counting.

Provisional Ballot EnvelopeProvisional Ballots The Help America Vote Act of 2002 established that a voter could cast a provisional ballot if he or she believes that they are entitled to vote though there name does not appear in the pollbook. A provisional ballot is cast when: the voter refuses to show a photo ID if required, the voter’s name does not appear on the polbook for the given precinct, the voter’s registration contains inaccurate or out-dated information such as the wrong address or a misspelled name, or a ballot has already been recorded in the voter’s name. Whether a provisional ballot is counted or not is contingent upon the verification of that voter’s eligibility. Many voters do not realize that the provisional ballot is not counted until 7–10 days after election so their vote does not affect the initial announced results. Once the provisional ballot is determined to be valid it is counted with a scanner or manually.

A Brief History Voting Machines in the US

The County Election(From Douglas Jones, Brief Illustrated History of Voting) The conduct of elections has changed in many ways over the past 200 years. The extent of these changes is nicely illustrated by a comparison of today’s voting practices with those illustrated in George Caleb Bingham’s painting, The County Election (left – click to enlarge). In addition to being a noteworthy artist, Bingham was a successful politician; this painting shows a polling place on the steps of the courthouse in Saline County, Missouri, in 1846. In this painting, we see the judge (top center) administering an oath to a voter. The voter (in red) is swearing, with his hand on the bible, that he is entitled to vote and has not already done so. There was no system of voter registration, so this oath and the possibility that the judge or someone else in the vicinity of the polls might recognize him if he came back was all that prevented a voter from voting again and again.

There was no right to a secret ballot; having been sworn in, the voter simply called out his choices to the election clerks who sit on the porch behind the judge tallying the vote. Each clerk has a pollbook in which he writes the voter’s name and records his votes; multiple pollbooks were a common defense against clerical error. There are several people in the painting holding paper tickets in their hands. We know that these were not paper ballots because Missouri continued to use voice voting until 1863. In a general election, however, many voters might have wanted to bring their own notes to the polling place. Campaigning at the polling place was legal and common. The man in blue tipping his hat to the voter immediately behind the man taking the oath is one of the candidates in this election, E. D. Sappington, who lost to Bingham by one vote. He’s handing out his calling cards so that people can easily read off his name to vote for him.

Voice votes offer modest protection against fraudulent vote counts: An observer can easily maintain an independent tally of the votes, and since there is no ballot box, it cannot be stuffed. On the other hand, the lack of privacy means that voters are open to bribery and intimidation; an employer can easily demand, for example, that his employees vote as required, and a crook can easily offer to pay a voter if he votes a certain way. Continue Reading


Advanced Voting Solutions (AVS)


WINVote

AVS WINVote

The Advanced Voting Solutions (AVS) WINVote is a Direct Recording Electronic voting system with a touch-screen voting terminal equipped with a wireless local area network (LAN), a 15-inch full color screen with zoom capabilities, and built-in battery backup power, modem, and printer.  When operational in a live election environment, the WINvote terminal rests in a plastic voting booth/secrecy and transportation case.  It is designed as a stand-alone system to function both as a traditional precinct voting device and as a non-geographic voting station.

AVS WINVoteWINware is the election management software for the WINvote systems. WINprep is a software application designed to enable county election officials to perform all aspects of the election programming process.

WINresults is a comprehensive tabulation, accumulation and reporting system. The method of manual data transfer requires poll workers to transport the WINvote ballot station to the central tabulation facility or, if election procedures permit, the USB drive may be removed from the ballot station and transported via vehicle to the county central tabulation facility. During that process, however, other data including hardware, diagnostic test logs, ballot images, ballot cast logs, operational audit logs, ballot images, ballot cast logs, operational audit logs and use activity from the polling location are collected and stored in single USB type memory devices for archive and audit use. AVS uses 802.11b wireless technology in their voting system to open every voting machine to program ballots, this system “beams” the ballot via wireless networking.

AVS WinVoteVoting Process: After checking in at the polling place, the voter will approach one of the terminals. An election official will activate the machine.  The voter will touch the “Click Here to Start” button on the welcome screen, and the ballot-marking process will begin. The screen can be programmed to display one race at a time, with available choices listed below the race name, but most often multiple races will be displayed on the screen.  Write-in candidates can be selected by touching the “Write-In” button at the bottom of the choice list.  After making a selection, touch the “Next” button on the bottom of the screen.

When all selections have been made, the voter will be taken to a summary screen that lists that name of each race and the option that was selected by the voter.  If the voter wishes to change any of these races, he/she should simply touch the name of the race and make another selection. When the voter is satisfied with the summary screen, he/she should touch the red “Next” button on the bottom-right part of the screen. The next screen has a large red “VOTE” button.  After touching that button, the ballot has been cast.

Scantron 2260

WINScan: As part of their voting system suite, AVS offered the WINscan System for the tabulation of absentee ballots. WINScan Ballots are programmed from WINware, the same single-entry application software set that creates electronic ballots for the WINVote DRE. These ballots were then scanned by commercial off the shelf optical scanners produced by Scantron, Inc. Three Scantron models were sold by AVS as part of this system: Model 2260 (left) or 2800 and the larger Model 6500 which has multiple outstacking capabilities.

A Series of Pollworker Training Videos for the AVS WINVote were prepared by Fairfax County VA:

Security Concerns

Security Seals Ideally, the WINVote’s exposed ports, memory card access areas and case seams would be covered with tamper-evident security seals. The integrity of these seals should be maintained at all times, and only breached under controlled, explained circumstances. Seals should be logged to
maintain chain of custody of sensitive materials.

Memory Card is Sensitive Corrupt memory cards can introduce viruses, cause the main election server to crash and falsify votes. Access to the MBB
memory card should be controlled, monitored and logged at all times.

Wireless Vulnerabilities The WINVote can be used in a wireless mode that involves individual machines talking to to other machines in each precinct. Wireless transmission of voter authentication and vote data can be very problematic and prone to error and malicious intervention. Moreover, there is evidence that the WINVote system operates over cellular frequencies (CDPD) as well as wireless data frequencies (802.11b) which considerably widens the possibilities of remote tampering.

References

Virginia Voting Machines Have ‘Vulnerability’ to Wireless Sabotage, CIO Journal 9/28/12

Advanced Voting Solutions WINware Voting System v.2.0.4 Test Plan Rev.2.0, EAC, 2007

Advanced Voting Solutions WINvote Re-examination, Pennsylvania Secretary of the Commonwealth, 2007

The End of the Line for AVS in Pennsylvania? VoteTrustUSA 2007

AVS WINVote Malfunctions 2003-2007, VotersUnite.org

Operation Ballot Integrity, Fairfax County Republican Committee, 2003


Alternate Format Ballot

ALTERNATE FORMAT BALLOT

In 2007, OakTree Digital contracted with the Oregon Secretary of State to develop and implement an accessible HTML-based ballot called the Alternate Format Ballot (AFB). Since then a Large Format Ballot (11” x 17”, 18pt font) has been added to the choices a voter has for ballot formats. A registered voter can receive an AFB (either the HTML version or the Large Print Version) by calling an elections official and requesting it. New registrants can indicate the need for an alternate ballot format (Braille, AFB, Large Print) when registering through the Oregon Centralized Voter Registration (OCVR) system.

Prior to an election, the county elections office typically generates a specific mailing (label generation) for these voters. The Large Print Ballots are generated, printed locally, inserted in standard ballot envelopes, and mailed to these voters in the same manner as standard ballots. Voters on the HTML AFB list still receive a paper ballot and the required envelopes.

UOCAVA Workshop Position Paper-Oregon Alternate Format Ballot -The HTML AFB is then sent directly to the voter via email or on a CD. The voter who has, or has access to, the necessary technology then completes the ballot independently and privately. The AFB has also been used to fulfill requests from military personnel or overseas voters who did not receive a ballot and need a ballot quickly to ensure timely return. Once received by the voter the AFB is accessed (opened) on a personal computer equipped with whatever technology they have available to access a browser (e.g. screenreader or screen magnification applications, sip-puff devices, joy stick, and the like). Using these devices a voter with a disability can access, mark, verify and print the ballot. The voter’s printed ballot (AFB ballot summary page) is then placed into the secrecy envelope and mailed just like any other ballot.

Each state election office in Oregon has at least two accessible computer stations (ACS) that are used to provide access to the AFB for voters with disabilities who do not have independent access to a PC. There is currently no process for electronically submitting the AFB ballot to the county or central ballot repository to provide direct tabulation of the AFB without the duplication process.


Avante Technology International


Vote-Trakker

Avante Vote-TrakkerAvante Vote-TrakkerThe Avante Vote-Trakker is a direct recording electronic voting system that can be equipped with a voter verified paper audit trail printer. Voters use a “smart card” called a Voter Identification (VID) card to initialize the machine. After voting, the voter inspects a paper printout of their vote behind clear plastic. The voter then either cancels the vote or approves it. When cast, the paper record of the vote is deposited into an attached ballot box and the electronic record of the vote is written to flash memory and a hard drive within the machine. At the end of the election, the contents of the hard-drive are written to a writeable CD-ROM. Finally, the attached ballot box and the CD-ROM are transported to a tabulation facility where the CD-ROMs from all precincts are read into a central tabulation computer and summed to produce an aggregate vote count.

Avante uses what is called a contactless, non-directional smart card. Respectively, this means that the chip inside the card is not exposed and it does not matter which way the card is inserted into the machine. The ballot style specifies the races in an election and can be specific to a precinct and, during a partisan primary, the voter’s political party. The card contains a 24 character randomly generated number that is used to connect the electronic ballot with the paper record.

Voting Process: After confirming the voter is registered, he or she is handed a “smart card” called a Voter Identification (VID) card to activate the voting machine. This allows the machine to vote once. A “smart-card” is a card the size and shape of a credit-card which contains a computer chip, some memory and basic data such as the voter’s ballot style.

Avante-vvpat-200 copyAfter using the touchscreen to vote, the Vote-Trakker can then print a paper record displayed under clear plastic to avoid manipulation. The voter inspects the printout for accuracy. If the vote is incorrect, the voter indicates so using the touchscreen and is given another chance to fix any mistakes after the paper record is deposited in a compartment in the machine for spoiled votes. If the vote is correct, the voter indicates so using the touchscreen and the machine prints a barcode on the paper record and drops it into the ballot box attached to the machine. At the same time, the vote is electronically recorded internally to flash memory and an internal hard drive as ballot images. At the end of the day, a poll worker with a special poll worker card closes each machine.

The contents of the hard drives in each machine are then written to a writeable CD-ROM (also called a CDR). The CDR can only be written once and cannot be changed afterwards. The CDR with the vote data and ballot box for each machine is delivered to a tabulation facility. At the tabulation facility, the vote data is read off of the CDRs from each precinct and fed into Avante’s tabulation software. What is done with the paper audit records varies highly by state and county.

A video showing the Avante Vote-Trakker:

Security Concerns

Security Seals. Ideally, the Vote-Trakker’s exposed ports, memory card access areas and case seams would be covered with tamper-evident security seals. The integrity of these seals should be maintained at all times, and only breached under controlled, explained circumstances. Seals should be logged to maintain chain of custody of sensitive materials. The Memory Card is Sensitive. Corrupt memory cards can introduce viruses, cause the main election server to crash and falsify votes. Access to the memory card should be controlled, monitored and logged at all times.

References

Avante Vote-Trakker Test Report, New York State Board of Elections, 2008

Avante Vote-Trakker Voter-verified Paper Record System Assessment, New Jersey Institute of Technology, 2007

Avante International Technology, Inc. Optical VoteTrakker v. 1.5.0 and Vote-Trakker Ballot Preparation and Tally Software v. 4.7.5, California Secretary of State (2004)

Avante California Consultant Report, 2004


Clear Ballot Group


ClearVote

newELECTION-scanner #4a_0
Clear Ballot produces the ClearVote 1.0 paper-based voting system that includes the ClearCount P1000 precinct optical scanner, the ClearAccess touchscreen ballot marking device, and ClearCount central count scanner, which uses a commercial off-the-shelf printers, typically Fujitsu fi-6800 high-speed scanners.

ClearAccess is an accessible ballot marking system that operates on unmodified off-the-shelf touchscreen computers. ClearAccess software records voters’ choices and prints machine-readable ballots that can be scanned and tabulated within the same processing stream as voter-marked ballots. ClearAccess outputs a marked paper ballot, similar to all other ballots in the election, which can be scanned on ClearCount central or the ClearCount precinct system.

TED Talk by Clear Ballot CEO Larry Moore:

Clear Ballot Scanner Operator Training Video prepared for the NY Board of Elections:

References
San Francisco RFI for Election Systems: Clear Ballot (2015)
ClearVote 1.0 Voting system State of Colorado Certification Testing (2015)
Colorado Clear Audit System Accuracy and Mark Sensitivity Testing (2014)


Danaher Controls


Shouptronic

Danaher Shouptronic 1242The Danaher Shouptronic (also known as ELECTronic) 1242 is a poll worker-activated full-face direct recording electronic voting system. Voters press the front of a mounted ballot (see rightmost image above) underneath which a touch-sensitive matrix of switches records choices. Poll workers activate the machine using an operator panel on the back of the machine to choose the ballot style and voters make choices by touching a numbered box next to their choice. When cast, voting records are recorded internally to eight memory locations: three banks of battery-powered RAM, three banks of EEPROM memory, one bank of EPROM memory and a removable memory cartridge, which contains both EPROM and EEPROM memory. When polls are closed, poll workers remove the memory cartridge that contains the vote records from each machine. These cartridges are then either physically transported to a tabulation facility or their contents transmitted over modem using a cartridge reading device.

Voting Process: When voters enter the precinct, poll workers confirm that they are properly registered to vote. The poll worker uses an operator’s panel on the back of the machine to choose the ballot style appropriate for that voter. The voter enters the curtains (see pictures at left above) and only the races for which they are permitted to vote are activated. The voter then votes by pressing a numbered box beside each choice in each race on the ballot. Flashing lights on the left-hand side of the ballot indicate races for which the voter has not yet voted. If the voter tries to choose more than one choice in a given race (over-voting), the machine will ignore the second choice. If the voter makes a mistake, they can press the numbered box again to deselect their choice; the indicator light will go out. The voter may then select the correct choice.

Danaher Shouptronic vote buttonWhen done voting, the voter presses a large green “Vote” button in the lower-right corner of the voting machine. It is very important that the voter does not push the vote-casting button until they are done voting; a vote inadvertently cast may not be redone. Once cast, the vote is recorded internally to eight internal memory locations: three banks of battery-powered RAM that reside on the machine’s central processor, two internal banks of EEPROM memory, one bank of EPROM memory and a removable memory cartridge, which contains one bank of EPROM and one bank of EEPROM memory. The vote records are stored in “vote tables” as aggregate vote tallies and also as ballot images both internally and to the removable memory cartridge.

When the polls close, the machines print out paper copies of the results and poll workers remove their memory cartridges, which contain the vote records from each machine. At this point, the cartridges are physically transported to a tabulation facility. At the tabulation facility, election officials use a cartridge reader to read the data off of the cartridges and into vote tabulation databases. The results are then combined to produce an aggregate vote tally. The printed total tapes and memory cartridges can then become part of the official record of the election.

A Shouptronic Voting Demo from Delaware:

A Shouptronic Voting Demo from Delaware County PA:

Background1

In 1984, Robert J. Boram filed for patents on behalf of the R.F. Shoup Corporation for a new voting machine that would be marketed as the Shouptronic. The Shouptronic was a full-face machine, using an array of push buttons behind a paper ballot label protected by a clear plastic sheet. As with the Microvote MV 464, the Shouptronic maintained a running vote count in its internal memory and included a printer to print the vote totals after the polls closed. The Shouptronic featured a memory cartridge similar to that used on the Optech I mark-sense ballot scanner, a machine that had come on the market only a year earlier. The cartridges of both machines used programmable read-only memory chips to hold election configuration information. Where the Optech I used battery-backed read-write memory to hold election results, the Shouptronic used a second programmable read-only memory chip.

Danaher Shouptronic CartridgeThe key property of programmable read-only memory or PROM is that once data is written to PROM, the data is difficult or impossible to erase. In contrast, data in read-write memory can be written, erased, and changed arbitrarily. In eect, the programmable read-only memory used in the Shouptronic cartridge has properties similar to the paper ballots retained by the Optech scanner or to the printed paper record of the Microvote machine. All of these machines maintained redundant but more vulnerable records in read-write memory. On the Optech machine, the read-write memory was in the memory cartridge, while on the Microvote and Shouptronic machines the read-write memory was a permanent part of the machine itself.

The Shouptronic was approved for sale in Pennsylvania in 1984, and the rst sales were made that year. By 1993, 11,000 Shouptronic machines had been sold. While Boram’s basic design for the Shouptronic has survived essentially unchanged over the years, the corporation that designed the machine is long gone. In 1989, Danaher Corporation acquired Guardian Voting, which had the rights to the Shouptronic. By 1999, the machine was being marketed by Danaher Controls as the ELECTronic 1242 voting machine.

Security Concerns

Security Seals Ideally, the 1242’s exposed ports, memory card access areas and case seams would be covered with tamper-evident security seals. The integrity of these seals should be maintained at all times, and only breached under controlled, explained circumstances. Seals should be logged to maintain chain of custody of sensitive materials.

Memory Cards The 1242 is an older type of machine that uses a particularly sensitive and volatile type of memory (battery-backed RAM memory). Care should be taken with memory cards and they should only be handled by pollworkers and authorized election officials, then in controlled circumstances such as the opening and closing of polls.

Broken buttons, broken lights The 1242 is a “button-matrix” DRE where the voter presses a button over which the machine’s paper ballot face is placed (under a plastic cover). A light lights up next to each selection by the voter. These buttons and lights, especially the frequently used ones in Federal races, can break or burn-out. If you see evidence of this – e.g., a light not lighting up after multiple button presses – you should request that the machine be pulled from service or that the button in question be serviced.

Fleeing voters/premature voting Some voters can be easily confused in that they press the large “VOTE” button too early or not at all. If a voter complains that they only were able to vote on the first few races, they probably pressed the “VOTE” button before they were finished voting their ballot. Unfortunately, there’s not much to be done here other than emphasize that voters should make sure that they press the “VOTE” button only after they are certain they have voted as they want to in all races on the ballot. If a voter neglects to press the “VOTE” button and leaves a valid ballot on the machine, poll workers will probably have procedures to deal with this problem. We recommend that a poll worker reach in between the curtains and simply cast this vote.

Incorrect ballot style The 1242 can accommodate a number of different ballots, for different precincts, by disallowing voters to vote in contests for which they are not eligible. If a voter complains that their party (in a primary) races are not activated or that local races specific to their precinct are not activated, the poll worker probably pushed the incorrect ballot style option. The poll worker should cancel that ballot and activate the correct one.

References

Analysis of a Danaher / Shouptronic 1242 Electronic Voting Machine, Lehigh University, 2008

Did You Erase Your Vote?, Warren Stewart, Scoop (2005)

Review Physical and Operational Security of the Danaher Controls 1242 Electronic Voting Machine, New Castle County DE (2004)

Risk Assessment of Danaher Controls DRE Electronic 1242 Voting System and Philadelphia Procedures” The Philadelphia City Commissioners Office, March 9, 2004


DFM


Mark-A-Vote

Mark-A-Vote BallotThe DFM Mark-A-Vote is an optical scan paper ballot voting system that will be used in three California counties for the November 2012 elections. The system consists of a ballot/card reader and BCWin, the election management software. These readers come from several different manufacturers and come in several different versions differentiated primarily by their speed. Most of the certifications for these readers date from the 1970’s. There is no firmware version associated with these readers.

The ballot consists of multiple paper cards which are voted front and back.  Cards are added as required depending upon the number of contests. Voting the Mark-A-Vote ballot is accomplished at precinct locations by the use of a specially inked felt tip pen while the absentee ballot is marked by the use of a #2 lead pencil. Write in voting is performed directly on the ballot card in spaces provided immediately following the other candidate names for the office. A secrecy envelope is furnished in which to place voted ballots prior to depositing in the ballot box or the absentee ballot identification envelope.

BCWin is the election management software for the Mark-A-Vote. BCWin stores its audit logs in a separate directory from the election database. The vendor mentions 6 audit logs: Card Reader Logs, Transmission Logs, Application Log, Utilities Log, Main Server Application Log, and Client Workstation Counting log. It is not clear to me exactly where these are stored. Mark-A-Vote was approved for use by the California Commission on Voting Machines and Vote Tabulating Devices in June of 1981.

Voting Process: The Mark-A-Vote reader requires a specific pen, which will be provided by poll workers or, if you vote by mail, a #2 pencil. Ball point and other marking pens can not be seen by the Mark-A-Vote card reading machine; if you accidentally mark in pen, go over pen marks with a #2 pencil.

Carefully read your ballot, as it will tell you how many votes you may cast for each contest. Marking more voting spaces than allowed is called an “overvote” and causes none of your votes for that contest to be counted. Conversely, if you mark fewer voting spaces than allowed, all “undervotes” will be counted. You are not required to vote on every contest on your ballot.

Voters may decide to vote for someone who does not appear on the ballot by “writing-in” that candidate’s name in the space provided for a particular contest.


Dominion Voting Systems


ImageCast

Dominion ImageCastDominion ImageCast The Dominion Democracy Suite is a paper-based optical scan voting system consisting of three components: ImageCast Precinct, a precinct-based optical scan ballot tabulator, ImageCast Evolution, precinct scanner with optional ballot marking capabilities, and ImageCast Central, a high-speed, central ballot scan tabulator based on Commercial off the Shelf (COTS) hardware. The ImageCast Precinct ballot scanner and vote tabulator that is used in conjunction with ImageCast compatible ballot storage boxes. The system is designed to scan marked paper ballots, interpret voter marks on the paper ballot and store and tabulate each vote from each paper ballot. The ICP contains a small touch-screen LCD to allow the poll worker to access diagnostic and configuration settings. In addition, enhanced accessibility voting may be accomplished via optional accessories connected to the ImageCast unit. The ICP utilizes an ATI device to allow voters with disabilities to navigate and submit a voted ballot. This is accomplished by presenting the ballot to the voter in an audio format. The ATI is connected to the tabulator, and allows the voter to listen to an audio voting session consisting of contest and candidate names. The ATI also allows a voter to adjust the volume and speed of audio playback.

The ImageCast Evolution employs a precinct-level optical scan ballot tabulator designed to mark and/or scan paper ballots, interpret voting marks, communicate these interpretations back to the voter (either visually through the integrated LCD display or audibly via integrated headphones), and upon the voter’s acceptance, deposit the ballots into the secure ballot box. The unit also features an Audio Tactile Interface (ATI) which permits voters who cannot negotiate a paper ballot to generate a synchronously human and machine-readable ballot from elector-input vote selections. The ATI can also accept input from sip and puff and other personal assistive technologies. In this sense, the ImageCast Evolution acts as a ballot marking device. The ImageCast Evolution has a small LCD display screen to provide voters with feedback such as an overvote warning. There are two buttons, a square red button labeled “Return” and an oval green button labeled “Cast” that the voter uses to instruct the machine to return or cast ballots with errors, such as overvotes or ambiguous marks. When the polls close, the ImageCast prints out the race results and other information on a paper tape.

ImageCast Central Count scanner

The ImageCast Central is a high-speed, central ballot scan tabulator using a Canon DR-X10C Scanner (pictured) or higher volume Canon DR-7550C, coupled with the custom-made ballot processing application software. It is used for high speed scanning and counting of paper ballots.

Voting Process: 

1. The pollworker will give you a ballot specific to your district. The scanner will be able to distinguish what district the ballot is for by the timing marks on the edge of the printed ballot. You may also receive a privacy sleeve.

2. Using the pen provided by the pollworker, fill in the oval completely to indicate your selections.

3. The voting booth has four sections, allowing for up to four voters to sign in at a time. The lower section is wheelchair accessible.

4. When you have finished marking selections and reviewing your ballot, insert the completed ballot into the ImageCast scanner. If the ballot has been completely voted and the ovals are filled in correctly, the scanner will automatically cast the ballot.

5. While the scanner will notify you if you have over-voted, it will accept under-votes when all the contests or ballot questions have not been voted on. If there are ballot discrepancies, or the scanner can not read the ballot, the LCD screen will alert you to the error and/or the ballot will be returned.

 A Voting Demo produced by Warren County NY:

 A Demo of Poll Opening and Closing:

Security Concerns

Security Seals  The ImageCast ‘s exposed ports, memory card access areas, ballot box doors and case seams should be covered with tamper-evident security seals. The integrity of these seals should be maintained at all times, and only breached under controlled, explained circumstances.

Ballot Box Access The ImageCast scanner has one ballot box with separate sections, one which receives ballots containing write-in votes. Each ballot box should be inspected by poll workers at the beginning of voting to make sure that they are empty. These ballot boxes should be locked and/or be sealed with tamper-evident tape and appropriate entries made in chain of custody logs.

Memory Cards are Sensitive Corrupt memory cards may introduce viruses, cause the scanner of main election server to crash, cause other problems that can result in incorrect vote tallies. Access to the memory card should be controlled, monitored and logged at all times. Tamper evident seals should cover access to memory cards and other ports, with entries recording the seal numbers made in chain of custody logs whenever seals are removed or reattached.

Correct Inks for Marking Ballots Some Optical Scan systems have trouble reading red inks or inks with red in them. Voters should only use the writing instrument provided at the polling place.

References

California Voting System Review: Dominion Democracy Suite 4.14-A.1 with Adjudication 2.4 voting system (2014)
Red Team Report
Source Code Report – Democracy Suite 4.14-A.1
Source Code Report – Adjudication 2.4

Voting System Qualification Test Report Dominion Voting Systems, Inc. Democracy Suite, Release 4.14.17, Version 3, Florida Division of Elections, 2015

Report on Dominion Voting System, Democracy Suite Election Management System 4.14, New Mexico Secretary of State, 2013

Usability Study of Dominion Voting Systems ImageCast and ImageCast with Ballot Marking Device, version 1.30/4.0

ImageCast Pollworker Manual, Madison County NY 2011

Final Test Report Dominion Voting Systems Democracy Suite 2.0, New York State Board of Election, 2008


Election Systems and Software (ES&S)


Election Systems and Software (ES&S) DS

ES&S DS850 Central Count ScannerThe ES&S DS850 is a high-speed, digital scan central ballot counter. During scanning, the DS850 prints a continuous audit log to a dedicated audit log printer and can print results directly from the scanner to a second connected printer. The scanner saves results internally and to results collection media that officials can use to format and print results from a PC running Election Reporting Manager. The DS850 has an optimum throughput rate of 400 ballots per minute and uses cameras and imaging algorithms to image the front and back of a ballot, evaluate the results and sort ballots into discrete bins to maintain continuous scanning.

 

ESS_Opscan_Instruction_GraphicPolling Place Voting Instructions

1. A poll worker will issue a paper ballot and direct you to a voting booth.

2. To select your candidate, use a pen to fill in the oval beside the candidate’s name you wish to choose.

3. After completing your ballot, check over each race to make sure you have marked the ballot as you intended. If you make a mistake, simply ask the poll worker for another ballot.

4. When finished making your choices, place your ballot in the ballot box. All ballots in your county will be counted at a central location after the polls close. Because your ballot is counted after you leave the polling place, you will not be alerted of any over-votes or under-votes.

IMPORTANT Over-Votes: If a voter casts votes for more than the allowable number of candidates in a contest or cast votes for and against an issue in a contest. Over-voted races cannot be counted. In jurisdiction using a central count voting method there is no way for a voter to be notified of an overvote so be very careful to vote for only the allowable number of candidates in any contest (in most cases one). If you do accidentally over-vote and you have not put your ballot into the ballot box, you can request a new ballot from an election official. You will be asked to sign a Spoiled Ballot Affidavit. You may “spoil” up to two ballots and receive another (three ballots total). Once you drop your ballot in the ballot box, no changes can be made.

An ES&S Demonstration Video of the DS850 can be viewed here.

References

Vulnerability & Security Assessment Report Election Systems &Software’s Unity 3.4.1.0, prepared for the California Secretary of State (2016)

ES&S Voting System 5.2.0.3 System Overview, Election Systems & Software for the Colorado Secretary of State, 2015

Report on the Examination of ES&S EVS 5.2.0.0 Voting System, Washington Secretary of State, 2014

ES&S Voting System 5.0.0.0 System Overview, Election Systems & Software, 2013

ES&S DS850 System Operations Procedures, Election Systems & Software, 2012


ExpressVote

ES&S ExpressVote

The ExpressVote is a universal vote capture device with an independent voter-verifiable paper record that is digitally scanned for tabulation by the DS200 or the DS850. This system combines paper-based voting with touch screen technology. The ExpressVote includes a mandatory vote summary screen that requires voters to confirm or revise selections prior to printing the summary of ballot selections using the internal thermal printer. Once printed, ES&S ballot scanners process the vote summary card. The ExpressVote can serve all voters, including those with special needs, allowing voters to cast ballots autonomously. ES&S has fully integrated the ExpressVote with the existing suite of ES&S voting system products. The ExpressVote capture device was certified to the 2005 Voluntary Voting Systems Guidelines by the Election Assistance Commission on July 2, 2014 as part of the ES&S EVS 5.2.0.0 voting system. The ExpressVote includes a touchscreen display, an audio-tactile interface, and an integrated card reader and printer. The audio-tactile interface includes three assistive technologies – two  position switches and a keypad. The ExpressVote system was designed to accommodate voters in the general voting population,   including voters with cognitive, dexterity, auditory and visual impairments.

expressvote_frontVoting Process: The ExpressVote is an electronic vote capture device designed for use by all electors. It features a touchscreen display and integrated thermal printer. Voters insert a blank paper activation card in the machine. This is the ballot. Voters have several options to make candidate selections. They may touch the screen or use the moveable keypad provided. The display includes various colors and effects to guide the voter. The voter may adjust the display contrast and text size in order to read the screen. Each key on the pad has both Braille and printed text labels designed to indicate function and a related shape to help the voter determine its use. Alternatively, voters may also use headphones to hear a recorded list of the instructions and candidates for each contest and then make selections by touching the screen, touching the keypad, touching a two-position switch, or through a sip/puff device. The voter may adjust the volume and tempo of the audio. The ExpressVote stores the choices in its internal memory. It can be programmed in multiple languages.

The machine provides a summary report for the voter to review his or her choices before the ballot is printed. Only the voter’s choices are printed on the ballot. The phrase “No Selection” appears under any contest in which the elector did not vote. Overvotes and crossover votes cannot occur on this equipment and a voter is warned about undervotes prior to the completion of voting.

Once the ballot has been marked and is provided to the voter, the ExpressVote clears its internal memory and the paper ballot is the only lasting record of the voting selections made. The voter may visually confirm his or her selections, or the ballot may be re-inserted into the machine and the voter selections summary report will provide an audio summary for voters with visual impairments. The voter proceeds to enter the ballot into the DS200 or a secured ballot box to be hand tabulated by election inspectors after the polls have closed. Ballots marked using the ExpressVote also may be tabulated using the DS850.

A video demonstration prepared for the November 2014 election in Fairfax County VA:

 Another video from Fairfax County VA:

References

ES&S ExpressVote Operators Guide, Election Systems and Software, 2014

ES&S EVS 5,2,0,0 Test Report, Election Assistance Commission, 2014

Idaho ExpressVote Procedures, Idaho Secretary of State, 2014

EVS 5200 Certification Report, Maryland State Board of Elections, 2014

ES&S EVS 5.2.0.0 & 5.3.0.0 Memorandum, Wisconsin Government Accountability Board, 2014

ExpressVote Usability Report, Clemson University and Election Systems and Software, 2014

EVS 5200 ExpressVote Election Day Checklist, Fairfax County Virginia, 2014


Models 150 550 &

ES&S Model 650

Election Systems and Software has produced several high speed optical scanners of which three models are currently fielded in US jurisdictions: Models 150, 550, and 650. The different models differ in speed; the 150 is slower, suitable for small counties and for processing absentee ballots that have been folded for mailing, while the 550 and 650 are faster, more appropriate for large counties. The most common high speed scanner in use in ES&S jurisdictions today is the Model 650. They are used exclusively for central counting ballots, either absentee ballots or ballots deposited by voters into polling place ballot boxes. In use, ballots to be counted are loaded on the tray to the right and then they are automatically fed through the reader mechanism and ejected into the output tray on the left. The scanner includes, within its body, a complete computer system, and it sits on a wheeled cart that also holds a printer and supplies.

Election workers program the Model 650 scanner for a specific election with an election definition from a Zip disk. After the polls close, poll workers transport ballots to a central count location where election officials scan the ballots. The Model 650 prints a continuous audit log to a dedicated audit log printer and can print results reports directly from the scanner to a second connected printer. The scanner saves results to a Zip disk that officials can use to format and print results from a PC running Election Reporting Manager. The Model 650 uses an OKI compatible dot matrix printer with a standard parallel input to print reports. In addition to the report printer, the M650 supports an additional audit printer. The scanner stops if either printer fails. If one printer fails, the audit log automatically switches to the working printer.

ESS_Opscan_Instruction_GraphicPolling Place Voting Instructions

1. A poll worker will issue a paper ballot and direct you to a voting booth.

2. To select your candidate, use a pen to fill in the oval beside the candidate’s name you wish to choose.

3. After completing your ballot, check over each race to make sure you have marked the ballot as you intended. If you make a mistake, simply ask the poll worker for another ballot.

4. When finished making your choices, place your ballot in the ballot box. All ballots in your county will be counted at a central location after the polls close. Because your ballot is counted after you leave the polling place, you will not be alerted of any over-votes or under-votes.

IMPORTANT

Over-Votes: If a voter casts votes for more than the allowable number of candidates in a contest or cast votes for and against an issue in a contest. Over-voted races cannot be counted. In jurisdiction using a central count voting method there is no way for a voter to be notified of an overvote so be very careful to vote for only the allowable number of candidates in any contest (in most cases one). If you do accidentally over-vote and you have not put your ballot into the ballot box, you can request a new ballot from an election official. You will be asked to sign a Spoiled Ballot Affidavit. You may “spoil” up to two ballots and receive another (three ballots total). Once you drop your ballot in the ballot box, no changes can be made.

 A Voting Demo from Arkansas:

A Video of the M650 tabulation process from Oregon:

Background1

Robert Urosevich and his brother Todd, an IBM salesman, formed Data Mark Systems to act as the marketing, sales, and service agent for the new Westinghouse ballot scanners, which were essentially standard test scanning machines. To demonstrate the capabilities of their new system, Westinghouse created the Scan-A-Van, a truck loaded with several of their scanners and the mini-computer needed to run them. The new system saw its rst test during the May 11, 1976 primary in Douglas County, Nebraska, under the glare of television lights. The test was deemed a success, and Douglas County became the first Data Mark customer. That November, Douglas County ballots were counted on three W600B scanners interfaced to a Hewlett-Packard 2100-series minicomputer and a line printer.

The W600B scanner could handle 600 pages per hour, and it had an automatic sorting mechanism that placed scanned pages into one of three output hoppers. Ballots that scanned normally went into a large hopper, while ballots containing write-in votes, timing and index marks in abnormal places, or overvotes were sorted into two smaller hoppers. In the central-count context, the ability to read ballots from many different precincts was important. Westinghouse understood this from the start, and designed ballots with a pair of code-tracks along the left edge that could be used to encode information such as precinct numbers. In effect, the code tracks were long skinny bar codes designed to be read by exactly the same kind of read heads that were used to read the votes on the ballots.

Even with their public success, sales of the Data Mark system were slow. Although they obtained California certification in 1976, their only customers four years later were Douglas and Sarpy Counties in Nebraska and Jefferson County, Missouri. Rock Island, Illinois, which used a Westinghouse ballot scanner for about six elections in 1981 and 1982, dealt directly with Westinghouse instead of going through Data Mark. From the corporate perspective of a large company like Westinghouse, educational testing was a small business, and ballot scanners were insignificant. With no immediate prospect of significant return on investment, there was little reason for Westinghouse to remain in the market.

AIS/ES&S Model 550For a small startup like Data Mark Systems, the story was quite different. Ballot scanners were their only business, and the lack of support from Westinghouse was frustrating. As Westinghouse backed out of the business, the Urosevich brothers and several key Westinghouse staffers formed a new company named American Information Systems to pursue the ballot scanner market. Their first product was the eccentrically numbered AIS 315 ballot scanner. The AIS 315 was developed largely by Jim Lane, a former Westinghouse employee. The 315 was in many ways a simplied successor to the W600 scanner. Weighing just under 300 pounds, the AIS 315 was the size of a small photocopier and designed to sit on a tabletop or on a heavy-wheeled cart. It could handle two-sided ballots printed on 80-pound legal-sized paper. The smaller and slower AIS 115 followed quickly in the marketplace.

AIS ballot scanners were certied for use in Ohio in 1982, New Jersey in 1983, Kansas in 1984, and Washington in 1985. These scanners and their successors have proven very durable. In Mississippi, for example, 12 counties purchased AIS scanners in 1987 and 1988 that were still in use in 2000. The ES&S Model 650 scanner shown at the top of the page is typical of the AIS family of scanners. This scanner is the direct descendant of the AIS 550 and the earlier 315. It uses essentially the same mechanism, but with updated electronics. Unlike the Westinghouse scanner with its multiple output hoppers, the AIS scanners feature extremely simple paper paths. When the scanner detects a misfeed or a ballot containing an overvote or a write-in vote it simply halts, displaying an explanation for the operator. It is up to the operator to pick up the problem ballot and deal with it appropriately.

References

Security Evaluation of ES&S Voting Machines and Election Management System, Department of Computer and Information Science University of Pennsylvania (2007)

Ohio EVEREST Review (2007)
ES&S Executive Summary
ES&S Technical Manager Report
ES&S Technical Details Report
Final Academic Report
Systest Technical Report

Security and Reliability of Webb County’s ES&S Voting System and the March ’06 Primary Election, Dan Wallach, 2006

ES&S Model 650 Central Ballot Scanner Operator’s Manual, Idaho, 2005

California Election Procedures Manual for ES&S Central Scanners (Models 550 and 650), 2004


Votomatic

VotomaticThe Votomatic was the last punch card voting system used in American elections. They were last used in 2 counties in Idaho in the 2014 General Election. Punchcard systems employ a card (or cards) and a small clipboard-sized device for recording votes. The Votomatic uses a standard-size IBM data processing card as a machine-readable ballot. There are a maximum of 960 ballot positions in 12 columns across the face of the card. The Votomatic ballot is pre-scored at each voting position so that punching with a stylus through that position into an appropriate backing will remove a rectangle of chad, leaving a hole that is counted as a vote. The backing used inside the Votomatic machine is a complex structure of elastomeric strips, and the stylus has a relatively comfortable handle on it. When used for absentee voting, a disposable styrofoam sheet is generally used as backing, and in some jurisdictions, the stylus for absentee ballots is an unbent paperclip.

Candidate names are not printed on the card but rather on the pages of the ballot holder, corresponding to the positions of the inserted card. A hole constitutes a vote for the candidate or referendum issue assigned to that position. With the Votomatic card, the locations at which holes may be punched to indicate votes are each assigned numbers. The number of the hole is the only information printed on the card. The list of candidates or ballot issue choices and directions for punching the corresponding holes are printed in a separate booklet.

The ballot card is held in proper alignment in the Votomatic machine by holes in the ballot stub that fit over pins at the top of the machine. When the ballot is inserted in the machine, the face of the machine completely covers the ballot, with the exception of small holes over those voting positions relevant to the current election. The pages of the ballot label are hinged to the face of the machine; when the book made up by the pages of the ballot label is open, one column of voting positions on the ballot is exposed. The ballot label mounted on the machine shown about is a replica of the first two pages of the notorious “butterfly ballot” used in Palm Beach County Florida during the 2000 general election.

Voting Process

The voter slips the ballot card into the holder and turns the pages exposing columns of ballot positions from left to right across the underlying card. When in the holder, the card is actually sandwiched between a plastic template with beveled holes to help center the stylus on the target position, and below the card, a system of slotted rubber strips through which chad are punched. Chad removed from the ballot card fall into a hollow part of the ballot holder.

After voting, the voter removes the ballot card from the ballot holder. The ballot may be tabulated with a card counter in the polling place, or collected and tabulated in a central location using card readers and attached computers. The reader senses which position on the ballot card have holes. These locations are reported to the software of the computer that summarizes the number of votes for each candidate.

Over-Votes: If a voter casts votes for more than the allowable number of candidates in a contest or cast votes for and against an issue in a contest. Over-voted races cannot be counted. In jurisdiction using a central count voting method there is no way for a voter to be notified of an overvote so be very careful to vote for only the allowable number of candidates in any contest (in most cases one). If you do accidentally over-vote and you have not put your ballot into the ballot box, you can request a new ballot from an election official. You will be asked to sign a Spoiled Ballot Affidavit. You may “spoil” up to two ballots and receive another (three ballots total). Once you drop your ballot in the ballot box, no changes can be made.

Background1

The standard punched card, originally invented by Herman Hollerith, was first used for vital statistics tabulation by the Baltimore Board of Health. After this trial use, punched cards were adopted for use in the 1890 census. Hollerith wasn’t working in a vacuum. His idea for using punched cards for data processing came after he’d seen the punched cards used to control Jaquard looms. IBM developed pre-scored punched cards and the Port-A-Punch card punch (left). In the early 1960’s, two professors at the University of California at Berkeley adapted this for voting. Joseph P. Harris, from the political science department, had the idea, and sought help from William Rouverol, of the mechanical engineering department. They made several improvements to the Port-A-Punch, patented them, and formed Harris Votomatic, Inc. to sell the result. After a large-scale trial at the Oregon State Fair, the system was used in primaries in Fulton and DeKalb Counties, Georgia; By the general election that fall, several counties in Oregon and California had moved to this new technology, and things looked promising enough that, in 1965, IBM bought the company.

The Portapunch was a pocket-sized handheld device that allowed a worker in the eld to record data directly onto pre-scored punched cards by pressing a stylus through holes in a template over the card. With no moving parts, aside from the handheld stylus and the resilient rubber backing strips behind the card, Portapunches cost only a few dollars each. When a student called Joseph Harris’s attention to the Portapunch, he very quickly saw the possibility of adapting it to voting. At the time, Harris was on the faculty of the University of California at Berkeley. Working with William Rouverol, a mechanical engineering professor, Harris transformed the Portapunch into what became the Votomatic. Harris received his rst Votomatic patent in 1965, and a patent on a refined machine in 1966.

In converting the Portapunch into a voting system, Harris and Rouverol incorporated the mechanism that had been a hand-held clerical device into the table-top of a lightweight voting booth, added a registration system to help align the ballot card for punching, and, most signicantly, developed a way to pack the text of a complete general election onto a label that would t over IBM’s standard 3 1/4 by 7 3/8 inch punched card ballot. The trick was to arrange the ballot label as a booklet. Opening the booklet to any page exposed one of the 12 columns of the punched card in the space between two pages of the booklet. Those two pages could then be used to describe up to 40 punching positions in that column, although most ballots used far fewer than this maximum.

The Votomatic had three things going for it. First, it was cheap. Lever voting machines could cost thousands of dollars, but IBM sold the injection-molded Votomatic for only $185 in 1965. It was inexpensive to store and transport as well. Lever voting machines could weigh close to a half ton, but a Votomatic machine weighed only 6 pounds. The second advantage was one of technology. Voting on punched cards brought elections into the computer era. Unlike lever voting machines, if there was doubt about the integrity of an election, the ballots could be recounted. Ballots were separate, so there was no record of the order in which votes were cast, and vote counting was done by fast objective machinery, so ballot handling was minimized. To many observers in the 1960s and 1970s, the Votomatic system really did appear to be close to ideal.

With its high-tech appeal and low price, the Votomatic became the single most widely used voting system in the United States. Several states adopted the system statewide, among them Illinois, and it was very popular in large urban areas such as Miami and Los Angeles. By 1980, over 29% of U.S. voters were voting on Votomatic-style punched-card ballots, using systems provided by almost a dozen vendors. By 1992, the Votomatic system was the dominant voting system in the United States, used by 27% more voters than used mechanical lever voting machines. By this time, newer electronic voting technologies were becoming strong competitors, but they represented a much smaller market share.

 

A noteworthy consequence of the shift from lever machines to the Votomatic system was a shift from precinct-count to central-count ballot tabulation. With lever machines, the totals for each precinct could be announced and recorded by election observers at the precinct immediately after the polls closed, while with the Votomatic, no results were known until the ballots had been transported to the counting center and tabulated.

The public outcry after the election of 2000 led Florida and several other states to abandon Votomatic technology, but it remained in use in Ohio, Illinois and several other states until the Help America Vote Act of 2002 (HAVA) effectively banned pre-scored punched card ballots. As we discuss in Chapter 6, HAVA was passed after serious problems with newer electronic voting systems cropped up in Florida’s August 2002 primaries. Among other things, HAVA gave the states 4 years to replace all lever and punched-card voting machines with newer equipment.


Model

The ES&S Model 100 is a precinct-based, voter-activated paper ballot counter and vote tabulator that uses visible light scanning to count and record voter information from paper ballots. The first machine to incorporate integrated-circuit image sensors into a ballot tabulator was the American Information Systems PBC 100 scanner, later known as the Model 100. The system, which came on the market just as AIS was reorganized into ES&S in the late 90s, uses an Intel 80386 microprocessor to process the data from the image sensor. It reads the election configuration from a PCMCIA memory card before opening the polls. When the polls close, it records the results to the memory card and optionally transmits them by modem to the election office.

The Model 100 uses a mark-sense ballot, which may vary from one column to three columns across a ballot 8.5 inches in width, and from 14 to 21 inches in length. Each column of the ballot consists of one or more contests, each with one or more candidate or measure selection positions. The ballot may be printed on one or on both sides. Adjacent to each candidate or issue selection position is printed an unfilled oval. The voter uses a marker to fill in or darken the oval. Several types of marking devices are suitable for use with the Model 100. A carbon ink-based felt-tip marking pen which produces a mark of adequate reflectivity is the preferred marking instrument in the polling place. The reflectivity specifications of such markers, as well as the manufacturers thereof, are available from ES&S. A Number 2 lead pencil can also be used. The Model 100 precinct-based ballot tabulation unit is intended for polling place use. It is a portable device which measures approximately 14.25 inches wide, 16.25 inches deep, and 5 inches high. Its exterior is constructed of high-impact plastic. The unit weighs 19 pounds, 7 ounces with the battery included. The Model 100 is secured into its companion three-compartment ballot box. The ballot box comes in two variations – one metal and one plastic – that is collapsible and is equipped with wheels. In the operational mode, the ballot box is 35 inches high, 20.75 inches wide and 25.25 inches deep. In its nested or transportable mode, ballot box dimensions are 20 inches high, 21 inches wide and 25.5 inches deep.

Voting Process: The voter places a voted ballot into the ballot entry slot, which causes the drive motor to be energized, and the ballot is taken into the device for processing. After the ballot has passed through the read station and the voting marks on it have been interpreted, it is placed into the ballot box or it is diverted to one of two compartments in the ballot box as determined by the jurisdiction using the device. The front face of the Model 100 contains a four-line, 40-character per line LCD message display area. During polling place operation, the LCD continuously displays the number of ballots which have been processed since opening the polls that day. The Memory Card is secured within the Model 100 by a sealed security clip attached to the locked front face-plate on the unit. The short, 3-inch read path of the Model 100 virtually eliminates ballot jams. All voter/precinct worker communication is done via the LCD message area in full alphanumeric text.

Prior to use in any election, the Model 100 must be put in readiness to process ballots for that election via ES&S-supplied election preparation and ballot tabulation application software. This software describes the offices, measures and voting response positions on each precinct’s ballots. It describes the number to be elected to each office, the results to be accumulated, the statistics to be accumulated, the reports and messages to be printed, the selection of ballot path and striping options, and other parameters of a specific election. This software transfers or downloads these parameters, which are precinct or ballot style specific, to the Model 100 via a Memory Card.

The Memory Card is a reusable PCMCIA intermediate storage device which contains the election-specific information required to process and tabulate precinct-level ballots for a given election. The Memory Card serves as a medium for the temporary short-term storage of this data before it is read into the Summary System. Once this data is uploaded, and subsequently certified during the Official Canvass process, the Memory Card may be cleared of totals and be made available for future elections. If required, the election can be reconstructed from original ballots and the Model 100 Memory Card-produced Precinct Election Result Tapes.

A video demonstration of the Model 100:

Voting on an ES&S Model 100 Ballot:

Security Concerns

Security Seals Ideally, the M100’s exposed ports, memory card access areas, ballot box doors and case seams would be covered with tamper-evident security seals. The integrity of these seals should be maintained at all times, and only breached under controlled, explained circumstances. Seals should be logged to maintain chain of custody of sensitive materials.

Ballot Box Access Optical scan systems have at least one and possible more ballot boxes. Each ballot box should be inspected by a voter at the beginning of voting to make sure that they are empty. These ballot boxes should locked and/or be sealed with tamper-evident tape.

Memory Card is Sensitive Corrupt memory cards may be able introduce viruses, cause the main election server to crash and falsify votes. Access to the memory card should be controlled, monitored and logged at all times.

Correct Inks Some Optical Scan systems have trouble reading red inks or inks with red in them. Voters should use the writing instrument provided at the polling place or, if voting at home, black ballpoint pen that does not bleed through paper.

Keys The keys for the M100 are the same for all M100 machines and are easily pickable with readily available tools. Care should be observed around the ballot box lock and the scanner key lock (turns the system off and on).

Counterfeit Ballots It is fairly easy to frustrate the counterfeit ballot detection mechanism on the M100. People who produce counterfeit ballots could cast multiple votes and the detectability of these ballots would only depend on how close they appeared to be like the real ballot cards.

Background1

In the 1980s, the advent of simple one-dimensional sensors spawned a revolution in such applications as fax machines and page scanners. The first machine to incorporate this technology into a ballot tabulator was the American Information Systems PBC 100 scanner, later known as the Model 100. The system, which came on the market just as AIS was reorganized into ES&S, uses an Intel 80386 microprocessor to process the data from the image sensor. It reads the election configuration from a PCMCIA memory card before opening the polls. When the polls close, it records the results to the memory card and optionally transmits them by modem to the election office. As such, the PCMCIA card serves the same purposes as the memory pack used on the Optech I scanner.

References

EAC Formal Investigative Report on ES&S Unity 3.2.0.0, 2011

Ohio EVEREST Review
ES&S Executive Summary
ES&S Technical Manager Report
ES&S Technical Details Report
Final Academic Report
Systest Technical Report


DS

The ES&S DS200 is a precinct-based, voter-activated paper ballot counter and vote tabulator.  The DS200 possesses a 12” LCD touch screen, which is used to provide voters with feedback, such as an overvote warning. When the polls close, the ES&S DS200 prints out the voter logs so election officials can have a paper tally. Like the Hart Intercivic eScan, the Dominion ImageCast and the Premier/Diebold OSX, the DS200 captures digitized images of all ballots scanned. This allows write-in votes and problematic ballot markings to be processed using the digitized images, so that once the ballots are scanned, they need not be handled except in the event of a recount or audit.

DS200The DS200 is a jurisdiction-wide election tabulation system. The DS200 scanners process single or dual-sided paper ballots for up to 18 Election Day precincts and 1639 Early Voting precincts, permit programming of separate election groups for the procedural processing and storage of provisional ballots separately from Election Day totals for inclusion, after determination of voter validity, automatically prints a Zero report when the polls open, can be configured to automatically print one or more reports (Status, Race Results, Certification or Audit Log,) have a public counter that displays the number of ballots cast, store paper ballots in attached ballot storage bins (key locked ballot boxes), and do not store any ballot data; all ballot data, election totals and optional ballot images are stored on an external USB flash drive which can be transported to a central count location. The Ds200 prevents access to the USB election flash drive via a key locked compartment. It prints reports including: Election Startup, Poll Closing, Diagnostic, Initial State, Audit Log, Zero and Certification and audit logging and reporting; The Ds200 operates on standard or two hour back-up battery power.

DS200 source code consists of C/C++ components. The ESSUNITY3200 baseline was modified during the Unity 3.2.1.0 EAC test effort. A total of 651 functions were changed. Each of the changed functions was reviewed by the EAC for conformance to the VVSG 2005. There were 42 instances of non-conformance reported to ES&S. ES&S submitted fixes and they were validated as resolved. All source code discrepancies were comment related. None of the discrepancies were against any of the software related VVSG 2005 requirements. The file function line count results identified no files or functions exceeded 240 eLOCs, 3.47% were between 60 and 120 lines, .23% were between 120 and 240 lines, the remaining 96.30% were less than 60 lines.

Voting Process:  After receiving your ballot from the election officer, fill in the oval located next to your selection for a candidate or choice of an issue. When you have finished filling in your ballot, you will feed your ballot into the DS200 machine.

As votes are entered, the DS200 stores the vote tallies on its internal memory card. Optional land line and wireless modems are available for the DS200.  When the polls close, the DS200’s internal printer prints out the precinct’s vote report on paper.

Common ballot problems occur when voters vote for too many candidates in one race or when voters cast their ballots in the wrong precinct. Make sure you read your ballot carefully and understand how many candidates to vote for.

If you have a question, please ask a Poll Worker. If you make a mistake on your ballot, return it to a Poll Worker and ask for a new one. You can request up to two replacement ballots. Be sure to double check your ballot for accuracy, as improperly marked votes will not be counted. Once your ballot is scanned and accepted, your vote is final.

 

A DS200 Voting Demo produced by ES&S:

A Voting Demo produced by Cuyahoga County OH:

Security Concerns

Security Seals Ideally, the DS200’s exposed ports, memory card access areas, ballot box doors and case seams would be covered with tamper-evident security seals. The integrity of these seals should be maintained at all times, and only breached under controlled, explained circumstances. Seals should be logged to maintain chain of custody of sensitive materials.

Ballot Box Access Optical scan systems have at least one and possible more ballot boxes. Each ballot box should be inspected by a voter at the beginning of voting to make sure that they are empty. These ballot boxes should locked and/or be sealed with tamper-evident tape.

The Memory Card is Sensitive Corrupt memory cards may be able to introduce viruses, cause the main election server to crash and falsify votes. Access to the memory card should be controlled, monitored and logged at all times.

Correct Inks Some Optical Scan systems have trouble reading red inks or inks with red in them. Voters should use the writing instrument provided at the polling place or, if voting at home, black ballpoint pen that does not bleed through paper.

Unresponsive Touchscreens1 During EAC testing on the Unity 3.2.1.0 voting system, some DS200s stopped responding to interactions with the user interface. The anomaly presented itself at random times during the testing process. ES&S informed the EAC that the root cause of touch screen unresponsiveness is linked to an improperly implemented internal system log. This log is only accessible to ES&S technicians when troubleshooting errors with the fielded system. One specific event tracked by this log is the presence of the election media USB memory stick. If the unit is powered on without a memory stick inserted, the system records an event eight (8) times per second to the log. When the log reaches capacity, it causes a section of the internal compact flash (CF) card to become inaccessible. This same section of the CF card contains the calibration settings for the DS200’s touch screen interface. When this section of the CF card is inaccessible the calibration settings are no longer available to the system so the screen becomes unresponsive.

Skewed Ballots 2 During testing on the Unity 3.2.1.0, a DS200 did not count a valid mark for a race. The anomaly was discovered when county testers reviewed the printed election summary report for the DS200 unit. The count for a single contest did not match the expected results. The test was performed to verify that ES&S had corrected a previous anomaly with similar symptoms. The county testers were using a 17” ballot with contests concentrated in the lower sections of the ballot. In discussion with the EAC, ES&S stated that they have only been able to replicate this issue in testing by removing the plastic guides and physically altering the ballot (cutting of a corner). In an effort to understand the issue the EAC focused on reviewing ballot images from several states and  previous test campaigns. The review included 11”, 14”, 17” and 19” ballots. In the course of the review, the EAC found various degrees of ballot image distortion; with the 17” ballot having the largest degree of skew. The EAC is working with jurisdictions, VSTLs and the manufacturer to understand and resolve this issue.

During the EAC Certification process3  it was revealed that a DS200 coded for Election Day counting will not support more than 18 precincts, the DS200 does not support more than 40 ballot styles in a single absentee precinct in a ballot by-style election. If an election definition contains more than 40 ballot styles, the user has to define more than one absentee precinct and then separate the ballots into groups for processing. In addition, all optical scan ballots used in a given election must be the same size and have the same position capacity, an early vote station will only support a maximum limit of 9999 precincts meaning that a large number of precincts may result in small ballot processing delays, and an early vote station will not be able to print a precinct-by-precinct report by default.

References

Vulnerability & Security Assessment Report Election Systems &Software’s Unity 3.4.1.0, prepared for the California Secretary of State (2016)

EAC Formal Investigative Report on ES&S Unity 3.2.0.0, 2011

ES&S Unity 3.2.0.0 Rev. 1 Voting System Certification Test Plan for DS200 Modifications to the EAC Certified ES&S Unity 3.2.0.0, 2010

ES&S Unity 3.2.1.0 VSTL Certification Test Report for testing completed by iBeta, November 29, 2010

Why the New ES&S Digital Scanner Should Not Be Certified, Florida Fair Elections Coalition, 2009


AutoMARK

AutoMARK Ballot MArking DeviceThe AutoMARK Voter Assist Terminal (VAT) is an optical scan ballot marker designed for use by people who are unable to personally mark an optical scan ballot due to physical impairments or language barriers. Originally patented by Eugene Cummings in 2003 and developed by Vogue Election Systems, the AutoMARK ballot marking device received certification to the 2002 VSS in 2005 and later changed its name to AutoMARK Technical Systems. ES&S announced its purchase of AutoMARK Technical Systems on January 28, 2008. While the AutoMARK is most often used in configuration with optical scanners manufactured by ES&S, it is also used together with scanners from Sequoia and Premier/Diebold in some jurisdictions.

The AutoMARK is a hybrid of several devices: a scanner, printer, touch screen display, and input device. The data for a given election is stored on a compact flash card. Using the system software, an election official is able to convert election data created for use in the AutoMARK. During this process it is also possible to customize the election data, including adding translations or phonetic pronunciation of difficult names for use with the synthesized speech. Once the flash card has been programmed, it is inserted and locked into the AutoMARK. Secure electioneering is verified by a special program that fills in each oval on a ballot along with the candidate’s name.

Accessibility features include a touch screen with a zoom and contrast feature, multiple language translation, keypad marked with Braille, puff-sip interface as well as an audio ballot feature. The AutoMARK prevents over-voting and users are prompted visually and audibly if they attempt to under-vote. Undervoting is allowed only after the user is prompted unless otherwise required by the election jurisdiction. Before any mark is made on the ballot, the voter is shown a verification screen where each race is displayed along with their selections. Under-voted races are clearly identified by different colors on the touch screen as well as the audio ballot prompt. The AutoMARK marks the optical scan ballot for the voter including any write-ins. For voter verification purposes, the user may also re-insert their marked ballot in order to verify that their intent was accurately captured. In the event of a mis-marked ballot the voter may spoil the ballot, obtain a new ballot and restart the voting process.

AutoMark1

Voting Process:  When a voter inserts their ballot into the AutoMARK VAT, it searches for a match to the precinct identification code found on each ballot and used by industry standard optical scanning devices. The voter is then prompted to select the language in which they wish to vote and is able to carry out the voting process using the touch screen, a puff-sip device, or by following audio prompts along with a keypad. Additionally, there is a screen privacy option voter so that visually impaired users can be assured that their voting remains private.

During the voting process, over-voting is not allowed. The user is also prompted anytime they attempt to under-vote, and may select to continue with the under-vote or re-vote the contest in order to properly capture their intentions. Before any mark is made on the ballot, the user is shown a verification screen where each race is displayed along with the users’ selections. Under-voted races are clearly identified and the user is given the option to return and modify any race they choose.

The ballot is then printed, along with any write-ins, and returned to the user. For voter verification purposes, the user may also re-insert their ballot, after printing is complete, in order to verify that their intent was captured. If not, they may simply follow jurisdiction-specific ballot spoiling procedures and restart the voting process.

A video demonstration prepared for 2010 elections in Toronto:

 Pollworker Training Video produced by Pinellas County FL:

Security Concerns

Security Seals Ideally, the AutoMARK’s exposed ports, memory card access areas and case seams would be covered with tamper-evident security seals. The integrity of these seals should be maintained at all times, and only breached under controlled, explained circumstances. Seals should be logged to maintain chain of custody of sensitive materials.

System Crashing The AutoMARK can often crash when the ballot is being inserted and read and results in the system hanging with the inserted ballot stuck in the feed bath. Poll workers should reboot crashed machines and perform the “Eject Ballot” operation.

Boot-up Times The AutoMARK, especially the A100 model, can take up to 15-20 minutes to reboot. If rebooting happens often, this can severely affect voters who require the AutoMARK to cast a ballot.

“Ballot Not Recognized” or “Ballot Misfeed” Errors In California State testing, 6-8% of the time the blank ballot inserted into the AutoMARK by a would-be voter was not recognized by the machine. Usually, in the California testing reinserting the ballot would not reproduce this error. When the voter inserts a blank ballot with a slight skew, so that it’s not aligned properly, the AutoMARK may return the ballot and report a “Ballot Misfeed” error. Re-inserting the ballot should work to allow the ballot to be read.

Ballot Damage Occasionally, the AutoMARK will severely damage a ballot when it ejects the ballot. Most often, this results in a ballot that cannot be fed into the corresponding optical scan reader. The ballot should be reissued and the voter should go through the AutoMARK marking process again.

References

Uniform Ballot and Voting System Procedures (M100 & AutoMARK), Montana Secretary of State, 2012

ES&S Unity 3.0.1.1 Accessibility Review, California Secretary of State’s Top to Bottom Review, 2008

California Review of the ES&S AutoMARK and M100, Dan Wallach, Freedom to Tinker, 2008

ES&S Unity with AutoMARK Source Code Report, California Secretary of State’s Top to Bottom Review, 2007

Red Team Report, California Secretary of State’s Top to Bottom Review, 2007

ES&S System Technical Details Report, Microsolved Inc., EVEREST review, 2007

Voting System Security Review: Hart InterCivic eSlate, Diebold TSx/GEMS, AutoMARK/ES&S 100, Michael Shamos, 2006

Limited-Scope User Acceptance Test Results of the AutoMARK Vote Assist Terminal” in Wake County, InfoSENTRY, 2006

ES&S AutoMARK Pre-Election Day Checklist


iVotronic

ES&S iVotronicThe ES&S iVotronic is a direct recording electronic voting system with a touch screen interface that records votes on internal flash memory. A poll worker uses a device called a Personal Electronic Ballot (PEB; pictured above at left) to turn the machine on and enable voting. Voters choose their ballot language and then make their selections using a touch screen, much in the same way that modern ATMs work. When the polls close, poll workers move summary data from each machine onto the PEB. The PEBs are then transported to election headquarters or their contents transmitted via a computer network.

The iVotronic uses two distinct types of iVotronic terminals, distinguished by colored inserts along the sides: red supervisor terminals and blue voter terminals. Both types of iVotronic terminals are activated using PEBs, which are also used to store ballot definitions and election results. PEBs are typically programmed via a supervisor terminal at the start of an election, and read using either a supervisor terminal or a dedicated PEB Reader connected to the machine running the Election Reporting Manager at the end of an election. A PEB can be used in multiple iVotronics as long as they are qualified for the same election and polling place. The voter iVotronics also use Compact Flash cards to store large ballots, audio ballots, and election result audit files. A separate Communication Pack is connected to iVotronic terminals at the start and end of elections to print zero count tallies and precinct results on a separate printer with removable paper.

RTAL_2Checking the Voter-Verifiable Paper Trail: The iVotronic has an optional voter-verifiable paper trail printer, known as the Real-Time Audit Log (RTAL). States such as Ohio, West Virginia, and North Carolina require the RTAL by law, while iVotronics in South Carolina, Texas, and Pennsylvania do not have this option. The RTAL printer is a reel-to-reel cash-register type of printer under transparent plastic, and is located just to the left of the touch screen (pictuted above right). The RTAL records all of the voter’s actions, so if a voter changes her mind about a race on the ballot, the RTAL records both the initial choice and the final choice.

While all other voter-veriable paper trail schemes wait to print the paper record until the voter has completed the entire ballot, the ES&S RTAL prints each selection at the time it is made. Thus, whenever a voter touches the screen to select a candidate, the printer immediately prints that selection. The advantage is immediate feedback to the voter, if the voter happens to watch the printout. The disadvantage is that in the event the voter makes any changes, all the voter’s previous selections have been retained. In a recount or audit of the paper records, only the last vote recorded for each race should be counted. The inclusion of prior selections can make ballot verification of RTALs challenging for voters, and manual counting of RTALs even more difficult for election officials.

The RTAL also does not provide the voter with the opportunity to review all their selections on the paper record at the end of the voting process, as by that point the paper has spooled out of view. With this system it is important that the voter check the paper record throughout the voting process.

Voting Process: When the voter enters the polling place, a poll worker first confirms the voter is registered. Then the poll worker walks with the voter to an iVotronic and inserts the PEB in the PEB slot (visible as the rectangular slot in the upper left corner of the middle image above). The PEB communicates with the iVotronic using infrared signals, much like a TV remote control works, except that the PEB and iVotronic will not communicate unless the PEB is completely inserted. If the election requires a party-specific ballot, the poll worker chooses this for the voter. Activation by the PEB enables the iVotronic to vote once.

The voter then selects a ballot language and makes decisions using the touchscreen. When the voter is done, he or she presses a small “vote” button at the very top of the iVotronic to cast the vote. The vote is then recorded to three internal flash memories that reside inside the machine. A fourth memory is a removable card, called a “compact flash” (CF) card; note that CF is the same technology used in many digital cameras to store photos. During the election, the CF card holds audio files (for those with visual disabilities) and ballot definitions; vote data is written to the CF card when the machine is closed.

A poll worker closes the polls by using the PEB with a password to enter a supervisor menu on each iVotronic. After closing the election for a given machine, summary vote data is transmitted to the PEB via infrared signals. After the PEB is used to close all the iVotronic machines, it contains all the summary data for the precinct. Depending on local regulations and procedures, poll workers can use a “printer kit” at this point to print the result summary from the PEB on to paper. The PEB for that precinct, any printouts and the CF cards are then either physically transported to a central tabulation facility or its contents sent over a computer network using a laptop running ES&S’ Unity software.

A Voting Demo of the ES&S iVotronic

A Voting Demo produced by Escambia County FL:

Security Concerns

iVotronic_PEBThe PEB slot on the face of the iVotronic is particularly sensitive. The EVEREST study showed that a voter with a magnet and a properly programmed PDA (with an infrared port) could gain privileged access to the sensitive functions of the machine. If you see anyone spending a long time in an iVotronic voting booth and engaging in activity that appears to be centered around the upper-left part of the iVotronic, they might be messing with the PEB slot.  Of course, they might also just be voting, so don’t cry wolf.

The VVPAT printer (RTAL printer) is connected to the iVotronic via a cable that is connected to the top of the machine. This cable, unless the jurisdiction has purchased special cables or connectors, can be disconnected by a voter and various types of mischief could be performed (from printing extra VVPAT records to messing with the internals of the iVotronic). If you observe anyone disconnecting this cable, alert the pollworkers immediately. If a pollworker is disconnecting this cable, it should only be to swap out a printer and you should be able to observe the whole process.

An attacker who gains access to a PEB for a short or extended period of time can change votes on the PEB or attack the central Election Management System when the PEB is returned to election headquarters. PEB devices should only be handled by pollworkers and pollworkers should keep a vigilant watch over their use of the PEBs throughout the day (that is, they should not be leaving them around casually and the area in which the PEBs are kept should be secure and monitored at all times).

Background1

Votronic

The Votronic

Shelby Thomas, president of a small Virginia election services company Election Products Inc., had the idea for the machine in the early 1990’s. He took his idea to a local engineering consulting rm, ILJ Corporation, of Richmond. By 1993, John Davis, president of ILJ, had delivered a prototype, and Davis and Thomas applied for a patent the next year. The Votronic included an innovative new cartridge, the Personal Electronic Ballot (PEB), used to communicate setup information to the machine before the election and to accumulate results at the close of the polls. The PEB was not a passive memory device; rather, it was a small computer system, not much larger than a pack of cigarettes, containing a battery, a microcontrollery, and non-volatile memory. When inserted in its dock on the front of the Votronic, the PEB used infrared light to establish a very short-range network connection with the machine. The developers thought of the PEB as the electronic analog of a ballot; they viewed the machine in the voting booth as the electronic analog of a pencil for marking the ballot. The inventors intended the poll workers to hand PEBs to voters as they signed into the polling place. In practice, pollworkers usually escorted each voter to the machine and used the PEB to activate the machine, before turning it over to the voter.

Shortly after Election Systems and Software (ES&S) was formed by the merger of American Information Systems and Business Records Corporation, ES&S acquired the rights to the Votronic. With its national sales and marketing force, ES&S gained immediate traction selling the system, and it began to invest in updating the design, redesigning the packaging, and adding features supporting broader access for voters with disabilities. The new system was sold as the iVotronic, but in dealings with states that had already certi ed the Votronic, ES&S emphasized that the changes were cosmetic. New Jersey did not even require recerti cation of the new package.

References

Unsafe for Any Ballot Count: A Computer Scientist’s Look at the ES&S iVotronic in Light of Reports from Ohio, California, and Florida, Duncan Buell for the South Carolina League of Women Voters, 2008

Ohio EVEREST Review 2007
ES&S Executive Summary
ES&S Technical Manager Report
ES&S Technical Details Report
Final Academic Report
Systest Technical Report

Software Review and Security Analysis of the ES&S iVotronic 8.0.1.2 Voting Machine Firmware, SAIT Lab, 2007

Security Evaluation of ES&S Voting Machines and Election Management System, Adam Aviv et al,USENIX, 2007

Security and Reliability of Webb County’s ES&S Voting System and the March ‘06 Primary Election, Dan Wallach, 2006

Douglas W. Jones Miami-Dade Recommendations, 2003


InkaVote

InkaVoteOriginally developed by Unisyn Voting Solutions and now distributed by Election Systems and Software, the InkaVote and InkaVote Plus system consists of the InkaVote Precinct Ballot Counter (PBC) and Unisyn Election Management System (EMS). The PBC is based on a standalone lottery ticket machine design developed by the International Lottery & Totalizator Systems, Inc. (ILTS). The InkaVote ballot is a mark sense ballot based on the design of a Hollerith (IBM) punch card. Ballot identification data is pre-punched in the leading columns. The InkaVote system is used in Los Angeles County, CA and Jackson County, MO.

The InkaVote voting system has been used in Los Angeles County since 2003. InkaVote replaced the former Votomatic punch card voting system, used since 1968, following the decertification in 2002 of all voting systems in California based on pre-scored punch card voting technology. InkaVote employs a voting method similar to Votomatic but replaces prescored punch cards with optical scan ballots printed on the same sized 312 format ballot card. The InkaVote is patterned after the Votomatic device and is used for holding the ballot card and vote recorder pages. However, the diameter of each voting position hole in the plastic template has been widened to ¼ inch in order to accommodate the use of an ink marking device for marking voting choices. The 312 vote position ballot card is virtually identical except the vote positions are not pre-scored for punching out, but are instead pre-printed circles with 312 voting positions for recording votes in ink. The ballots used for absentee voters by mail have larger target circles than the ballots used at the polls in the vote recorder.

Los Angeles County’s previously certified Microcomputer Tally System (MTS) version 1.3.1 with the front end Election Tally System (ETS) and Automated Ballot Layout (ABL) system will continue to be used for election data collection, vote tabulation and related functions. The L.R. Computer Company card readers, 36 of which are used in Los Angeles County, were previously certified by the Secretary of State with a modified read head for reading optical scan marks. The electronic image sent from the card readers is identical to punch card electronic images; therefore, the tally interface routines do not change. Since the vote image data is the same, the MTS tally, reports and logic do not change.1

InkaVote PlusThe InkaVote Plus PBC unit (left) may be equipped with an optional component called the Audio Ballot unit, which provides support to assist visually blind as well as other voters who need an audio ballot. The Audio Ballot unit consists of a keypad, earphones and printer, and does not include a visual display for the voter of the ballot. This unit uses an audio ballot script, which guides the voter through voting and prints a marked InkaVote ballot. The voter may then insert the marked ballot into the PBC unit, which checks for overvotes and blank ballots.

The InkaVote employs a voting method similar to Votomatic punch card voting system but replaces prescored punch cards with optical scan ballots printed on the same sized 312 format ballot card. The InkaVote voting device (unit) is patterned after the Votomatic device and is used for holding the ballot card and vote recorder pages. However, the diameter of each voting position hole in the plastic template has been widened to ¼ inch in order to accommodate the use of an ink marking device for marking voting choices. The 312 vote position ballot card is virtually identical except the vote positions are not pre-scored for punching out, but are instead pre-printed circles with 312 voting positions for recording votes in ink. The ballots used for absentee voters by mail have larger target circles than the ballots used at the polls in the vote recorder.

Voting Process: The voter enters the polling place and receives a ballot, which is then secured to the Inkavote machine with a series of clips. To vote, the card is placed in a marking device, which has a ballot voting booklet and template guide showing the location to mark a vote for each candidate in each contest. A special marking pen is used to mark the voter’s choices. Voters who mark their ballots manually or with the ballot booklet template may also use the PBC unit to check the ballots for overvotes and blank ballots. If an overvoted or blank ballot is detected, the system returns the ballot to the voter, giving the voter an opportunity to remake the ballot. Although the PBC unit is capable of tallying the ballots and producing a machine report of the results when the polls close, some jurisdictions, including the City and County of Los Angeles only use the system for the audio ballot and error checking functions, without using the ballot tally and reporting functions.

A demonstration video from Jackson County MO:

 A Pollworker Instruction Video

Security Concerns:

In the area of cryptography and key management, multiple potential and actual vulnerabilities were identified in the InkaVotePlus, including inappropriate use of symmetric cryptography for authenticity checking, use of a very weak homebrewed cipher for the master key algorithm, and key generation with artificially low entropy which facilitates brute force attacks. In addition, the code and comments indicated that a hash (checksum) method that is suitable only for detecting accidental corruption is used inappropriately with the claimed intent of detecting malicious tampering. 106 instances were identified of SQL statements embedded in the code with no evidence of sanitation of the data before it is added to the SQL statement. It is considered a bad practice to build the SQL statements at runtime; the preferred method is to use predefined SQL statements using bound variables.2

In the physical security testing, the wire and tamper proof paper seals were easily removed without damage to the seals using simple household chemicals and tools and could be replaced without detection. The tamper proof paper seals were designed to show evidence of removal and did so if simply peeled off but simple household solvents could be used to remove the seal unharmed to be replaced later with no evidence that it had been removed. Once the seals are bypassed, simple tools or easy modifications to simple tools could be used to access the computer and its components. The key lock for the Transfer Device was unlocked using a common office item without the special ‘key’ and the seal removed. The USB port may then be used to attach a USB memory device which can be used in as part of other attacks to gain control of the system. The keyboard connector for the Audio Ballot unit was used to attach a standard keyboard which was then used to get access to the operating system without reopening the computer. The seal used to secure the PBC head to the ballot box provided some protection but the InkaVote Plus Manual provides instructions for installing the seal that, if followed, will allow the seal to be opened without breaking it. However, even if the seals are attached correctly, there was enough play and movement in the housing that it was possible to lift the PBC head unit out of the way and insert or remove ballots (removal was more difficult but possible).3

References

InkaVote Procedures, Los Angeles County CA, 2010

InkaVote Plus Voting System Access Review, Noel Runyan and Jim Tobias, for the California Secretary of State’s Top-to-Bottom Review, 2007)

InkaVote Plus Source Code Review, California Secretary of State’s Top-to-Bottom Review, 2007

InkaVote Plus Red Team Security Penetration Test, California Secretary of State’s Top-to-Bottom Review (2007)


Hart Intercivic


Ballot Now

Ballot Now is Hart Intercivic’s software for printing paper ballots on-demand and scanning in and resolving batches of voted paper ballots. The Ballot Now system is most often used for tabulating absentee ballots, though in some central count jurisdictions is is used to tabulate polling place ballots cast by voters in ballot boxes. Ballot Now, like other applications in the Hart EMS suite of software, runs on a Windows 2000 Professional machine. It works with a variety of third-party scanners, for example the Fujitsu M4099D and Kodak i830 pictured above. Ballot Now can be run on a stand-alone machine or in a networked, client/server configuration. Users must configure network certificates to run Ballot Now in a networked configuration. If run in networked configuration, the eCM must be present on the Ballot Now server. If run in standalone configuration, the eCM must be present on the standalone Ballot Now machine.

After defining an election database in BOSS, Ballot Now initializes an election MBB and creates a Ballot Now election database (stored in a unique folder for that election, in the file “ballotNow.db”). Ballot Now’s central features are (1) to print sample, test, and election ballots, either for third-party printing or on demand; and (2) to scan paper ballots (using the “Ballot Now Image Processor”, or BNIP); and (3) resolve undervoted, overvoted, and/or write-in contests. Results from scanned and resolved ballots are written to an election MBB, and after processing is done, the Ballot Now user closes the MBB using a “close MBB” function in the software. Ballot Now produces several types of audit logs—the Election Database Audit Log; the Security Database Audit Log; the Filtered Election Database Audit Log; and the Filtered Security Database Audit Log.

Hart BallotPolling Place Voting Process for the Hart Ballot Now System

1. Receive your ballot from a poll worker and proceed to your voting booth.

2. Using a blue or black pen fill in the box to the left of your choice completely as shown on the right.

3. To vote for a write-in candidate, fill in the box completely next to the words “Write-In” and write the candidate’s name on the line provided. Do not mark more choices than allowed.

4. If you make a mistake, ask an election officer for a new ballot. (The old ballot will be voided.)

5. Deposit your ballot in the ballot box.

IMPORTANT

Over-Votes: If a voter casts votes for more than the allowable number of candidates in a contest or cast votes for and against an issue in a contest. Over-voted races cannot be counted. In jurisdiction using a central count voting method there is no way for a voter to be notified of an overvote so be very careful to vote for only the allowable number of candidates in any contest (in most cases one). If you do accidentally over-vote and you have not put your ballot into the ballot box, you can request a new ballot from an election official. You will be asked to sign a Spoiled Ballot Affidavit. You may “spoil” up to two ballots and receive another (three ballots total). Once you drop your ballot in the ballot box, no changes can be made.

References

California Top to Bottom (T2B) Review (2007)
Hart Intercivic Source Code Review
Hart Intercivic Penetration Test Report
Hart Intercivic Documentation Review

Ohio EVEREST Review (2007)
Hart Intercivic Executive Summary
Hart Intercivic Technical Manager Report
Hart Intercivic Technical Details Report
Final Full Report
Final Technical Report

An Analysis of the Hart Intercivic DAU eSlate, USENIX,2007


Verity Scan, Verity Touch Writer and Verity Central

Verity_650_315The Verity Scan is a digital scan ballot tabulator that is used in conjunction with an external ballot box. The unit is designed to scan marked paper ballots, interpret and record voter marks on the paper ballot and deposit the ballots into the secure ballot box. Verity 1.0 allows for entering write-in candidates on the fly or selecting from a list of certified write-ins. Additionally, write-ins do not have to be processed prior to tabulation. In the event that the county determines write-ins need to be processed individually, they can be processed in the tabulation system.

Touch_Writer_300_225The Verity Touch Writer is a standalone precinct level Ballot Marker Device which also includes an Audio Tactile Interface (ATI), which allows voters who cannot complete a paper ballot to generate a machine-readable and human readable ballot, based on vote selections made, using the ATI. Once the voter has completed voting, their ballot is printed onto regular ballot paper and following the county’s ballot processing procedures would be incorporated in the canvassing process.

Verity Central is a high-speed, central digital ballot scanning system used for high volume processing of ballots (such as vote by mail). The unit is based on COTS scanning hardware coupled with the custom Hart developed ballot processing application software.  Verity Central allows for ballots to be scanned in bulk for users to review during scanning and through resolution for voter intent. Each ballot has the front and back pages scanned simultaneously to capture all voter marks, supporting duplex ballots. Users with proper training can review the ballots for write-ins and ballots flagged as having voter intent issues (such as overvotes, undervotes, and write-in candidates). Once all votes have been reviewed as indicated by flagging, the ballots are then written as Cast Vote Records (CVRs) to vDrives. The final CVR records on Verity vDrives are then sent to a Verity Count workstation for official tabulation.

Presentation of the Verity Voting System prepared by Hart for the State of Colorado:

Overview of Verity Central Ballot Scanning:

References
Verity Voting 1.0 Test Report for the State of Colorado (2015)
Report of the Secretary of State of Washington on the Examination of the Verity 1.0 Voting System (2015)
EAC Certification Test Report for Verity 1.0 (2015)

[/private]


Verity Touch and Touch with Access

The Verity Touch is a direct recording electronic voting device included in Hart Intercivic’s Verity 2.0 voting system. The Verity Access component (pictured below) adds tactile buttons, audio ballots and compatibility with common adaptive devices.

The Verity Touch Writer is a standalone precinct level Ballot Marker Device which also includes an Audio Tactile Interface (ATI), which allows voters who cannot complete a paper ballot to generate a machine-readable and human readable ballot, based on vote selections made, using the ATI. Once the voter has completed voting, their ballot is printed onto regular ballot paper and following the county’s ballot processing procedures would be incorporated in the canvassing process.

Verity Central is a high-speed, central digital ballot scanning system used for high volume processing of ballots (such as vote by mail). The unit is based on COTS scanning hardware coupled with the custom Hart developed ballot processing application software.  Verity Central allows for ballots to be scanned in bulk for users to review during scanning and through resolution for voter intent. Each ballot has the front and back pages scanned simultaneously to capture all voter marks, supporting duplex ballots. Users with proper training can review the ballots for write-ins and ballots flagged as having voter intent issues (such as overvotes, undervotes, and write-in candidates). Once all votes have been reviewed as indicated by flagging, the ballots are then written as Cast Vote Records (CVRs) to vDrives. The final CVR records on Verity vDrives are then sent to a Verity Count workstation for official tabulation.

Presentation of the Verity Voting System prepared by Hart for the State of Colorado:

Overview of Verity Central Ballot Scanning:

References
EAC Certification Test Report for Verity 2.0 (2016)
Texas Certification Reports Verity 2.0 (2016)
[/private]


eSlate

The Hart InterCivic eSlate is a direct recording electronic voting system where the voter turns a Select Wheel and pushes a button to indicate her preferences. The eSlate is connected via cable to the Judge’s Booth Controller (JBC; image above) which provides vote activation and vote storage for up to twelve eSlates. A poll worker issues a four digit, randomly generated Access Code to the voter using the JBC. The voter enters the Access Code on the eSlate and votes using the select Wheel and Buttons. Once the ballot is cast, the votes are stored in redundant and physically separate areas of the eSlate System, including the eSlate, JBC and flash memory. The votes are transmitted via a cable to the JBC, and are stored on the JBC and on a flash memory card (Mobile Ballot Box or MBB) inside the JBC. Then the MBB is physically transported to election headquarters for tabulation.

The eSlate consists of a screen and below it a wheel and 5 buttons. The voter highlights choices by turning the wheel until the proper area of the screen is marked. The wheel may be rotated to highlight individual contests or options. The SELECT button is used to select or de-select the voter’s choices. The PREV and NEXT arrow buttons move the voter backward and forward through available pages, respectively. The HELP button provides on-screen assistance or summons a poll worker to help the voter. The CAST BALLOT button advances the voter to/through the vote review and acceptance steps and finalizes the voter’s selection data to cast the voter’s ballot.

The eSlate can also be adapted to run in an accessible mode, called a DAU. The eSlate DAU has the eSlate functionality, but with different hardware inputs and a PCMCIA card storing locally recorded ballot information for audio output. The eSlate can take input from jelly switches or a sip-and-puff device. An audio recording of a human reading of the ballot is stored on the DAU audio card as part of the ballot creation process; the system does not use a speech synthesizer.

To the right of the eSlate are directions for using the equipment. Above the printer and eSlate is a compartment that runs the width of the voting booth. Note that the eSlate is not a touch screen voting system; the voter uses the wheel and buttons only. Up to 12 eSlates can be daisy-chained together. In the top compartment is a cable that runs from the eSlate to the next eSlate in the daisy chain. Otherwise (or if this eSlate is the last one in the chain) the cable can be stored in the compartment. Above the compartment, on the lid of the voting booth, is a Nylon fabric privacy screen. When set up for use, the privacy screen is unfolded to obstruct the view of the voter voting, giving the voter privacy.1 

Hart eSlate ScreenVoting Process: When a voter enters the polling place, she registers as usual with a poll worker and signs her name into the poll book. If she wants to use the eSlate, a poll worker selects ”Add Voter” from the JBC’s main menu. The JBC produces a 4-digit access code, and the poll worker prints this access code for the voter on a small printout (looking like a traditional register receipt) with the date, time, location, precinct, and access code. The voter then goes to the eSlate, and ducks under a privacy screen that shields her actions from others’ views. The eSlate greets her with a welcome screen providing some basic instructions on how to operate the device. At this point, she has the option to navigate the eSlate using the wheel and buttons on the face of the device or to use an alternate input device. The eSlate is pre-equipped with two large buttons, called jelly switches, as an accessibility aid to those whose tactile skills do not lend easily to operating the eSlate with the embedded buttons. The jack into which these tactile inputs are plugged is a standard 3.5mm jack, allowing those who prefer to provide their own input device (such as a sip/puff device) to do so. Also available to the voter are a pair of standard headphones, or the option to plug in her own headphones, through which all operations on the eSlate will be narrated. This allows a voter with vision impairments to navigate the eSlate without assistance from a third party. The narration is given even if headphones are not used, but in that case the voter cannot hear the narration.

Once the voter has selected the input and feedback options best suited for her use of the eSlate, she is prompted to enter the access code she received from the poll worker. The eSlate verifies that the code is authorizedby communicating with the attached JBC. After her access code has been verified, eSlate displays the first page of the ballot. The voter can navigate through the ballot at her own speed by manipulating the wheel and buttons, or an assistive device. Once the voter has filled out the ballot to her satisfaction, she advances to the first ballot verification screen. If she makes a selection for every option on the ballot, she will be automatically advanced to this screen; she can, however, hit the ”Cast Ballot” button to manually advance herself to cast a ballot with fewer selections.

The eSlate then displays the first ballot verification screen, called the Ballot Summary Page. A two-column table presents every ballot option and the voter’s selection for that option, including a listing of ”No Selection” where applicable, in the order in which the options appeared on the ballot. If the voter is using the headphones, the eSlate will read the ballot to the voter. She can choose to make changes to selected options, in which case the eSlate returns her to the ballot to change her selections. Or, she can choose to accept the ballot as is. In this case, she advances to a second verification screen. At this point, the contents of the ballot selections are printed on the VBO printer, which is situated directly next to the eSlate screen. The voter is encouraged to verify her selections both on the screen and on the paper ballot. A visually impaired voter will be unable to verify the printout, but the eSlate will again read the ballot selections over the audio channel for her verification. If she wants to change something, she can reject the ballot at this point. In this case, the eSlate has the VBO print ”BALLOT REJECTED” on the paper ballot, and a barcode indicating that the voter rejected the set of ballot selections immediately preceding. The eSlate then returns the voter to the original ballot to change her selections. The voter may reject two printed ballots. After that, by law, the voter must accept the third printed ballot.

Hart_VBOChecking the Voter-Verifiable Paper Trail: Some jurisdictions used Hart Intercivic eSlate DRE-Dial voting machines equipped a voter-verifiable paper trail called the Verified Ballot Option (VBO). The VBO printer is a reel-to-reel, cash-register style of printer. The VBO printout is found to the left of the display screen under glass. If the eSlate you are voting on is equipped with a VBO printer be sure to verify that your vote has been recorded correctly before casting your ballot.

After the voter reviews a ballot on the printout, accepting the ballot advances the paper to  ensure that the last voter’s choices are not visible to the next voter. Canceling the ballot or changing the contents prints a voided status notice below the ballot. After the voter has changed her ballot and selected “cast ballot”, another ballot is printed for review and  a barcode is written with the message “ballot accepted”. If the voter cancels their ballot more than the maximum number of permitted cancellations, the system forces the last ballot and VVPAT to be recorded. VVPATs that span multiple pages require the voter to inspect each page before scrolling to reveal subsequent pages. The VBO prints both human-readable text and machine-readable barcode. The barcode is a standard two-dimensional barcode that encodes the contents of the VVPAT and basic information about the election in which the vote was cast and the machine on which the ballot was cast. The Hart VVPAT can be configured with a serial number (called a “Ballot Key”) in order to detect duplicate ballots.2

When the voter accepts the ballot, the VBO prints ”BALLOT ACCEPTED” and a barcode directly below the human-readable printout of the voter’s selections. This barcode contains a machine-readable encoding of the ballot selections. The VBO then immediately spools the printed ballot out of sight so that the next voter cannot see it. Ballot acceptance also triggers a communication from the eSlate to the JBC to store the ballot contents. The vote is stored electronically on internal eSlate memory, internal JBC memory, and on a memory card known as the MBB (Mobile Ballot Box). The MBB is the primary record of the votes cast on an eSlate, and the data on the MBB is used to generate the results tabulated at the end of an election. At this point, the eSlate shows a blue screen that thanks the voter for voting, and displays a waving American flag. The voter instructions state that a voter knows her vote has been cast when she sees this flag. If she has been using the auditory feedback, she will hear a similar message through the headphones and will know that her voting process is complete.

A Voting Demon for the eSlate without VVPAT Printer:

 A Voting Demo for the eSlate with a VVPAT Printer:

Security Concerns

Security Seals Ideally, the eSlate’s and JBC’s exposed ports, memory card access areas and case seams would be covered with tamper-evident security seals. The integrity of these seals should be maintained at all times, and only breached under controlled, explained circumstances. Seals should be logged to maintain chain of custody of sensitive materials.

Cables Must Be Secured The eSlate system is daisy-chained system where the JBC controls multiple eSlate terminals. The places where the first cable connects to the JBC as well as the area on the top of each eSlate where two of these cables connect are particularly sensitive. The last eSlate on the “daisy-chain” – likely the eSlate farthest from the JBC – is especially sensitive as it will have one cable coming from another eSlate, but will also have an exposed serial cable port. A malicious party could connect their own cable or device to this exposed port and essentially take control of the election, the software in the eSlate and JBC as well as vote data stored locally on each eSlate and remotely on the JBC. Ideally, this last exposed serial port will be covered or otherwise disabled. Jurisdiction should use security seals or protected serial cables that cannot be easily disconnected by voters (granted, this might make them difficult for poll workers to connect and disconnect).

VBO is Sensitive and Sealed The VBO, Hart’s VVPAT subsystem, is a sealed unit that stores official vote data. The unit should not be opened or serviced except infrequently under monitored and controlled circumstances so that all security seals are logged and reapplied. The entire VBO unit should be replaced when an error or jam occurs. The VBO, if jostled out of its place, can be made to interrupt or duplicate printing.

JBC and JBC Ports are Sensitive The JBC controller and the ports on the back of the JBC are sensitive. With access to the JBC, access codes can be printed out to allow duplicate voting. The ports on the back of the JBC should be covered or otherwise disabled. With access to these ports, a malicious party could take control of the election, activate arbitrary numbers of voter Access Codes, cast votes, erase votes and other things. Access to the JBC and to the area in the back of the JBC control panel where these ports reside should be monitored and controlled at all times.

MBB Memory Card is Sensitive Corrupt MBB cards can introduce viruses, cause the main election server to crash and falsify votes. Access to the MBB memory card should be controlled, monitored and logged at all times.

Background3

In 1997, Neil McClure and Kermit Lohry led a patent application for a new networked voting machine. In conception, the network-based aspects of the machine were not very different from the Fidlar ES 2000, but it was a full-face push-button machine. Initially, the developers founded their own company, Worldwide Election Systems, to market the machine they named The Elector. When it came time to market their system, they needed a partner. Hart Information Services, an established Texas ballot printer, bought several small election companies in the late 1990s, including Worldwide, before reorganizing as Hart Intercivic.

With support from Hart, McClure and his associates redesigned their system using a at-panel display, producing the machine they dubbed the eSlate. The eSlate saw successful use in the 2000 presidential election in Tarrant County, Texas and several other counties. It attracted significant attention with its features supporting the needs of voters with disabilities. [918] A few months later, the inventors applied for a patent for the eSlate.

References

California Top to Bottom (T2B) Review (2007)
Hart Intercivic Source Code Review
Hart Intercivic Penetration Test Report
Hart Intercivic Documentation Review

Ohio EVEREST Review (2007)
Hart Intercivic Executive Summary
Hart Intercivic Technical Manager Report
Hart Intercivic Technical Details Report
Final Full Report
Final Technical Report

An Analysis of the Hart Intercivic DAU eSlate, USENIX,2007


eScan

The Hart Intercivic eScan is a precinct-based, digital ballot scanning system. After marking a paper ballot, the voter feeds it directly into the eScan at the precinct. The ballot image is stored as a Cast Vote Record (CVR) on a flash memory card that can be retrieved and tabulated when the polls close. eScan’s capabilities include functionality to reject overvoted, undervoted and blank ballots, thereby providing second-chance voting at the precinct.

The eScan is a dedicated proprietary piece of hardware, with a built-in automatic feed scanner, a thermal line printer, local flash memory, and two secure compartments for ballot storage. The eScan is intended to be used only with ballots printed in advance on paper of a specified weight and dimension. Voters or pollworkers feed the ballots into the eScan one at a time. The eScan scans the ballots, creates a CVR from the ballot (including images of any written-in candidates), and stores the paper ballot in one of the two ballot storage bins (a scanner bin and a bin for use in emergencies that has an access slot). The CVR is written to a Mobile Ballot Box (MBB).

The two ballot storage bins are each sealed with a Hart security seal at election headquarters, and the emergency ballot slot is opened to allow depositing of paper ballots during emergencies (such as power failures) without disturbing the security seal on the ballot bin door. Jurisdictions can choose to seal the MBB into its compartment before delivery of the equipment to the polling place; alternatively, they can deliver MBBs to polling places on election day morning and seal them then. EScan options are defined in a Ballot Origination Software System (BOSS) when the election is defined. The eScan unit itself maintains audit logs that include system startup and shutdown information, CVRs written and other events like ballot rejection overrides. The eScan units are configured by SERVO, which resets the time, public counter, CVRs, signing key, and audit log. SERVO also optionally resets MBBs in the eScan to clear the CVRs and audit logs. SERVO can also back up CVRs and audit logs from the eScan, and create a Recovery MBB from those records.

Hart Intercivic eScan ATThe Hart InterCivic eScan A/T voting device is equipped with an audio tactile interface (ATI) that enables a voter with disabilities to listen to instructions for using the ATI controllers and an audio version of the ballot, to make selections for each race or question on the ballot, to review all selections and make changes if necessary, and finally to cast the ballot privately and independently.  The voter’s ballot selections are recorded electronically in the device’s memory and included in the results for the precinct.  No record exists to tie an individual voter to a specific ATI ballot.  Voters who use “sip and puff” or tactile input switches may plug their own assistive devices into the ATI controller and use them to operate it. While a voter is using the ATI device, other voters may continue voting and may insert their paper ballots into the eScan A/T at any time. The eScan A/T will be used statewide in Oklahoma in 2012.

 

Hart BallotVoting Process:

1. Receive your ballot from a poll worker and proceed to your voting booth.

2. Using a blue or black pen fill in the box to the left of your choice completely as shown on the right. To vote for a write-in candidate, fill in the box completely next to the words “Write-In” and write the candidate’s name on the line provided. Do not mark more choices than allowed. If you make a mistake, ask an election officer for a new ballot. (The old ballot will be voided.)

2. When you finish marking your ballot take it to the eScan. If the eScan displays the “Ready to Scan message, insert your ballot into the ballot feed slot. The eScan will scan ballots inserted in any orientation and reads both sides of a double-sided ballot at the same time.

3. The “Scanning Ballot” screen displays as the eScan reads the ballot. Watch and wait for any voter instruction messages. If the ballot is properly marked, the eScan accepts the ballot and displays a waving American flag to indicate that the ballot has been recorded. If the ballot is not properly marked, the eScan will display Voter Instruction messages.

A Voting Demo for the eScan from Nevada County CA:

 A Pollworker Video from Nevada County CA:

Security Concerns1

Unsecured network interfaces Network interfaces in the Hart system are not secured against direct attack. Poll workers can connect to JBCs
or eScans over the management interfaces and perform back-office functions such as modifying the device software. The impact of this is that a malicious voter could potentially take over one or more units in a precinct and a malicious poll worker could potentially take over all the devices in a precinct. The subverted machines could then be used to produce any results of the attacker’s choice, regardless of voter input. We emphasize that these are not bugs
in the Hart software, but rather features intentionally designed into the system which can be used in a fashion for which they were never intended.

Vulnerability to malicious inputs Because networked devices may be connected to other, potentially malicious devices, they must be prepared to accept robustly any input provided by such devices. The Hart software routinely fails to check the correctness of inputs from other components, and then proceeds to use those inputs in unsafe ways. The most damaging example of this is that SERVO, which is used to back up and verify the correctness of polling place devices can itself be compromised from those same devices. This implies that an attacker could subvert a single polling place device, through it subvert SERVO, and then use SERVO to reprogram every polling place device in the county. Although we have tested some individual components of this attack, we did not have time to confirm it in an end-to-end test.

No or insecure use of cryptography The standard method for securing network communication of the type in use in the Hart system is to use a cryptographic security protocol. However, we iound a notable lack of such techniques in Hart’s system. Instead, communications between devices generally happen in the clear, making attack far easier. Cryptography is used for MBBs, but the key management involves a single county-wide symmetric key that, if revealed, would allow an attacker to forge ballot information and election results. This key is stored insecurely in vulnerable polling-place devices, with the result that compromise of a single polling place device enables an attacker to forge election MBBs carrying election results for any device in the county.

Failure to protect ballot secrecy Hart’s system fails to adequately protect ballot secrecy. A poll worker or election official with access to the raw ballot records can reconstruct the order in which those votes were cast. Combined with information about the order in which voters cast their votes, this can be used to reconstruct how each voter voted.

References

California Top to Bottom (T2B) Review (2007)
Hart Intercivic Source Code Review
Hart Intercivic Penetration Test Report
Hart Intercivic Documentation Review

Ohio EVEREST Review (2007)
Hart Intercivic Executive Summary
Hart Intercivic Technical Manager Report
Hart Intercivic Technical Details Report
Final Full Report
Final Technical Report

An Analysis of the Hart Intercivic DAU eSlate, USENIX,2007


IVS LLC


Inspire

The Inspire voting system designed and marketed by IVS, LLC is a telephone based assistive device used in configuration with an optical scan voting system. Voters listen to the ballot through headphones and make their selections on a touchtone telephone-style keypad using the Inspire voting system. Selections are printed on a paper ballot, which the individual voter can read and review. Blind voters can review their selections using the printed ballot by scanning the barcode on each paper ballot, they can listen to their selections being read back to them in the headphones. Paper ballots also contain human readable characters of voters’ selections, so ballots can be manually counted and used for a recount if necessary.

The resulting ballots are either printed at a secure central location (Central Print) or via a fax at the polling site (Fax Print) depending on the configuration employed. With the Central Print option, ballots are printed at a secure central location with a cover page in order to protect voter privacy.Ballots are printed with a machine-readable bar code that is read by the system and the ballot is read back to the voter prior to their vote being cast. With the Fax Print option, the paper ballot is printed at the polling site, allowing the voter can then verify their ballot is correct prior to casting it in the ballot box.

The Inspire system also allows any voter to practice navigating the ballot before Election Day from home using a telephone. The Preview and Practice feature allows voters to call a toll-free number, enter an access code and navigate through the entire ballot as if they were voting on an Inspire machine, allowing voters to become familiar with candidates, contests and amendments on the actual ballot before Election Day.

IVS Inspire Ballot Marking Device

ivs_inspire_bmd

In November 2016 the State of Connecticut deployed the IVS Inspire Ballot Marking System for the first time. The Ballot Marking System uses the same software and assistive features as the Inspire Vote-By-Phone system but rather than working through telephone lines the system interfaces directly with a Brother printer to print a marked ballot, which is scanned along with other ballots in the polling place.

The Ballot Marking System includes a tablet and a keypad with headphones and voters may use the touch screen on the tablet, or by using the connected audio system on the keypad. The audio system, which includes headphones, works by a series of cues requiring voters to push different buttons on the telephone-style keypad to make choices for each office. Both the touchscreen and the audio provide voters with the opportunity to review and revise their choices.


Microvote General Corporation


ACP

The Model ACP-2200 Optical Mark Reader is a central count dual sided scanner manufactured by Chatsworth Data Corporation and used in configuration with MicroVote election management software to tabulate absentee ballots in jurisdictions using MicroVote’s Infinity or MV-464 DREs. The ACP (Accessible Card Path) design allows access to the card path and optic lens for clearing obstructions and performing preventative maintenance on the unit. After the ballot has been scanned, the resulting data string is terminated by a carriage return (CR) and is automatically transported to the communication port of the attached computer. RS-232C Serial communications is standard on the APC-2200.

The ACP-2200 utilizes “Visible Red” illumination reads black or blue marks made with a ballpoint pen or felt-tip pen as well as standard pencil marks. Background printing must be in the visible red range. “Infra Red” illumination is available as an option for pencil only marking with colored background printing. MicroVote voting systems are also used in configuration with predecessor to the ACP 2200, the OMR 9002 dual sided scanner. The ACP 2200 scanner is included in MicroVote’s v.4.0B EAC certification.

Voting Process

Ballots compatible with the Chatsworth scanners resemble punchcard ballots. Candidates names do not appear on the ballot ut are referenced by numbers on an addtional page provided to voters. Voters should use  black or blue felt tip or ballpoint pen or a standard #2 pencil to make their selections. The voter should completely fill in the oval to the right of the the number corresponding to their selected candidate.

To select a write-in candidate, the must fill in the oval to the right of the number that corresponds to “Write In” for the office for which they want to write in a candidates name. The voter must then write the candidate’s name on the reverse side of the ballot.

Over-Votes: If a voter casts votes for more than the allowable number of candidates in a contest or cast votes for and against an issue in a contest. Over-voted races cannot be counted. In jurisdiction using a central count voting method there is no way for a voter to be notified of an overvote so be very careful to vote for only the allowable number of candidates in any contest (in most cases one). If you do accidentally over-vote and you have not put your ballot into the ballot box, you can request a new ballot from an election official. You will be asked to sign a Spoiled Ballot Affidavit. You may “spoil” up to two ballots and receive another (three ballots total). Once you drop your ballot in the ballot box, no changes can be made.

Ballot Reading Issues

During the initial EAC certification process MircoVote’s v.4.0 voting system separate accuracy test was conducted for the central count ACP2200 OMR scanner. As the ACP2200 OMR is consumer off the shelf (COTS) hardware it was exempted from the Temperature and Power Variations Test (v.2 section 1.7.1.1) the Accuracy and Reliability testing was conducted at ambient office temperature. The test variables included a maximum size ballot card (402 ovals) with 11 contests and 35 candidates per contest (385 Ballot Positions per Ballot). A total of 4026 ballots were supplied by MicroVote. These had been marked by hand in pencil. Ballots were inserted two times in different orientations. The test was executed three times. The initial test was halted due to a failure to record scanned cards into the EMS. A new version of the EMS software was submitted and after resolution of the issue was validated, a second test was halted upon multiple random ballot misreads occurred.

The ACP2200 OMR hardware was returned to the Chatsworth for diagnosis. No problems were identified except for a bent pin. The scanner was returned to the testing lab with two additional scanners. The ballot batch that had been identified as problematic was scanned on all three units. All three reported random misreads. The problem ballot batch was forwarded to MicroVote. The result of this examination was for MicroVote to retest and revise their specification for ballot marking devices. New ballots were tendered by MicroVote which complied with the specification for black ink. The testing lab marked 10% of the cards with BIC 0.7mm #2 lead pencils and all ballots were successfully read.

References

MicroVote General Corporation Election Management System (EMS) Voting System v. 4.0.0 VSTL Certification Test Plan, Election Assistance Commission, 2009

Certificate of Conformance MicroVote EMS 4.0B (Modification), Election Assistance Commission, 2010


Infinity

The Microvote Infinity is a direct-recording electronic (DRE) voting machine with a push button interface. The Infinity Voting Panel consists of a monochrome LCD display, with selection buttons for 32 locations. In voting mode the display is organized as a two-column ballot with 15 selection locations (buttons) on each side of the display. A 16th location button, at the bottom of each column, is used for backwards and forward page navigation. After a voter has completed and reviewed all selections, they submit their  vote by selecting the “Cast Vote” button. Lights associated with this button identify when it is active. Capabilities include the system security, system readiness, poll opening, voting, poll closing, report printing and extraction of results.

The Infinity Voting Panel presents a visual ballot on an LCD panel with a text-to-speech voice synthesized audio ballot option. Non-electronic methods, such as mouth sticks, head sticks or the foot are used to provide non-manual vote entry. Voters record a candidate or referendum selection by pushing a button mapped to a selection location. Access to poll worker administrative functions is controlled by smart card insertion (Start and Tally cards) and password entry. Access to a voting session is performed by the poll worker via smart card insertion (Vote and N Vote cards).

The MicroVote EMS voting system consists of the EMS software, a ballot preparation and central count software application developed by MicroVote General Corporation; the Infinity Voting Panel, a DRE polling place device manufactured by Carson Manufacturing with audio ballot capabilities provided by the DoubleTalk, a text-to-speech audio device manufactured by RC Systems; and the Chatsworth ACP2200 OMR scanner, manufactured by Chatsworth Data Corporation. The EMS software Ballot Preparation functionality includes the Installation Database and the Election Database. In order to modify these databases the user selects either the Installation or Election mode.  Election Databases can be created from either mode. The Installation Database contains standard data that is unlikely to change from election-to-election. The Election Database contains data for one specific election. The standard default data is generated by the Installation Database. These standard defaults can be used or overwritten for a specific election in the Election Database.

The EMS software Central Count functionality supports vote capture and tabulation of paper ballots (standard data cards) read by the Chatsworth central count dual sided ACP2200 OMR scanner. This software consolidates and reports Infinity Voting Panel and optical scan election results. Election Summary, Precinct Summary and Audit Log reports can be displayed and printed.

MicroVote InfinityVoting Process: The voter makes each candidate selection by pressing the gray button beside a candidate’s name. An “X” will then appear next to the candidate’s name. If the voter wishes to change her selection, she presses the button next to the candidate’s name a second time, which de-selects the candidate.  The voter navigates through the ballot by pressing a “Next Page” button on the lower right of the display panel, and can review her ballot by pressing a “Previous Page” button on the lower left of the panel. To cast a write-in vote, the voter presses the gray write-in selection button, and then presses the buttons next to the letters in the candidate’s name. When the voter is ready to cast her vote, she presses a red “Cast Vote” button on the right side of the display panel.

If a voter is using a wheelchair or does not believe she will be able to stand at the machine long enough to complete the voting process, the Infinity display panel can detatch, and the voter can hold the panel in her lap.  For voters with vision disabilities, the Infinity has an audio functionality called DoubleTalk. The DoubleTalk module is connected to the Infinity’s communications port before the pollworker inserts the voter card. A voter may bring her own headphones to use, or use the  headphones supplied with the DoubleTalk module. The DoubleTalk module will instruct the voter on how to navigate through her ballot using the same buttons used by all voters.

A Voting Demonstration Video for the MicroVote Infinity can be viewed here.

A Pollworker Training Video for the MicroVote Infinity:

Security Concerns

Security Seals Ideally, the Infinity’s exposed ports, memory card access areas and case seams would be covered with tamper-evident security seals. The integrity of these seals should be maintained at all times, and only breached under controlled, explained circumstances. Seals should be logged to
maintain chain of custody of sensitive materials.

External Communication Ports The Infinity has exterior communication ports (RJ45, like Ethernet connectors) that may or may not be sensitive. Unfortunately, there has been no publicly disclosed independent evaluation of the Infinity, so it is difficult to say if an attacker could connect to the terminal via these ports. Ideally, these ports would be covered or disabled during voting.

CompactFlash Cards The Infinity uses an 8MB CompactFlash card to store vote data. If this card is easily accessible, it could be a sensitive area of the Infinity. Unfortunately, we are uncertain as to how the CompactFlash card is inserted and removed from the Infinity.

References

Certificate of Conformance MicroVote EMS 4.0B (Modification), Election Assistance Commission, 2010.

Voting System Technical Advisory: Configuration Management Issues with EAC Certified MicroVote EMS 4.0B, Election Assistance Commission, 2010

MicroVote General Corporation Election Management System (EMS) Voting System v. 4.0 VSTL Certification Test Report, Election Assistance Commission, 2009


MV-

The Microvote MV-464 represents an older generation of direct recording electronic voting machines that uses push-buttons adjacent to each ballot item to cast votes, with a light by each button giving positive feedback that the vote has been registered. The ballot issues are printed on a paper ballot label that is protected behind a window between the rows of buttons, and the machine itself opens up and assembles into a voting booth, just as the classic lever machines did – the side privacy panels of the machine in the photo were folded into the lid at the time, in order to allow greater visibility during a demonstration of the machine.

The Microvote machine has only 64 buttons, and many elections would require significantly more than this if the full ballot were to be displayed at once. Microvote has a patented “ballot paging system” that allows a ballot with up to 512 candidates or positions on issues to be divided into 8 pages for presentation. The ballot label is printed on a single scroll, with the pages printed side-by-side, and the machine contains a motor drive that advances the scroll to the left or right as the voter works through the issues on the ballot.

Voting Process: The voter makes each candidate selection by pressing the gray button beside a candidate’s name. This turns a light on next to the button. To change a selection, a voter presses the gray button a second time, and the light turns off. The voter may navigate forward through ballot screens by pressing the green “Advance Ballot”  bar at the bottom of the panel. The voter may navigate back through ballot screens by pressing  the blue “Review Ballot” bar at the bottom of the panel. The voter must view all pages of the  ballot before the machine will allow a vote to be case. To cast a write-in vote, the voter presses the gray write-in selection button on the bottom left  side of the panel. The light next to it will start blinking.  The voter then writes in the desired  name on the paper tape in the write-in window, also at the bottom left of the panel.  The voter  may change his or her mind by pressing the same write-in button again to turn out the light, and  then vote as usual. To cast the ballot, the voter presses the red “Cast Vote” button on the bottom right side of the  panel. The Microvote MV464 is no longer in production.

A Voting Demonstration Video for the MicroVote MV-464:

Background1

In 1985, William Carson of Indianapolis led for a patent on an electronic voting machine built by Carson Manufacturing Company and marketed by a new company, Microvote General Corporation of Carmel, Indiana. Carson’s MV-464 voting machine featured a display window with a row of 32 push buttons on each side. The ballot displayed on the window was printed on paper. For small elections involving fewer than 64 candidates, a single page behind the window would have sufficed. But because general elections are frequently quite complex, the paper was mounted on rollers, one under each column of push buttons, so that the paper could be scrolled from side to side to display successive pages of ballot issues.

Most previous direct-recording voting systems shared a common weakness: The vote total for each candidate was stored in just one place, either a mechanical counter or a memory location in a computer. Any failure in that storage mechanism meant that the corresponding vote record would be lost. The MV-464 addressed this weakness by storing vote records redundantly, one copy in an electronic record, and another copy printed on a roll of adding-machine tape inside the machine. In the event of any question about the integrity of the electronic records in the machine, the paper record could be recounted by hand.

Carson was aware of the threat to voter privacy resulting from printing votes sequentially, so he randomized somewhat the order of printing. The machine did not print any vote records until 4 records had been accumulated. From this point on, each time a voter used the machine, it printed one of the 4 records in its memory, selected at random.” The exact mechanism used for randomization was not disclosed, but even weak randomization oers greater ballot secrecy than simple sequential recording. The price for the randomization was that in the event of a failure in the electronics, the last 4 votes cast would be lost.


Populex


PopulexSlate

The PopulexSlate can be configured to serve multiple roles at the same time. For example, it can be configured to be both a Judge’s Check-In Station and a Ballot Counting Station, or it can be configured to be both a Voting Station and Personal Verification Station. The PopulexSlate also provides redundancy at the polls because its role can be changed at any time, should another PopulexSlate fail in the polling place on Election Day.

The PopulexSlate features include: a smart-card slot to insert and read (or program) the smart-card voter election keys; a printer slot to insert a blank ballot, with a matching slot where a printed ballot is ejected from the PopulexSlate device; a touch-screen interface for the voter or poll worker to interact with the PopulexSlate device. This touch screen will only accept user input using a special stylus attached to the PopulexSlate. It will not react to human touch, or the touch of other objects such as a pen; ƒ a standard numeric keypad that can be used for straight numeric input, such as the PopulexSlate password, or for ballot navigation in audioballot mode; and a hand-held barcode scanner to read the barcodes on the Populex ballots.

<p>PopulexSlate Server Interface</p>

The internal components and software of the PopulexSlate are all COTS products: ballot and report printing are performed by the Lexmark Z605 (or Z615) inkjet printer housed inside the PopulexSlate, the core of the PopulexSlate is a Compaq TC1100 tablet PC, which serves as the central processing unit of the PopulexSlate, as well as the touchscreen interface with which the users interact. The TC1100 is a fully functioning personal computer, featuring a removable 20 Mb hard drive, as well as USB, infrared and Ethernet ports. The TC1100 includes a built-in wireless network interface, although the vendor states that the units are manufactured and shipped with this interface disabled. The PC is attached to the PopulexSlate chassis and held in position by Velcro. The PopulexSlate’s TC1100 runs on a version of the Microsoft Windows XP Tablet PC edition operating system. The PopulexSlate’s application software, Polling Place Functions (PPF), runs as a shell if the user logs onto the operating system using the standard operator password. This shell is reasonably restrictive and appears to confine the user to the PPF application, unless the user shuts down and restarts the TC1100. The alternate administrative password provides full access to the TC1100 PC, including: Full read/write access to the hard drive, with sufficient permissions to install executable files; full access to the Windows control access, including permission to modify & reset passwords; and Administrative access to enable or disable operating system services.

Populex Ballot with Barcode

Voting Process: Once a new voter has been verified as eligible to vote, a poll worker programs an  Election Key (smart card) for the voter on a Judge’s Check-In Station. This key  contains the ballot style and party information for that voter, as well as the accessibility support required for the voter. The voter is given the Election Key and a blank ballot. The voter then inserts the Election Key into a Voting Station to activate the station and vote his or her ballot. The voter marks their selections on the PopulexSlate touchscreen using the pen provided. When the voter is done, the ballot is printed with the voter’s vote choices. The PopulexSlate’s interface prevents over-voting and provides warning for under-voting.

The PopulexSlate provides an audio ballot mode for accessibility. The voter may take the ballot to a verification station and scan the bar code on the ballot to have the ballot’s vote choices displayed or read back to the voter. Alternatively, the voter may verify the ballot by looking up the plain text “punch codes” on the ballot against a print-out that translates those punch codes to actual candidate names and ballot measure choices.

Once the voter is satisfied that the ballot accurately reflect his or her vote choices, the voter can go to a Ballot Counting Station and scan the ballot before dropping it into the ballot box. Alternatively, the ballot can simply be deposited into a ballot box for later tabulation.

Security Concerns

The PopulexSlate’s housing or cover is a heavy-duty molded plastic. There is no built-in physical lock to secure the housing. Instead, the housing is secured by a small metal tab on the chassis that extends through a slot in the cover. This metal tab has a small hole through which a small lock (such as a luggage lock) or a tamper-evident seal can be placed. While this mechanism appears insufficient and fairly easy to circumnavigate to access the internal components of the PopulexSlate, it may be sufficient to make such unauthorized access detectable. Further, the design of most modern voting equipment provides differentiated levels of physical access. For instance, memory ports or poll worker controls can be accessed through separate locked access doors, without providing full physical access to the rest of the hardware components. With the Populex PopulexSlate, no such differentiation on physical access is provided – it is all or nothing. The cover must be fully opened for maintenance tasks such as installing the election definition and programming, replacing the printer ink cartridge, or resetting the printer paper guides, exposing every internal component of the device.

From the California Secretary of State’s Staff Review of the Populex Voting System (2006): All ballot styles are available on the Judge’s Check-In Station for creating  Election Keys, thereby increasing risk of incorrect ballot style assignment to a voter. As noted previously, the PopulexSlate is always programmed with the entire election definition and all ballot styles. Unlike most voting systems, the PopulexSlate cannot be locked down to a specific set of ballot styles for the assigned precinct. Because the poll worker must identify the precinct/ballot style for each voter Election Key, there is a significant risk of choosing the wrong ballot style.

Manual, visual verification of the ballot is complex. Some voters may not trust the PopulexSlate verification system, since it is essentially the same system that recorded their vote choices and printed the ballot. The clear text printed portion of the ballot only lists “punch numbers”. A separate printed reference is necessary to translate these numbers into contests, candidates and ballot measure choices. While the Populex EMS application does feature a “punch number report” for cross-references, the vendor acknowledges that the report is not in a voter-friendly format.. It is incumbent on the jurisdiction to reformat and print this data in a manner that is usable by the voter. Although the vendor suggests that this cross-reference information should be posted in the voting booth, it is questionable whether there is enough room to accommodate all the various lists that would be required, particularly in a primary election with multiple political parties and in polling places that integrate multiple precincts.

The Populex touch screen cannot be blanked for blind voters to protect their votes from being observed. Unlike many voting systems, the PopulexSlate does not provide the blind voter with the option to blank the display screen. Consequently, it is possible for someone to observe the blind voter’s ballot choices unbeknownst to the voter.

Nothing prevents a voter or poll worker from double-tabulating a Populex ballot. As originally designed, each Populex ballot in this voting system contained a unique ballot identification number to prevent a ballot from being scanned and counted multiple times. The State of California has determined that the unique ballot identification number is prohibited by State law, and the vendor has subsequently removed that number from the ballot for the California version of the system. Unfortunately, that puts this voting system at risk for accidental or intentional mis-tabulation of the vote results. Most voting systems prevent double scanning of ballots (or at least make it extremely difficult to do so), by physically capturing custody of the ballot as it is scanned. In the system configuration where the voters scan their ballots throughout Election Day, the voter must hold the ballot under a bar code scanner and then manually drop the ballot into a ballot box. Nothing prevents the voter (or a poll worker) from scanning a ballot more than once. While basic ballot accounting can inhibit this, such accounting would be fairly simple to circumnavigate. For example, a poll worker could double-scan a ballot that contains the punch code of a particular candidate and then, later, drop an adverse ballot into the ballot box without scanning to keep the ballots cast counts balanced. For this reason, tabulation must not be done by voters and poll workers throughout the day.

The Populex system provides no electronic support for provisional ballots. If such ballots are cast on the PopulexSlate, they must be physically segregated and processed in the same traditional manner as provisional ballots in other paper ballot systems. Alternatively, the jurisdiction may want to use their existing absentee ballot system for provisional voting.1


Premier/Diebold


AccuVote OS Central Count

The AccuVote-OS (also known as the AV-OS) is the same hardware scanner that is used for the precinct count optical scanning but it has a different embedded software (“firmware”) installed. Its configuration allows it to be linked with a number of other AV-OS units via a network whereby voting data can be sent into the GEMS server from many scanners concurrently scanning ballot batches. Firmware version 2.0.12 designates the machine is configured for ‘central count” as opposed to “precinct count.” Central count AV-OS is often used to count absentee ballots as well as provisional and damaged but “remade” paper ballots at county election headquarters or another centralized location. Premier/Diebold also markets a smaller unit (left) that provides high-speed scanning capability.

Unlike the precinct count AV-OS, the AV-OS central count units’ operation is largely controlled by GEMS. While the units scan ballots and interpret the ballot marks, the AV-OS central count uploads the voting data to GEMS and does not tabulate or keep any record of votes on the unit. The central count AV-OS memory card needs no ballot definitions and only has some technical information regarding the particular scanner so that it can be individually tracked as it scans ballots. It can be used with or without an automatic ballot feeder called the AccuFeed.

AccuVote OS Central Count Voting Instructions

1. After you check in at the polling place, a poll worker will give you a paper ballot, which you will mark with the pen provided. Be sure to verify with the poll worker that you are using the correct pen for the machine used in your polling place.

2. Mark your choice on the ballot by darkening the oval (above right) next to your candidate’s name or selection. Follow the directions carefully to be sure your mark will count.

3. To cast a write-in vote, there are two steps: first, darken the oval for the Write-In position in that contest. Second, write the name of the person you are voting for on the line next to the Write-In oval. You must complete both steps to be sure your write-in vote will be counted!

4. When you have made all the choices you wish to make, review your ballot carefully. If you have made a mistake marking your ballot, ask a poll worker for another ballot.

5. When finished making your choices, place your ballot in the ballot box. All ballots in your county will be counted at a central location after the polls close. Because your ballot is counted after you leave the polling place, you will not be alerted of any over-votes or under-votes.

IMPORTANT

Over-Votes: If a voter casts votes for more than the allowable number of candidates in a contest or cast votes for and against an issue in a contest. Over-voted races cannot be counted. In jurisdiction using a central count voting method there is no way for a voter to be notified of an overvote so be very careful to vote for only the allowable number of candidates in any contest (in most cases one). If you do accidentally over-vote and you have not put your ballot into the ballot box, you can request a new ballot from an election official. You will be asked to sign a Spoiled Ballot Affidavit. You may “spoil” up to two ballots and receive another (three ballots total). Once you drop your ballot in the ballot box, no changes can be made.

References

Integrity of Electronic Voting Systems: Fallacious Use of Cryptography, Computer Science and Engineering Department, University of Connecticut, 2011

Top to Bottom Review, California Secretary of State (2007)
Premier Source Code Report
Premier Red Team Report
Premier Documentation Report

Ohio EVEREST Review
Premier Executive Summary
Premier Technical Manager Report
Premier Technical Details Report
Final Academic Report
Systest Technical Report

Security Assessment of the Diebold Optical Scan Voting Terminal, UConn VoTeR Center and Department of Computer Science and Engineering,University of Connecticut, 2006


AccuVote OS

The AccuVote-OS is a precinct and central accumulation optical scan voting system. The AccuVote is a small system, and can be transported without excessive difficulty. When using the AccuVote-OS as a precinct based optical scan unit, ballots are processed in the polling place, not transported to a central location. Only the voter touches the ballot between the time it is cast and the time it is counted. The AccuVote-OS integrates the vote tabulation and recording process into one unit. The unit is powered with both an internal battery source and an external source. The AccuVote-OS is currently in use in 900 jurisdictions.

Note: The AccuVote OS was marketed, first by Unisys and then by Global Elections Systems as the ES 2000 and is still referred to by that name in some jurisdictions. When Diebold acquired Global in 2002, the name was changed to AccVote OS. (See Background below)

Premier Election Solutions, formerly Diebold Election Systems, was purchased in 2009 by Election Systems and Software (ES&S) and was subsequently sold to Dominon Voting following a 2010 antitrust settlement.

AccuVote OS Voting Instructions

1. After you check in at the polling place, a poll worker will give you a paper ballot, which you will mark with the pen provided. Be sure to verify with the poll worker that you are using the correct pen for the machine used in your polling place.

2. Mark your choice on the ballot by darkening the oval (above right) next to your candidate’s name or selection. Follow the directions carefully to be sure your mark will count.

3. To cast a write-in vote, there are two steps: first, darken the oval for the Write-In position in that contest. Second, write the name of the person you are voting for on the line next to the Write-In oval. You must complete both steps to be sure your write-in vote will be counted!

4. When you have made all the choices you wish to make, review your ballot carefully. If you have made a mistake marking your ballot, ask a poll worker for another ballot.

5. When done voting, take the ballot to the scanning machine and insert it face up. If you have voted for more candidates for a race than can be elected (“over voted”), the machine may reject your ballot and will offer you the opportunity to correct your mistake. You may choose to submit your ballot as is, or correct the over-vote by marking a new ballot. (If you submit as is, your votes will be counted for all races except the over-voted race.) If the scanner is not working, your ballot will be secured to be scanned later.

A Voting Demo from the CT Secretary of State:

A Pollworker Training Video from Fairfax County VA:

Security Concerns

Security Seals Ideally, the OS’s exposed ports, memory card access areas, ballot box doors and case seams would be covered with tamper-evident security seals. The integrity of these seals should be maintained at all times, and only breached under controlled, explained circumstances. Seals should be logged to maintain chain of custody of sensitive materials.

Keys The keys for the AccuVote-OS are the same for all AccuVote-OS machines and are easily pickable with readily available tools. Care should be observed around the ballot box lock and the scanner key lock (turns the system off and on).

Ballot Box Access Optical scan systems have at least one and possible more ballot boxes. Each ballot box should be inspected by a voter at the beginning of voting to make sure that they are empty. These ballot boxes should locked and/or be sealed with tamper-evident tape.

Memory Card is Sensitive Corrupt memory cards may be able introduce viruses, cause the main election server to crash and falsify votes. Access to the memory card should be controlled, monitored and logged at all times.

Correct Inks Some Optical Scan systems have trouble reading red inks or inks with red in them. Voters should use the writing instrument provided at the polling place or, if voting at home, black ballpoint pen that does not bleed through paper.

Background1

In 1989, a precinct-count voting system emerged in the marketplace, the Unisys ES-2000. This was built under license from Data Information Management Systems of Ventura, California. DIMS held a patent granted to Kenneth D. Webb for a precinct-count voting system similar to the MTB-2 in that it used a long narrow single-column ballot. The ES-2000 was a vast improvement on Webb’s system in that it used standard-sized paper with a very flexible layout of rows and columns. Unisys Corporation was the result of the merger of two old computer giants, Burroughs and Sperry-Univac. The Unisys press release announcing the ES-2000 emphasized that voters could insert their ballots directly into the scanner and that, at the end of the day, the scanner would automatically upload the results into a Unix-based server at election headquarters.

By the Spring of 1990, Anoka County Minnesota had permission to use the ES-2000 in their primary and general elections that year. Unisys was now selling the ES-2000 under the trade-name Accu-Vote.

The ES-2000 was actually developed by another company, North American Professional Technologies. NAPT was founded by Clinton H. Rickards in 1983, and began development of the ES-2000 in 1986. Development of a new voting system is expensive, and by the time the ES-2000 came to market, NAPT was a subsidiary of Macrotrends International Ventures Inc. of Vancouver. [624,391] Macrotrends was a venture capital rm with a sometimes questionable reputation.[429] How did Unisys get involved? The answer is simple: marketing and service. Unisys computer systems were still widely used by governments at all levels in the 1980s, so the Unisys sales and service organization had good connections with people who might be willing to try a new computerized voting system.

The relationship with Unisys did not last. In late 1991, NAPT merged with Macrotrends to form Global Election Systems Inc. The corporation was technically Canadian, but the executive offices were in McKinney, Texas. Global immediately purchased a share in the patent rights of Data Information Management Systems. Through the decade of the 1990s, Global would grow to become a major force in the election equipment marketplace, largely on the strength of the AccuVote ES-2000.

In 2002, Diebold Inc., a well established manufacturer of bank vaults, automatic teller machines and other security-related products, bought Global to create Diebold Election Systems Inc. Global and Diebold continued to make the Accuvote ES-2000, although the name changed to the Accuvote OS, standing for Optical Scan, to distinguish it from the Accuvote TS, the touch-screen voting system that Global acquired with the purchase of I-Mark Systems.

References

Integrity of Electronic Voting Systems: Fallacious Use of Cryptography, Computer Science and Engineering Department, University of Connecticut, 2011

Top to Bottom Review, California Secretary of State (2007)
Premier Source Code Report
Premier Red Team Report
Premier Documentation Report

Ohio EVEREST Review
Premier Executive Summary
Premier Technical Manager Report
Premier Technical Details Report
Final Academic Report
Systest Technical Report

Security Assessment of the Diebold Optical Scan Voting Terminal, UConn VoTeR Center and Department of Computer Science and Engineering,University of Connecticut, 2006


AccuVote OSX

The Accuvote OSX is a precinct and central accumulation digital scan voting system.  When using the Accuvote OSX as a precinct based digital scan unit, ballots are processed in the polling place, not transported to a central location. Only the voter touches the ballot between the time it is cast and the time it is counted.  The Accuvote-OSX integrates the vote tabulation and recording process into one unit.  The unit is powered with both an internal battery source and an external source.

The AccuVote OSX scanner is a high-resolution image-based optical scanning device and ballot box. The unit comes installed with AccuVote OSX software, which runs on the Windows CE operating system. Election and ballot information defined in GEMS is downloaded to PCMCIA memory cards that are then installed on the AccuVote OSX voting devices. The AccuVote OSX user interface is a bright, four-line 3.5” liquid crystal display (LCD) which works in conjunction with two selector buttons just below it.  The AccuVote OSX Is configured to communicate with GEMS over a local area network, a modem, or a direct connection, and allows an administrator to select an option on the display by pressing one of the selector buttons for tasks that are performed Pre- and Post- Election. The LCD is covered with a locked compartment cover during the election.

The AccuVote OSX features a smart card and password system and supports user defined security keys. It produces reports, logs, and status messages on a thermal printer, generates audit log records for every transaction performed on the unit from the time it is powered on until it is powered off and protects access to the printer and memory card compartments, the rear of the unit where the power button, smart card reader, and communication connections are located. The AccuVote OSX ballot box features three bins. The main compartment is divided into two bins, and there is a third bin in the door of the box. The AccuVote OSX uses the two internal compartments according to conditions set in GEMS and allows for the use of the bin in the door until the AccuVote OSX is replaced by a new unit, should a unit fail on Election Day. Access to the ballot box is protected by doors using locked compartments.

Voting Process: Upon entering the voting precinct, the voter will receive a paper ballot; the voter shades in the paper ballot with any standard pen or pencil and inserts the ballot into the Accuvote OSX, where they are given a chance to review their votes. As votes are entered, the Accuvote-OSX stores the vote tallies on its internal memory card.  When the polls close, the Accuvote OSX then transmits the voting data from the polling place to the central host computer by way of a modem.

AccuVote OSX Voting Instructions

1. After you check in at the polling place, a poll worker will give you a paper ballot, which you will mark with the pen provided. Be sure to verify with the poll worker that you are using the correct pen for the machine used in your polling place.

2. Mark your choice on the ballot by darkening the oval (above right) next to your candidate’s name or selection. Follow the directions carefully to be sure your mark will count.

3. To cast a write-in vote, there are two steps: first, darken the oval for the Write-In position in that contest. Second, write the name of the person you are voting for on the line next to the Write-In oval. You must complete both steps to be sure your write-in vote will be counted!

4. When you have made all the choices you wish to make, review your ballot carefully. If you have made a mistake marking your ballot, ask a poll worker for another ballot.

5. When done voting, take the ballot to the scanning machine and insert it face up. If you have voted for more candidates for a race than can be elected (“over voted”), the machine may reject your ballot and will offer you the opportunity to correct your mistake. You may choose to submit your ballot as is, or correct the over-vote by marking a new ballot. (If you submit as is, your votes will be counted for all races except the over-voted race.)

6. If the scanner is not working, your ballot will be secured to be scanned later.

During EAC certification testing1, the AccuVote OSX was updated to account for an issue where system counter will reset to zero: A hardware reset was affecting the Protective System Counter (PSC), which was archiving the counter only during graceful shutdowns. The hardware reset was zeroing the counter without the current count being archived. The fix for this issue is to now archive the counter after each ballot cast. The modifications made to the PSC affect what the system looks for to trigger an archive of the count. Now, instead of waiting for a signal that the system is gracefully shutting down, the system looks for each event of a ballot being cast. Additionally, the date presented on results tape could be incorrect, as it was using the system date (UTC) instead of the local date. If generated in a time zone that was still in the current day, while the UTC time zone had transitioned into the next day, the results tape would have an incorrect date stamp. The fix for this issue was to reference the local date instead of the UTC date, so that when run in the same scenario that illustrates the issue, the results tape now reflects the correct date.

Security Concerns

Security Seals Ideally, the OSX’s exposed ports, memory card access areas, ballot box doors and case seams would be covered with tamper-evident security
seals. The integrity of these seals should be maintained at all times, and only breached under controlled, explained circumstances. Seals should be
logged to maintain chain of custody of sensitive materials.

Ballot Box Access Optical scan systems have at least one and possible more ballot boxes. Each ballot box should be inspected by a voter at the beginning of
voting to make sure that they are empty. These ballot boxes should locked and/or be sealed with tamper-evident tape.

Memory Card is Sensitive Corrupt memory cards may be able introduce viruses, cause the main election server to crash and falsify votes. Access to the
memory card should be controlled, monitored and logged at all times.

Correct Inks Some Optical Scan systems have trouble reading red inks or inks with red in them. Voters should use the writing instrument provided at the polling
place or, if voting at home, black ballpoint pen that does not bleed through paper.

References

Dominion Assure 1.3 EAC Modification Certification, 2012

Dominion Assure 1.3 EAC Modification Certification Test Plan, 2012

Premier Election Solutions ASSURE 1.2 VSTL Certification Test Report, 2009


AccuVote TS & TSx

The AccuVote TS and TSX are touch screen direct recording electronic voting machines that records votes on internal flash memory. Voters insert a “smart-card” into the machine and then make their choices by touching an area on a computer screen, much in the same way that modern ATMs work. Both systems offer a summary page once the voter has sequenced through the entire ballot, giving the voter an opportunity to verify their choices and to vote in any race they missed. The votes are then recorded to internal electronic memory.

The AccuVote TS/TSX are configured for each election by inserting a memory card into a slot behind a locked door on the side of the machine. The memory card is a standard PCMCIA flash storage card. Before the election, the file system on the memory card stores the election definition, sound files, translations for other languages, interpreted code that is used to print reports, and other configuration information. As each ballot is cast, the AccuVote TS/TSX stores an electronic record of the votes associated with that ballot onto a file on the memory card. At the close of polls, the AccuVote TS/TSX counts all of the votes and prints a summary tape showing the vote tallies. After the election, poll workers remove the memory card from the machine and send it to election headquarters so that the electronic vote records can be uploaded for tabulation.

Internally, the TSX contains much of the same hardware found in a general-purpose PC. It contains a 32-bit Intel xScale processor, 32 MB of internal flash memory, and 64 MB of RAM. The TSX runs version 4.1 of Microsoft’s Windows CE operating system with modifications written by Diebold. An application called BallotStation runs on top of the operating system and provides the user interface that voters and poll workers see. BallotStation interacts with the voter, accepts and records votes, counts the votes, and performs all other election-related processing. The TSX also contains a custom bootloader and other low-level support software.

Smart cards are used with the AccuVote TS/TSX to authenticate voters and poll workers. Each smart card is a piece of plastic in the shape of a credit card with an embedded computer chip that can communicate with the AccuVote TS/TSX when inserted into a slot on the side of the machine. Smart cards are used to authenticate voters. When a voter signs in, a poll worker gives them an activated voter card. The voter inserts the card into an AccuVote TS or TSX, and the machine allows her to cast one ballot. Once the vote has been recorded, the AccuVote TS/TSX deactivates the voter card so that it cannot be used to vote a second time. The voter returns the card to poll workers, who can reactivate it for subsequent voters. Alternatively, in some jurisdictions poll workers activate the voter card and then insert it into the AccuVote TS/TSX unit for the voter, so that voters do not have to insert it themselves. Supervisor cards are used to authenticate poll workers. The chief poll worker would normally be given a supervisor card. When the supervisor card is inserted into an AVTSX unit, the poll worker is presented with extra functionality not available to voters, such as the ability to close the polls or examine audit logs. Supervisor cards would normally not be provided to voters.1

A Voter Demonstration Video for the AccuVote TSX with VVPAT printer prepared by the Mississippi Secretary of State can be viewed here.

Voting Process: When the voter enters the precinct, he or she is given a smartcard by a poll worker after confirming the voter is registered. A smart-card is a card the size and shape of a credit-card which contains a computer chip, some memory and basic data such as the voter’s voting language and political party. The voter then takes the smart-card to a voting machine and inserts the smart-card into the machine to allow voting. After using the touch screen to vote, the record of the vote is directly recorded electronically to multiple, internal flash memory cards and the voter’s smart-card is reset to ensure that it can only be used to vote once. The smart-card pops out of the machine with a loud “click” and the voter returns it to a poll worker.

Checking the Voter-Verifiable Paper Trail: If the TSX is equipped with the voter-verifiable paper trail, the printer tape is located to the right of the touch screen, under transparent plastic. Voting takes place as described above however, at the conclusion of voting, a paper ballot is printed and displayed in the Accuview housing so that the voter can verify their selections before the ballot is deposited into a container within the printer module to await retrieval by poll workers.

Pollworker Information: When the polls close, a poll worker or election official inserts a different-type of smartcard, an administrator card, into each voting machine and puts the machine into a postelection mode where it will no longer record votes. At this point, the machine writes the votes from its internal memory to flash memory on a PCMCIA card, a removable form of flash memory. A printed tape of all votes cast or vote totals for the voting machine can also be printed out at this time depending on local procedure and regulations. The PCMCIA cards are taken out of each machine and either taken to a central tabulation facility or to remote tabulation facilities. At the tabulation facility the votes are read out of the PCMCIA cards and into a central computer database where precincts are combined to result in an aggregate vote. For remote facilities, the votes are transmitted to the central tabulation facility via a closed “Intranet”, the Internet or modem. The PCMCIA cards and any printouts from the voting machines can then become part of the official record of the election.

Security Concerns

VVPAT Cover There is an opaque cover on hinges over the VVPAT viewing window. This cover is intended to give voters with visual impairment a higher degree of ballot privacy since they use the audio ballot and do not use the VVPAT for verification. Unfortunately, this cover can be shut inadvertently or not reopened after a voter with sight impairment votes. This cover should always be open unless a disabled voter is using the TSx. In fact, the cover can easily be removed from its hinges and re-attached when necessary.

Memory Cards The TSx is susceptible to viruses transmitted through its memory card pack. Great care should be taken when handling the memory packs. A voter should never touch, remove or otherwise mess with the TSx memory pack. Poll workers should only do so after polls have closed and the election closed on each TSx terminal.

Security Seals Many jurisdictions wisely employ tamper-evident seals to indicate when a machine might have been compromised. These seals look like stickers with serial numbers on them. When removed, they change color or otherwise indicate that the seal is no longer covering the security-sensitive area it was before. It is important than any seal that reads “VOID” or similar that is still in place on a machine be reported immediately to poll workers. Places to expect security seals include over the power switch or “close polls” button, over the memory card or memory card cover and over the case seams (if someone gains access to the internals of a TSx
by removing its case they can install their own software on it).

Background2

Bob Urosevich, former president of American Information Systems, left AIS in 1995 to form I-Mark Systems. The new startup’s goal was to develop a voting kiosk that could be placed in shopping malls or other public places, with a “vote anywhere” model that eliminated the need for voters to go to their assigned polling places and had the potential to eliminate the need for pollworkers. The prototype I-Mark kiosk enclosed an IBM PC and its CRT video monitor in a laminate-covered pedestal. Input was done with a light pen (a wand the voter could touch to the screen to make selections). The PC ran Microsoft Windows 95. After the prototype had been demonstrated and certied for use in Kansas in mid 1997, a second version of the Electronic Ballot Station was built. The bulky desktop PC inside the kiosk was replaced with what was essentially laptop computer technology, an at-panel display with a touch-screen hinged to the top of a lightweight base that incorporated the computer and smart-card reader. It was marketed as the EBS model 100, and was certied for use in Kentucky in the fall of 1997.

I-Mark was acquired by Global Election Systems in 1997. As part of the acquisition, Bob Urosevich was appointed Vice President of Sales and Marketing at Global.[391] Since Global already had signicant market penetration with its Accuvote precinct-count ballot scanner, it was natural to rename the re-packaged EBS Model 100 the AccuVote-TS (for touchscreen), while the precinct-count scanner became the AccuVote OS (for optical scan). The AccuVote TS was ocially announced on November 7, 2000, simultaneously with its rst use in Mahoning County, Ohio. The announcement repeated Bob Urosevich’s vision of eventually migrating to the vote-anywhere model, while at the same time making clear that the AccuVote TS was fully functional as a stand-alone voting machine for precinct use. Diebold acquired Global Election Systems (GES) in January 2002. GES was renamed Diebold Election Systems (DES), and Robert Urosevich, who had been President of GES, became the CEO of DES.

After unsuccessful e fforts to sell the election systems subsidiary, Diebold Election System’s name was changed to Premier Election Solutions in 2007, and Premier was made somewhat independent of Diebold. On September 3, 2009 Diebold announced that the company had sold its election system business to ES&S for only $5 million. There was an immediate outcry, because the sale would have given ES&S control over more than 75% of the voting machine market. Sen. Charles Schumer (D) urged the Justice Department to probe the sale, warning that \Competition is needed to reduce chances of widespread election fraud.” About a week after the announced sale, Hart Intercivic led a lawsuit against Diebold and ES&S, claiming that the sale posed an “imminent threat of irreparable harm to other vendors like Hart.” On March 8, 2010 the Department of Justice announced that it was requiring ES&S “to divest voting equipment systems assets it purchased in September 2009 from Premier Election Solutions Inc. in order to restore competition.” Dominion Voting Systems, which purchased the assets that ES&S was forced to sell, subsequently purchased Sequoia Voting Systems.

References

Integrity of Electronic Voting Systems: Fallacious Use of Cryptography, Computer Science and Engineering Department, University of Connecticut, 2011

Top to Bottom Review, California Secretary of State (2007)
Premier Source Code Report
Premier Red Team Report
Premier Documentation Report

Ohio EVEREST Review
Premier Executive Summary
Premier Technical Manager Report
Premier Technical Details Report
Final Academic Report
Systest Technical Report

Security Analysis of the Diebold AccuVote-TS Voting Machine, Center for Information Technology Policy, Princeton University, September 2006.

Analysis of an Electronic Voting Machine, Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, and Dan S. Wallach, IEEE Symposium on Security and Privacy 2004. IEEE Computer Society Press, May 2004

Trusted Agent Report – Diebold AccuVote-TS Voting System, RABA Technologies,  Jan. 20, 2004

DRE Security Assessment, Volume 1, Computerized Voting Systems, Summary of Findings and
Recommendations
, InfoSENTRY, 21 Nov. 2003

Direct Recording Electronic (DRE) Technical Security Assessment Report, Compuware Corporation, 21 Nov. 2003

Risk Assessment Report: Diebold Accuvote-TS Voting System and Processes (unredacted), Science Applications International Corporation SAIC-6099-2003-261, Sept. 2, 2003


Sequoia Voting Systems (now owned by Dominion)


Optech 400C

Optech 400-C Tabulation Server Monitor

The Optech 400-C is a high capacity scanner used by election officials to count ballots in a central location. The Optech 400-C originally developed by Business Records Corporation and later by both Sequoia Voting Systems and Election Systems and Software. As the result of an antitrust settlement, ES&S ceased production of the Optech 400-C in 1997 but continues to service the equipment in many jurisdictions. (In jurisdictions with maintenance contracts with ES&S the equipment is often called the Optech IV-C or Model 400.) Ballots are cast in precincts and placed in ballot boxes. The ballots are then delivered by two poll workers to the central count facility, where they are fed by an election official into the 400-C. Because it is used by election officials in a secure, central location, the 400-C does not provide voters with feedback about ballot problems.

The system consists of a high-capacity scanner linked to a PC running Microsoft Windows. The 400-C uses a proprietary tabulation program, WinETP, to process the ballots that it scans. WinEDS is used to configure the ballot definition files and precinct identifiers that instruct the 400-C’s as to how to interpret each ballot voter’s ballot marks. The ballot definitions are then transferred from WinEDS to the 400-C via removable media, such as USB sticks, DVDs, or floppy disks. When the 400-C is done tallying the results for the election, the results are copied from the 400-C onto a DVD or a memory cartridge and transferred to the WinEDS server. The WinEDS server combines these results with those from any Insight and Edge units used in the jurisdiction. Finally, WinEDS generates tally reports for the election.1

Sequoia Ballot InstructionsVoting Process

1. After you check in at the polling place, a poll worker will give you a paper ballot, which you will mark with a pen or pencil. Be sure to verify with the poll worker that you are using the correct pen for the machine used in your polling place.

2. Mark your choices on the ballot by completing the arrow  (or fill in the oval on ES&S ballots) next to your candidate’s name or selection. Follow the directions carefully to be sure your mark will count.

3. To cast a write-in vote, there are two steps: first, complete the arrow (or fill in the oval on ES&S ballots) to the Write-In position in that contest. Second, write the name of the person you are voting for on the line next to the Write-In arrow. You must complete both steps to be sure your write-in vote will be counted!

4. When you have made all the choices you wish to make, review your ballot carefully. If you have made a mistake marking your ballot, ask a poll worker for another ballot.

5. . When finished making your choices, place your ballot in the ballot box. All ballots in your county will be counted at a central location after the polls close. Because your ballot is counted after you leave the polling place, you will not be alerted of any over-votes or under-votes.

IMPORTANT

Over-Votes: If a voter casts votes for more than the allowable number of candidates in a contest or cast votes for and against an issue in a contest. Over-voted races cannot be counted. In jurisdiction using a central count voting method there is no way for a voter to be notified of an overvote so be very careful to vote for only the allowable number of candidates in any contest (in most cases one). If you do accidentally over-vote and you have not put your ballot into the ballot box, you can request a new ballot from an election official. You will be asked to sign a Spoiled Ballot Affidavit. You may “spoil” up to two ballots and receive another (three ballots total). Once you drop your ballot in the ballot box, no changes can be made.

References

Top to Bottom Review, California Secretary of State (2007)
Sequoia Source Code Report
Sequoia Red Team Report
Sequoia Documentation Report

New Jersey Sequoia Systems Report (2006)

California Use Procedures for Optech IV-C (2004)

California Test Report for Optech IIP-Eagle and 400C (2004)


Optech IIIP-Eagle

Optech_EagleThe Optech IIIP Eagle originally made by Business Records Corporation and later (as a result of merger and an antitrust decision, see below) by both Sequoia Voting Systems and by Election Systems and Software. (In jurisdictions with maintenance contracts with ES&S the equipment is often called the Optech 3P Eagle.) The Optech IIIP Eagle consists of two major parts, the ballot box (blue) and the head (white). The box is just that, a secure container for the ballots the machine has counted, while the head contains the scanner and electronics. The ballot box on the Eagle and most other precinct-count ballot tabulating machines contains three compartments. One compartment holds ballots that were not scanned by the machine. This compartment is considered an emergency feature; it is intended that it be used only if the scanner does not work, and in normal use, it is sealed shut. After the polls are closed, any ballots deposited in this compartment are typically fed through a working scanner by the precinct election workers or they are subject to a hand count.

Ballots are diverted into one or the other of the two remaining compartments inside the ballot box by a software controlled diverter mechanism. One compartment is for ballots that do not require human inspection, while the other is for ballots that must be hand inspected, for example, those containing write-in votes.

Voting Process

Optech Eagle Instructions

1. After you check in at the polling place, a poll worker will give you a paper ballot, which you will mark with a pen or pencil. Be sure to verify with the poll worker that you are using the correct pen for the machine used in your polling place.

2. Mark your choices on the ballot by completing the arrow next to your candidate’s name or selection. Follow the directions carefully to be sure your mark will count.

3. To cast a write-in vote, there are two steps: first, complete the arrow to the Write-In position in that contest. Second, write the name of the person you are voting for on the line next to the Write-In arrow. You must complete both steps to be sure your write-in vote will be counted!

4. When you have made all the choices you wish to make, review your ballot carefully. If you have made a mistake marking your ballot, ask a poll worker for another ballot.

5. When done voting, take the ballot to the scanning machine and insert it face up. If you have voted for more candidates for a race than can be elected (“over voted”), the machine may reject your ballot and will offer you the opportunity to correct your mistake. You may choose to submit your ballot as is, or correct the over-vote by marking a new ballot. (If you submit as is, your votes will be counted for all races except the over-voted race.)

6. If the scanner is not working, your ballot will be secured to be scanned later.

Background1

In 1985, CESI was acquired by Texas-based Cronus Industries, Inc., and folded into their voting equipment subsidiary, Business Records Corporation (BRC). The Optech precinct-count systems were quickly certified across the country, and some election officials even used them as central count systems, primarily for absentee ballots. Cronus spun off BRC in 1990. While BRC continued to develop the Optech line, James Narey briefly flirted with launching a competing product, the Megascan. The Megascan had two important new features that improved the usability of ballot formats. One was a system of markings that allowed the scanner to operate correctly, no matter how the ballot was inserted into the machine. This made it much easier for voters to insert their own ballots directly into the scanner.

The second feature was a new form of self-clocking voting target along with new marking instructions. Earlier mark-sense forms had used index marks along the edge to identify the locations of the voting targets. The self-clocking target used two closely-spaced index marks with a gap between them. Each pair of index marks was printed in the form of a broken arrow pointing to a candidate’s name, and voters are instructed to “connect the arrow” in order to vote for a particular candidate. Connecting the index marks with a straight line darkens the target region between them, exactly where the scanner looks for votes.

This new form of target had several advantages. First, it encouraged the voter to use a horizontal line connecting the head and tail of the arrow. A scanner that moves the page vertically is more likely to sense a horizontal line than other marks. Second, placing the timing marks adjacent to the target reduced the system’s sensitivity to paper shrinkage and small printing misalignments. Of course, with millions of people trained by various educational tests to \ll in the bubble,” this new target design posed human-factors problems simply by being different. Well written instructions should have eliminated such problems, but poor explanations are common on all government forms, including ballots.

By 1989, when the U.S. government issued a patent for Narey’s new ballot arrangement, he had sold the Megascan idea to BRC. It appears that the BRC Optech III scanner was, for all intents and purposes, the Megascan. BRC understood that large jurisdictions which used precinct-count scanners also needed central-count scanners to process absentee ballots, so they developed the Optech IV-C high-speed central-count scanner.  The Optech IV-C patent, granted in 1993, clearly states the value of scanning mark-sense voting targets with visible light instead of the infrared light used by most earlier scanners.

In late 1996, BRC agreed to sell its election business to AIS, which was by then the dominant manufacturer of central-count mark-sense voting systems. The Antitrust Division of the U.S. Department of Justice intervened, delaying the merger while they found a way to prevent the merged companies from forming an effective monopoly. The merger was finalized in 1997 after BRC sold the rights to the technology behind the Optech line of scanners to another vendor, Sequoia Pacific Systems. After this sale, the merged companies were reorganized as Election Systems and Software (ES&S). As a result of the agreement with the Justice Department, both ES&S and Sequoia supported the Optech scanner line, although Sequoia changed the product names to the Optech 300-P and Optech 400-C. Aside from the name change, the ES&S and Sequoia systems were essentially identical. ES&S, however, continued development of their own precinct-count scanner (Model 100), because they were forbidden to sell Optech scanners to new customers by their agreement with the Justice Department.

References

Security Evaluation of ES&S Voting Machines and Election Management System, Adam Aviv et al,USENIX, 2007

Voting System Security Review: Hart InterCivic eSlate, Diebold TSx/GEMS, AutoMARK/ES&S 100, Michael Shamos, 2006

New Jersey Sequoia Systems Report, 2006

California Use Procedure Manual for the Optech IIIP-Eagle, 2004

California Test Report for Optech IIP-Eagle and 400C, 2004


Optech Insight

The Optech Insight and the Optech Insight Plus are optical scan machines, which are used to read and tabulate ballots at the polling place. According to the California Secretary of State’s 2007 Top-to-Bottom Review of voting systems, the major difference between the Insight and the Insight Plus is that the Insight Plus has an LCD screen for displaying messages to voters. On both models, there is also a small four-digit LED screen that shows how many ballots have been accepted since the polls opened.

The Optech Insight consists of an electronic ballot counting device which reads completed ballots by scanning for the voters’ marks indicating their preferences. The scanner sits atop a ballot box. The Optech Insight also tabulates the results after the polls close, which are both printed on a paper copy and stored to an internal memory card. The Insight runs off both internal and external power to reduce the risk of malfunctions, and it can store voter data on an internal memory card.

Voting Process: Upon entering the polling place, the voter will receive a paper ballot. The voter makes choices on her ballot by connecting an arrow next to her choice of candidate or issue position.

The voter inserts the ballot into the scanner at the top of the device, which reads the marks on the ballot. If the voter has overvoted (voted for more candidates than eligible), the Insight will eject the ballot for the voter to review again, or deposit the ballot into the ballot box. If the voter has cast a write-in vote, the scanner will feed the ballot into a center bin so that pollworkers may process the write-in votes. Ballots that require no review by pollworkers are deposited into a rear bin. A front, auxiliary bin is available in case the machine is not functioning during polling hours; voters deposit ballots into the auxilary bin manually, but they will not be able to use the auxilary bin unless pollworkers have unlocked it.

As votes are entered, the Optech Insight stores the vote tallies on its internal memory card, and when the polls close, the Optech Insight prints out a paper copy of the election results for polling officials. The Insight has an optional modem for transmitting election results, and can also transmit results via a proprietary Sequoia device called a Hybrid Activator and Accumulator (HAAT). The HAAT accumulates results from machines in a polling place, and transmits them to the jurisidiction’s central election office via a wireless cellular network.

A Voter Demo from San Francisco CA:

A Pollworker Training Video from San Francisco CA

Security Concerns

Security Seals Ideally, the Insight’s exposed ports, memory card access areas, ballot box doors and case seams would be covered with tamper-evident security seals. The integrity of these seals should be maintained at all times, and only breached under controlled, explained circumstances. Seals should be logged to maintain chain of custody of sensitive materials.

Ballot Box Access Optical scan systems have at least one and possible more ballot boxes. Each ballot box should be inspected by a voter at the beginning of voting to make sure that they are empty. These ballot boxes should locked and/or be sealed with tamper-evident tape.

Keys The keys for the Insight and Insight Plus models are the same for all machines and are easily pickable with readily available tools. Care should be observed around the ballot box lock and the scanner key lock (turns the system off and on).

Removable Memory Card is Sensitive Corrupt memory cards may be able introduce viruses, cause the main election server to crash and falsify votes. Access to the memory card should be controlled, monitored and logged at all times.

System Chip is Sensitive The main software chip on the Insight, the HPX chip, is easily replaceable with minimal access to an Insight scanner. A malicious HPX chip could count votes incorrectly, selectively accept or reject ballots and ignore system software updates.

Correct Inks Some models of the Optical Scan systems have trouble reading red inks or inks with red in them. Voters should use the writing instrument provided at the polling place or, if voting at home, black ballpoint pen that does not bleed through paper.

References

Top to Bottom Review, California Secretary of State (2007)
Sequoia Source Code Report
Sequoia Red Team Report
Sequoia Documentation Report


AVC Advantage

The Sequoia AVC Advantage is a poll worker-activated full-face direct recording electronic voting system with a touch-sensitive matrix of switches that voters push to indicate their choices. Voting records are recorded internally to battery-powered RAM. Poll workers activate the machine using an operator panel on the side of the machine to choose the ballot style and voters make choices by touching a black arrow next to their choice. A record of the vote is then recorded internally to three sets of battery-powered RAM memory. The primary input device used by the voter is a large panel, containing a two-dimensional array of buttons and lights. This panel is covered by a sheet of paper on which contests and candidate names are printed. Markings on the paper are placed over the buttons that are to be pressed for the corresponding candidates; the lights on the panel, when lit, are visible shining through the paper. On the side of the machine, an “operator panel” contains additional buttons and an LCD alphanumeric display with two rows of 24 characters each. During an election, before each voter can vote, a pollworker must press a button on the operator panel to “activate” the machine to accept votes.

The DRE ballot is laid out so that, to the layman, there is an intuitive connection between the candidate’s name (shown on a printed ballot sheet) and the input device (a button behind a sheet of plastic). In the hardware of the voting machine, however, there is no direct connection between the button and the vote counter. Observing the click of a button and accumulating a corresponding candidate total is totally under software control. Since there is no inherent internal connection between the buttons and the totals kept in memory and reported at the end of the election, erroneous or malfeasant software can readily add to the wrong total or make some other error at any time during an election, thereby misrecording votes. Even though the software produces a so-called “audit trail” of the results, it can always display an “audit trial” consistent with its fraudulent results, and report that it has performed correctly.

At the close of the polls, the AVC Advantage communicates vote totals to election officials and to the public: it prints a paper printout of candidate totals, it writes these totals (along with a record of the votes cast in each ballot, the “ballot image”) to a Results Cartridge, about the size of a VCR tape, that is then removed from the voting machine. Finally, it keeps these totals (with the ballot images) in its internal memory. Election workers can extract this information from the AVC Advantage by using the menu buttons on the Operator Panel: the machine can be instructed to print the internally stored data onto its printer, or copy it to a fresh cartridge.1

Voting Process: The voter enters the polling place and is given a voting ticket after confirming that the voter is registered. The voting ticket is a colored piece of paper with two identical and unique numbers. The voter hands their ticket to a poll worker operating an Advantage voting machine and then tears the voting ticket in half and hands one half back to the voter. The poll worker uses an operator’s panel on the side of the machine to choose the ballot style appropriate for that voter depending on the color of their voting ticket. The voter enters the curtains (see picture above) and verifies that their ballot is the right one by comparing the color of their ticket to a LCD screen in the lower-right corner of the front of the voting machine. Then the voter votes by pressing a black arrow next to each choice in each race on the ballot. Blinking lights above each race indicate that no choice has been made in that race. If the voter tries to choose more than one choice in a given race (over-voting), the machine will ignore the second choice. To change a selection, voter can press the black arrow by the incorrect choice to deselect it, then select the correct choice.

When done voting, the voter presses a “Cast Vote” button in the lower-right corner of the voting machine. It is very important that the voter does not push the vote-casting button until they are done voting; a vote inadvertently cast can likely not be redone. The vote is recorded internally to three sets of battery-powered RAM, one of which is on a removable cartridge. The vote records are stored in a manner similar to a ballot image.

When the polls close, poll workers remove cartridges of battery-powered RAM containing the vote records from each machine. At this point, depending on local election procedure and regulations, the cartridges can either be physically transported to a tabulation facility or their data can be sent over a modem. At the tabulation facility, the votes from all cartridges and precincts are read into vote tabulation databases and combined to result in an aggregate vote tally. In order to send vote records over a modem, a cartridge reader must read out each cartridge and then a modem in the cartridge reader can be used to transmit the votes over telephone lines. The cartridge reader can also print out a results tape of all votes cast in a precinct. The total tape and cartridges can then become part of the official record of the election.

 A Voting Demo from Bergen County NJ

 A Video about the AVC Advantage from NJTodayOnline:

Security Concerns

Security Seals Ideally, the Advantage’s exposed ports, memory card access areas and case seams would be covered with tamper-evident security seals. The integrity of these seals should be maintained at all times, and only breached under controlled, explained circumstances. Seals should be logged to maintain chain of custody of sensitive materials.

Broken Buttons, Broken Lights As mentioned above the Advantage is a “buttonmatrix” DRE where the voter presses a button over which the machine’s paper ballot face is placed (under a plastic cover). A light lights up next to each selection by the voter. These buttons and lights, especially the frequently used ones in Federal races, can break or burn-out. If you see evidence of this – e.g., a light not lighting up after multiple button presses – you should request that the machine be pulled from service or that the button in question be serviced.

Fleeing Voters/Premature Voting Some voters can be easily confused in that they press the vote button too early or not at all. If a voter complains that they only were able to vote on the first few races, they probably pressed the vote button before they were finished voting their ballot. Unfortunately, there’s not much to be done here other than emphasize that voters should make sure that they press the vote button only after they are certain they have voted as they want to in all races on the ballot. If a voter neglects to press the vote button and leaves a valid ballot on the machine, poll workers will probably have procedures to deal with this problem. We recommend that a poll worker reach in between the curtains and simply cast this vote.

Incorrect Ballot Style The Advantage can accommodate a number of different ballots, for different precincts, by disallowing voters to vote in contests for which they are not eligible. If a voter complains that their party (in a primary) races are not activated or that local races specific to their precinct are not activated, the poll worker probably pushed the incorrect ballot style option. The poll worker should cancel that ballot and activate the correct one.

Incorrect Totals Tapes The Advantage has been shown to incorrectly add up the number of voters given a particular ballot style when compared to the number of votes cast.

Sensitive Disability Access Panel The disability access panel on the Advantage is particularly sensitive. Viruses and other malicious programs, including some that could change vote data, could easily be introduced through the ADA accessibility interface. The flash memory used for audio files to accommodate voters with visual impairment should be sealed with tamper-evident seals and monitored at all times.

Misleading Activation When the Advantage is not activated to vote a valid ballot, it will still go through the motions in a way that will confuse voters into
thinking that they ballot was cast. It even goes as far as to say, “Vote recorded — thank you!”, despite the fact that it couldn’t have recorded the ballot since it was not activated to do so.

Background:2

The Sequoia AVC Advantage was introduced in 1990. James Bleck led the design team that led design patents on the machine in 1988.[94,95] Sequoia had purchased the voting machine division of AVM Corporation in 1984 and acquired not only a portfolio of patents for electronic voting machines, but also the AVM Automatic Voting Computer, a machine that had been certified for use in New Jersey and Pennsylvania in 1982. The machine appears to have been based on AVM’s final patent for an electronic voting machine, granted to Thomas De Phillipo in 1977, and is an obvious predecessor of the Sequoia AVC Advantage. None of the AVM patents demonstrates the sophistication in physical design of the AVC Advantage.

References

The New Jersey Voting-machine Lawsuit and the AVC Advantage DRE Voting Machine, Andrew W. Appel et al, 2008

Insecurities and Inaccuracies of the Sequoia AVC Advantage 9.00H DRE Voting Machine (2008)

UCSD: The Case of Return-Oriented Programming and the AVC Advantage, 2009


AVC Edge

The Sequoia AVC Edge is a touch screen direct-recording electronic voting machine. It is a multilingual voting system activated by a smart card and  records votes on internal flash memory. Voters insert a “smart-card” into the machine and then make their choices by touching an area on a computer screen, much in the same way that modern ATMs work.The votes are then recorded to internal electronic flash memory. When polls close, the votes for a particular machine are written to a PCMCIA card which is removed from the system and either physically transported to election headquarters or their contents transmitted via computer network.

The AVC Edge has a 15-inch LCD touchscreen that displays the ballot; allows voters to make selections and navigate the ballot; and provides an interface for testing, maintenance, and opening and closing the polls. On the front of each Edge unit is a slot for a smart card (also known as a “vote activation card”). A voter must have an activated smart card in order to begin voting. After the voter casts his or her ballot on the Edge, the smart card is deactivated and returned to a pollworker. This prevents one voter from voting multiple times.

The back of the Edge contains the power switch and a switch that opens and closes the polls on that particular voting machine. The cover for the poll function switch accommodates a tamper-evident seal. Also on the back of each Edge unit is a yellow “Activate” button, which can be used to switch the Edge into different operating modes. Finally, the backside of the Edge has a small LCD screen (two rows of 20 characters) that displays diagnostic and error messages. Sequoia uses a proprietary operating system for the Edge. Similarly, the firmware that the Edge uses to control the hardware and to allow voting are proprietary applications. The Edge also contains three serial EEPROMs (electronically programmable read-only memory), which store permanent configuration information about the Edge unit as well as ballot counters. One of these EEPROMs is the “configuration ROM,” which holds information to identify the machine and the customer and also contains a “cryptographic seed value.” The other EEPROMs hold a public counter (a counter that is reset at the beginning of each election) and a protective counter (a counter that is incremented each time a vote is cast and is never reset).

The ballot definition and audio files to assist visually impaired voters are programmed on a WinEDS election management system server and stored on the Results Cartridge. Prior to an election, the Results Cartridge is inserted into the Edge’s Results Port and covered by a plastic door, which is sealed with a tamper-evident seal. The Results Cartridge also stores the Audit Trail, which consists of ballot images, ballot summaries, and the event log. The Edge also stores a copy of the Audit Trail in the internal Audit Trail memory. If the Results Cartridge is lost, damaged or destroyed, it can be recovered from this internal memory. Event logging for the Edge is always turned on; it cannot be disabled.

At the close of an election, a pollworker may print the audit log on a VVPAT. Alternatively, or in addition, election officials may access the event log stored as part of the Audit Trail on the Results Cartridge. Several other devices support the Edge. First, the Card Activator processes the smart cards (also known as “vote activation cards”) that voters use to access the Edge. After each use of a smart card, the Card Activator prepares the card for use by another voter. Before an election, each Card Activator must be prepared with the ballot definitions and other information appropriate for the precinct in which it will be used. An alternative to the Card Activator is the HAAT (Hybrid Activator, Accumulator, and Transmitter). There are two models of the HAAT, Model 50 and Model 100.

A Voter Demo Edge without VVPAT from York County PA:

A Pollworker Training Video from San Francisco CA:

Voting Process: When the voter enters the precinct, he or she is given a “smart-card” by a poll worker after confirming the voter is registered. A “smart-card” is a card the size and shape of a credit-card which contains a computer chip, some memory and possibly basic data such as the voter’s political party. The voter then takes the smartcard to a voting machine and inserts the smart-card into the yellow slot visible in the middle picture above. The first screen presented to the voter is one that allows him or her to choose the ballot language. After using the touchscreen to vote, 1) the record of the vote is directly recorded electronically to two flash memory cards and 2) the voter’s smart card is reset to ensure that the voter can only vote once. The AVC Edge may also be equipped in some precincts to print a voter-verifiable paper audit trail using the VeriVote printer. In this case, the voter will inspect the printout which is displayed underneath glass. If the paper accurately reflects the vote, the voter indicates so using the touchscreen and casts the vote; the printed paper is withdrawn into the machine to protect privacy. If the paper is incorrect, the voter may mark it as spoiled and change his or her vote using the touchscreen interface. After the vote is cast, the smart-card pops out of the machine and the voter returns it to a poll worker.

Checking the Voter-Verifiable Paper Trail: The Edge’s optional voter-verifiable paper-trail printer is called the VeriVote. The VeriVote printer is a cash-register type printer and is located to the left of the touch screen. Jurisdictions which use the Edge but do not equip their machines with the VeriVote include the state of Louisiana.

Spurred by the testimony of computer scientists at a hearing inSanta Clara County CA in January 2003, Sequoia Voting Systems was the first major vendor to produce a VVPAT retrot for their touch-screen voting machine, the Sequoia AVC Edge. A team led by John Homewood led for a provisional application in the Spring of 2003 and a full patent application in early 2004. The Sequoia system uses a thermal printer and a roll of cash-register receipt tape. After each voter completes a ballot on the display screen, the printed choices are displayed behind a glass window for voter approval, and then rolled onto a take-up reel before the next voter enters the voting booth. Unlike the Avante Vote Trakker, the tape is not cut after each ballot is printed. The Premier/Diebold AccuView VVPAT mechanism and the Hart Intercivic VBO also use thermal paper.1

When the polls close, a poll worker or election official inserts a different-type of smart card, an administrator card, into each voting machine and puts the machine into a postelection mode where it will no longer record votes. At this point, the machine writes the votes from its internal memory to flash memory on a PCMCIA card, a removable form of flash memory. A printed tape of all votes cast or vote totals for the voting machine can also be printed out at this time depending on local procedure and regulations. The PCMCIA cards are removed from each machine and either taken to a central tabulation facility or to remote tabulation facilities. At the tabulation facility the votes are copied from the PCMCIA cards and into a central computer database where precincts are combined to result in an aggregate vote. The votes may also be transmitted to the central tabulation facility via a closed “Intranet”, the Internet or modem. The PCMCIA cards and possible any printouts from the voting machines can then become part of the official record of the election.

Security Concerns2

Researchers contracted by the California Secretary of State for the State’s Top to Bottom Review in 20073 found significant security weaknesses throughout the Sequoia system. The nature of these weaknesses raises serious questions as to whether the Sequoia software can be relied upon to protect the integrity of elections. Every software mechanism for transmitting election results and every software mechanism for updating software lacks reliable measures to detect or prevent tampering. These weaknesses, and their implications, in Chapters 3 and 4 of the Source Code Report.

In certain cases, audit mechanisms may be able to detect and recover from some attacks, depending on county-specific procedures; other attacks may be more difficult to detect after-thefact even with very rigorous audits. There were numerous programming, logic, and architectural errors present in the software we reviewed. Some of these errors may be relatively harmless and reflect the large size and heterogeneous nature of the codebase. But other errors we found clearly have serious security implications. Many of the most significant vulnerabilities we found — those likely to be especially useful to an attacker seeking to alter election results — arise from four pervasive structural weaknesses:

Data Integrity The Sequoia system lacks effective safeguards against corrupted or malicious data injected onto removable media, especially for devices entrusted to poll workers and other temporary staff with limited authority. This lack of input validation has potentially serious consequences, including:

– Precinct election results stored on DRE Results Cartridges and optical scan memory packs are not effectively protected against tampering. A poll worker with physical access to a Results Cartridge or MemoryPack before results are counted (e. g. when returning results to the county elections board) can change recorded votes, and, in some cases, can introduce spurious results for other precincts. Under some conditions, a corrupted Results Cartridge may be able to cause damage to the WinEDS system itself when it is loaded for vote counting.

– The safeguards against introduction of corrupt firmware into the precinct voting hardware are largely ineffective. An individual with even brief access to polling station hardware can tamper with installed firmware in a way that causes votes and paper trails to be recorded incorrectly, security logs to be corrupted, or ballots to be presented to voters incorrectly. Under some configurations and conditions, corrupt firmware may be able to be spread virally from compromised hardware and may persist across more than one election.

Cryptography Many of the security features of the Sequoia system, particularly those that protect the integrity of precinct results, employ cryptography. Unfortunately, in every case we examined the cryptography is easily circumvented. Many cryptographic functions are implemented incorrectly, based on weak algorithms with known flaws, or used in an ineffective or insecure manner. Of particular concern is the fact that virtually all cryptographic key material is permanently hardcoded in the system (and is apparently identical in all Sequoia hardware shipped to different jurisdictions). This means that an individual who gains temporary access to similar hardware (inside California or elsewhere) can extract and obtain the secret cryptographic keys that protect elections in every jurisdiction that uses the system.

Access Control The access control and other computer security mechanisms that protect against unauthorized use of central vote counting computers and polling place equipment are easily circumvented. In particular, the security features and audit logs in the WinEDS back-end system (used for ballot preparation, voting machine configuration, absentee ballot processing, and post-election vote counting) are largely ineffective against tampering by insider attackers who gain access to WinEDS computers or to the network to which the WinEDS computers are attached.

Software Engineering The software suffers from numerous programming errors, many of which have a high potential to introduce or exacerbate security weaknesses. These include buffer overflows, format string vulnerabilities, and type mismatch errors. In general, the software does not reflect defensive software engineering practices normally associated with high-assurance critical systems. There are many instances of poor or absent error and exception handling, and several cases where the software behavior does not match the comments and documentation. Some of these problems lead to potentially exploitable vulnerabilities that we identified, but even where there may not be an obvious vulnerability identified, the presence of such errors reduces our overall confidence in the soundness of the system as a whole.

References

Security Evaluation of the Sequoia Voting System Public Report, Computer Security Group, Department of Computer Science, University of California, Santa Barbara (2008)

New Jersey Institute of Technology AVC Edge Report (2007)

Top to Bottom Review, California Secretary of State (2007)
Sequoia Source Code Report
Sequoia Red Team Report
Sequoia Documentation Report

DRE Security Assessment, Volume 1, Computerized Voting Systems, Summary of Findings and
Recommendations,
” InfoSENTRY, 21 Nov. 2003

Direct Recording Electronic (DRE) Technical Security Assessment Report,” Compuware Corporation, 21
Nov. 2003


Unilect Corporation


Patriot

The UniLect Patriot is a multilingual electronic voting system on which the voter presses on-screen to indicate his/her preference. Election officials program ballot information at a central location, load election data into an “InfoPack” which is then inserted into a Precinct Control Unit (above right). Individual terminals are connected together into the PCU to receive ballot data. Patriot voting devices, include a standard punch card type voting booth that folds up into an attache case.  The Voter Unit may contain either a 10.4″ (diagonal measurement) black and white screen or a 15″ color screen with 256 available colors. One precinct control unit (PCU) per precinct (30 lbs.), has an election worker control panel covering all aspects of running the activities in the precinct, a printer which allows the printing of precinct results as soon as the polls close, a battery to assure proper operation when “wall” electricity becomes unavailable, an InfoPack which contains the brains of the ballot as well as final vote totals, and an internal modem for direct transfer of totals from a standard telephone in the precinct to the Patriot Central Station, in the election office.

Voters make selections by pressing the box surrounding a candidate’s name, navigating through ballot pages by means of navigation buttons, review their ballots by means of a summary screen, and can go back and change selections before casting their final votes. Vote data is stored in redundant memory inside each terminal. After polls close, vote data is loaded back into the PCU and can then be transmitted via modem to a tabulation center.  Alternatively, the InfoPack” (which store the vote data from all of the terminals at the polling place) can be removed from the PCU and taken to a tabulation center.

Ballot information is generally programmed by city or county election officials and later delivered to polling places.  In order to create the ballots that will be used on the Patriot terminals, a menu-driven program is used to prompt the entry of all offices, candidates and propositions in order to “code” the election.  Election officials have the option to print out the ballot on paper for proofreading purposes. Ballot data is transferred to polling places in the form of an administrator interface loaded with precinct-specific data.  By placing an “InfoPack” (a little larger than a pack of cigarettes) into the “InfoPacket” attached to the PC, the necessary ballot instructions are electronically transferred from the election supervisor PC to the InfoPack (about 5 seconds). It is then inserted into the Precinct Control Unit (“PCU” – see above photo) for the appropriate precinct. It is tested, sealed and sent to the precinct along with the prescribed number of Patriot Voting Devices.

In order to load the proper ballots into the Patriot terminals, the precinct workers place the PCU on the table and set up each booth. These are then connected from one to another by a cord similar in size to a lamp cord. The PCU is then turned on. With the PCU in front of them, one of the precinct workers breaks the seal on the “Open Polls” latch, slides it open, and touches the red button underneath.  This immediately causes the printer to print a report showing all the candidates with zero totals.

Most jurisdictions using the UniLect Patriot for polling place voting emply Unilect software for tabulating absentee ballots. Unilect software is used in configuration with the VMR 138, a consumer off the shelf high speed printer made by Peripheral Dynamics. The Unilect Patriot has also been submitted for state certification in configuration with two other scanners, described as Model 1000 (high speed) and Model 20 (single feed).

Voting Process: After checking in at the polling place, a poll worker assigns the voter to a specific Patriot voting terminal. Where available, the voter selects his or her preferred language by pressing the appropriate on-screen button. The voter makes each candidate selection by touching anywhere in the box containing that name.  As each is selected, a red “x” appears next to the candidate’s name.  The voter may navigate forward or back through ballot screens by touching the appropriate navigation boxes at the top of the screen. If a mistake is made, the selected candidate’s box may be touched again (de-selecting him or her), and the new candidate selected. Write-ins may be electronically entered by touching the “Write-In” box for a particular office.  Immediately the screen changes to display an alphabet, and the write-in name may be spelled by touching the proper letters.

When finished voting, the voter presses the “Review Choices” on-screen button.  The summary screen will display the voter’s selections made to this point and will highlight those offices which were not completed by the voter.  At that point, the voter may press the “Make Ballot Changes” button to return to the ballot or “Record Ballot Now” button to cast his or her ballot. After the “Record Ballot Now” button is pressed, a green screen appears informing the voter that his or her ballot has been cast.

Unilect offers several accessibility features associated with the Patriot, although it is unclear if these features are readily available and installed on each terminal.  These include the ability to disconnect and move terminals to enable “curb-side” voting, headphones and different shaped response buttons to facilitate voting by the sight-impaired, etc.

Post-election Procedures: At the end of the election day, a seal is broken on the “Close Polls” latch, opened and an exposed red button is touched. Several copies of the final precinct report are automatically printed, showing the candidates and their vote totals.  Presumably, vote data is at this stage transferred back from the terminals to the PCU.  Where a standard telephone line is available, the line is inserted into the phone jack of the Precinct Control Unit.  All precinct totals are then transmitted directly to the Central Office PC.  It is unclear whether this process is automated or whether poll workers must take affirmative action to initiate this upload.  Another seal is then broken and the InfoPack is removed in order to be taken to a tabulation center.

At the tabulation center, each InfoPack (for precinct totals not sent by telephone) is inserted into a central PC equipped with the Patriot InfoPacket for a five (5) seconds to load the totals into the PC.  Throughout election evening, summary reports can be printed showing all of the up-to-the-minute totals as they are received (including all write-ins).

Carteret County North Carolina 2004

UniLect Patriot DREs were used in Carteret County, North Carolina for early voting in the 2004 election. Because the machine had a storage capacity of only 3005 ballots and the number of early voters far exceeded the machine’s capacity, 4438 ballots were lost. Only 2287 votes separated the Republican and Democratic candidates for state Agricultural Commissioner, and a rerun of the Agricultural Commissioner election seemed an obvious solution. The State Board of Elections’ decision to hold a revote in Carteret County only was struck down by the court. The Board of Elections then called for a statewide revote. That, too, was struck down, and the bitterly divided Board was ordered to resolve the election some other way. Eventually, 1352 affidavits were collected by the leading candidate from voters claiming to have voted for him.1 Since there were enough affidavits to guarantee the election of the leading candidate, and since the judge appeared ready to accept the affidavits, the other candidate conceded. This may be the first time that an election in the United States was decided by affidavits.2 The UniLect Patriot was decertified in Pennsylvania in 2005 and is now used only in Virginia.

Security3 The very design of Patriot makes it inherently much more secure than many competitive products. By not networking the Voter Units, using no operating system on the PCU and attaching no keyboard to either, the opportunities for malicious attack are significantly reduced. This does not mean that the system is invulnerable, however. At the Central Station, a capability for “manual edit” of vote totals is provided. This means nothing less than the ability change vote totals to any desired numbers. It is true that any totals must conform to the canvass, but this is commonly not understood by the public and is not understood at all by the legion of computer scientists who have criticized DRE voting as inherently unsafe. Nevertheless, the public perception that an insider can alter vote totals, even if those totals are not used to declare an official winner, makes it imperative that it be prevented.

The vendor pointed out that any effort to change totals would be logged in a log file, so we explored that path during the examination. The “log,” both on the PCU and the Central Station, consists of a file of information. On the Central Station, this is an unencrypted text file that is editable by the user. It is possible, therefore, for someone to alter the vote totals and then edit the log to remove any mention of the change. Furthermore, the log only records events that are initiated through the Patriot software. Functions performed through the Windows operating system interface, such as copying, deleting or substituting a file, are not logged at all. So another way of altering vote totals is to replace the totals file by another, and this will also not be logged.

The precinct log, maintained at the PCU, is rudimentary. It does not record each event of voting, but only gross milestones such as the opening and closing of polls. It is not possible to tell from the log, for example, how many voters voted. It also contains no record of provisional voting at all.  A solution to the problem of log file editing is to keep the log on a write-once device, such as a CD-R or a paper printer. In an implementation provided by UniLect in Texas, a paper log printer must be connected to the Central Station and no functions can be performed if the printer is not in “ready” condition. In this way it is not feasible to alter log records, although certain events can transpire that would still not be logged.

Reliability Among the complaints received about the Patriot system is that the touchscreen does not function reliably. That is, when a voter touches the screen, the touch is not necessarily sensed, which results in the voter incorrectly believing that she has cast a vote. This behavior was observed during the examination, when sometimes multiple depressions did not result in the touch being sensed. The vendor explained that the screen is made up of a large number of individual “pouches” and that it is necessary to press a pouch in order for the vote to be detected. At times, the voter may touch the screen between two pouches, which has no effect.

While it is satisfying to some degree to understand why the screen does not always function, such an explanation would be of little solace to a voter whose choice was ignored as a result. The screen is supposed to have 44 voting positions that can be sensed. These are not marked on the screen and the vendor stated that there is no effective procedure for testing whether all 44 positions are working.

A different but possibly related problem is that the system occasionally enters a mode in which no touch at all can be recorded anywhere on the screen. This behavior can be observed in the Pennsylvania re-examination in 2005. The screen froze up and would not respond to any input. While the vendor did not respond to entreaties to explain what he was doing or what the nature of the problem might be, his solution was to disconnect the non-functioning unit. I was not able to determine whether the condition was caused by a malfunction of the screen hardware or whether it was a software problem. Nevertheless, it was consistent with reports that have been received concerning DRE screen failures.

References

UniLect Patriot Evaluation, Michael Shamos for Pennsylania Secretary of the Commonwealth, 2005

First Re-examination of the UniLect Patriot, Pennsylvania Secretary of the Commonwealth, April 2005

Second Re-examination of the UniLect Patriot, Pennsylvania Secretary of the Commonwealth, May 2005


Unisyn Voting Solutions


OpenElect

The OpenElect Voting Optical (OVO) is a precinct-level, full-page, dual-sided optical scan ballot system, which scans and validates voter ballots and provides a summary of all ballots cast. The election is loaded from the OVS Election Server over a secure local network or via a USB thumb drive. On Election Day, an OVO at each polling location scans and validates voters’ ballots, and provides precinct tabulation and reporting. The OVO unit is also paired with the OVI for early voting to scan and tabulate early voting ballots. OVO units can also be used at election headquarters to read absentee, provisional, or recount ballots in smaller jurisdictions The OVO consists of the following components: a Personal Computer (PC), Transport Media, Ballot Reader, Printer, and an Uninterruptible Power Supply (UPS).

OpenElectOVI_2The OpenElect Voting Interface (OVI) supports both ADA and Early Voting requirements. The OVI enables voters during early voting to cast regional ballots and voters with special needs to prepare their ballots independently and privately on Election Day. The OVI unit features a 7-inch or optional 15-inch full-color touch screen display that is easy to read, making voting simple and error free. The OVI will present each contest on the correct ballot to the voter in visual and (optionally) audio formats. The voter with limited vision navigates through the ballot using the audio ballot and the ADA keypad or touchscreen input to make their selections. The voter validates his or her selections by listening to the audio summary, printing the ballot, and inserting it into the OVO.

The OVI facilitates special needs voters through a variety of methods including wheelchair access, sip & puff, zoom-in ballot function, and audio assistance for the visually impaired. The OVI provides for write-in candidates when authorized by the jurisdiction. Voters input candidates’ names via the ADA keypad, touchscreen or sip & puff device. Each OVI can support multiple languages for both visual and audio ballots, allowing the voter to choose their preferred language.

 

OpenElectOVCSThe Open Elect Voting Central Scan (OVCS) is a bulk scanner designated to read absentee and provisional ballots, and to perform recounts. The OVCS also captures Write-In data images and produces a Write-In image report for manual processing upon request. The OVCS consists of the following components: a Personal Computer (PC) Desktop and Bulk Scanner, typically a Canon DR-X10C.

Voting Process:
Once you have checked-In at the pollbook station and received your ballot go to a Ballot Marking Booth where a pen will be provided for you to mark your ballot. Follow the instructions at the top of your ballot. Fill in the oval to the right of the candidate’s name of your choice. If you are writing-in a candidate’s name please be sure to fill in the oval to the right of their name. Once you have marked your ballot take it to the OVO Scanner and insert it. (You may feed the ballot upside down to insure your privacy.) Wait until the scanner light turns from green to red back to green and the OVO screen thanks you for casting your ballot.


Search


State Audit Laws


State of Michigan Electronic Pollbook (EPB)

mi_epb_600403The State of Michigan Bureau of Elections decided to build their electronic pollbook (EPB) from scratch after an initial project in 2005-2006, with a full commitment to the project beginning in 2008. The EPB software is a unique download from the Qualified Voter File (QVF) software that can be loaded on to a laptop prior to each election. The software allows election inspectors to look up a voter’s registration record, confirm their registration is correct and assign a ballot to that voter, essentially automating the typical paper process. After the election is complete, the EPB software will generate reports to complete the official precinct record (paper pollbook) and a voter history file that can be uploaded into the QVF software to update voter history in a matter of minutes.

swipingcardThe EPB software runs on a consumer-off–the-shelf laptop (the State has specifically tested Dell Inspiron 15 3000 Series, and Dell Latitude E5440) running Windows 7,8,9, or 10. The QVF data is uploaded from a flash drive – the bureau of elections offers specific instructions for Verbatim and Bitlocker flash drives. Voters can have their driver license scanned or ask the pollworker to type their name to retrieve their registration information as some forms of id (e.g. student identification cards) cannot be read by scanner.

Michigan estimates that it pays about $600 per laptop computer and costs for development of the EPB system were less than $100,000. State and local officials are very pleased with the system, particularly because it is tailored to their needs. It has generally improved efficiency at the polling place and saves local election officials significant time by allowing for upload of voter participation directly into the statewide voter registration system.

Like Iowa’s system, the Michigan EPBs include on-screen instructions that guide the poll workers through the process, based on state laws. Michigan officials have noted that they feel that current commercially-available EPBs products are too generic and require considerable work to link with their statewide voter registration system. They emphasized that, despite representations made by some vendors, EPBs are not just “plug and play” systems. Vendor delivered EPBs require significant effort to initially configure and deploy, as well as additional effort to update as election laws and procedures change.1

The Michigan Bureau of Elections provides a wealth of information on its website, including an Operator Manual as well as other documents related to the use of EPBS.

Introductory viedo from the Michigan Bureau of Elections:

Training Video for Voter Check-In from the Michigan Bureau of Elections:

A series of e-pollbook tutorial videos can be viewed on YouTube here.


Still Work To Be Done

Still Five All-DRE States in 2017


Stock Donations to Verified Voting

Gifts of securities offer significant tax advantages for supporters of Verified Voting and are easy to make
Click here to make a stock gift or contact us at the number below for more information:

John DeCock
Executive Director
415-320-7736
johnd@verifiedvoting.org

Why Make A Stock Gift?

Most people are surprised to learn just how simple it is to donate appreciated securities. If you hold stocks, bonds or mutual funds that have risen in value, and you have held them long term (more than one year and one day), you can consider using them to make a gift.

Why might a stock gift be right for you? First, a donation of appreciated securities qualifies you for a charitable income tax deduction for the full fair market value of the security on the gift date. This amount may be generally deductible up to 30 percent of your adjusted gross income (always consult your tax advisor about your specific situation). When you transfer the securities directly to Verified Voting Foundation, you won’t incur capital gains tax. This allows you to gain a greater tax benefit than if you simply sold the securities yourself and donated the cash from the sale. Consistent with regulations covering stock gifts, Verified Voting Foundation receives the stocks then sells them and uses the proceeds to fund our work. It’s that simple. There is no minimum donation for an outright gift of stock.

Just follow the simple directions below:

Donating Stocks

Stock gifts can be directly transferred to our account at Charles Schwab. There are two accounts, one for Verified Voting Foundation (tax deductible) and one for VerifiedVoting.org (non-tax deductible). The account information for each account is shown below:

Verified Voting Foundation Securities Broker:
Charles Schwab
PO Box 52114
Phoenix, AZ 85072-2114
800.435.4000
DTC #: 0-164
Our account #: 9148-7174
Verified Voting Foundation
Federal Tax ID#: 20-0765743
Account type: Corporation
501(c)(3) Tax-Deductible
VerifiedVoting.org Securities Broker:
Charles Schwab
PO Box 52114
Phoenix, AZ 85072-2114
800.368.2704
DTC #: 0-164
Our account #: 6258-8777
VerifiedVoting.org
Federal Tax ID#: 20-0665713
Account type: Corporation
501(c)(4) Non Tax-Deductible

1. Provide written gift instructions to your bank or broker.

A sample communication might read:

“I wish to make a donation of “x” shares of “XYZ” Corporation. Please transfer the stock to Verified Voting Foundation via DTC as follows:” (Here you will provide the account information shown above, depending on whether your gift is to Verified Voting Foundation or Verified Voting.org).

2. Please send a copy of this correspondence Verified Voting Foundation:

By email: stockgifts@verifiedvoting.org

By regular mail:

Verified Voting Foundation
PO Box 460550
San Francisco, CA 94146

or by fax to 760-841-1880

3. Questions?

Contact John DeCock at stockgifts@verifiedvoting.org or call 415-320-7736


Successes

hhhhhh


Support Verified Voting

Please contribute to the effort for reliable and publicly verifiable election systems. You can choose to support either the Verified Voting Foundation, a 501(c)(3) nonprofit organization with tax-deductible contributions permitted to the extent provided by U.S. tax law, or VerifiedVoting.org, a 501(c)(4) nonprofit organization (contributions not tax-deductible).

Choose How You Wish to Donate
Verified Voting Foundation

The Verified Voting Foundation is
a 501(c)(3) non-profit corporation. Donations to the Verified Voting Foundation are tax-deductible to the extent provided by US tax law.

Donate: VV Foundation

VerifiedVoting.org

VerifiedVoting.org is a 501(c)(4) non-profit corporation to support our lobbying efforts. Donations to VerifiedVoting.org are not tax-deductible.

Donate: Verified Voting

The Voting News

The Voting News is a news service made possible by the Verified Voting Foundation. Please help us maintain The Voting News with a tax-deductible donation!

Donate: Voting News

Other Ways to Support Verified Voting

Donate via Paypal
Verified Voting Foundation




 

Donate via Paypal
VerifiedVoting.org




 

 

To donate by check, please make out your check to either Verified Voting Foundation (to receive a tax deduction) or VerifiedVoting.org (to support our legislative advocacy for better election systems, not tax deductible) and mail to:
Verified Voting
PO Box 460550
San Francisco, CA 94146-0550

Verified Voting Foundation
Federal Tax ID#: 20-0765743
501(c)(3) Tax-Deductible
VerifiedVoting.org
Federal Tax ID#: 20-0665713
501(c)(4) Non Tax-Deductible

For information on donating stocks, Click Here

To give from your donor advised fund, Click Here

When you use GoodSearch to search the internet or GoodShop for online purchases, the Verified Voting Foundation recieves a contribution at no cost to you.

Verified Voting greatly appreciates the support of individuals and grant-funding organizations that believe in transparent and publicly verifiable elections. It is our policy not to accept contributions from vendors of election-related equipment or services or any officers, directors or senior-level employees of any vendor. We also do not accept contributions from individuals currently standing for election. Both Verified Voting Foundation and VerifiedVoting.org may also refuse contributions where we feel that the contribution is intended to, or may be interpreted as, interfering with the independent, non-partisan judgment of the Verified Voting Foundation or VerifiedVoting.org staff or board on any issue.


Take Action

The right to have one’s vote counted properly is a cornerstone of our democratic system. Making sure that our election systems are reliable and publicly verifiable enfranchises voters and increases public confidence and participation in our political process. In addition to exercising your right to vote, there are many things you can do to help safeguard our elections.

Be a Poll Observer

The legitimacy of elections depends on transparency: the ability of voters, concerned citizens, federal observers, and watchdog groups to observe the process of the election. Although you cast your vote in private, and no one has the right to know how or for whom you voted, the procedures by which the election is run can and should be observed in a healthy democracy.

Poll monitors, or poll watchers (or election observers as they are sometimes called,) should observe the following election procedures, including but not limited to:

• Pre-election testing of voting equipment
• Poll-opening procedures as equipment is set up to run
• Procedures throughout the day as voters come to cast their ballots
• Poll-closing at the end of the day, including the posting of polling place vote totals
• Be Informed – learn about the equipment used in your State

Election Protection Hotline

Verified Voting is proud to be a partner in the nonpartisan Election Protection Coalition, which was formed to ensure that all voters have an equal opportunity to participate in the political process.

Through their state of the art hotlines: 1-866-OUR-VOTE (administered by the Lawyers’ Committee for Civil Rights Under Law) and 1-888-Ve-Y-Vota (administered by the National Association of Latino Elected and Appointed Officials Education Fund), the Election Protection Website, and comprehensive voter protection field programs across the country, the coalition provide Americans from coast to coast with comprehensive voter information and advice on how they can make sure their vote is counted.

Throughout the election process, Election Protection volunteers – more than 10,000 strong – will be entering data and information into OurVote live (a free tool from the Election Protection Coalition, the New Organizing Institute Education Fund, Craig Newmark’s craigconnects, and Ushahidi), an interactive environment painting the most comprehensive picture of election irregularities from the perspective of the voter available anywhere. Unique in the excitement of this political season, Election Protection focuses on the voter – not on the political horse race – and provides guidance, information and help to any American, regardless of who that voter is casting a ballot for.

We encourage you to download the Election Protection smartphone app! and call the hot line to report any issues or problems that you observe or experience in the process of going to the polls. That number again is 1-866-OUR-VOTE. In Spanish, 1-888-VE-Y-VOTA.


The Voting News

Do Not Delete, this page is the placeholder for the Voting News


The Voting News Needs You!

At Verified Voting, we work hard throughout the year at safeguarding elections in the digital age. A key component of that work is the Voting News, which delivers all the voting issue information you need, when you need it. This vital and unique service brings together, in one convenient place, news you need about elections and voting both US and international.  It not only saves you time, the Voting News also provides an archive of these relevant news stories. If you find it useful, please consider a gift in support! 2014 is a major election year, and you won’t want to miss any of it.

Verified Voting is more than just the Voting News, too…

Some highlights from 2013

• We released our landmark report, “Changes Ahead: A Look at Voting System Testing and Certification”, funded by the Irvine Foundation as part of a collaboration with our Future of California Elections (FoCE) partners. The report looks at what’s working and what’s not, in how we go about testing and approving voting systems for use. One reviewer called it “the best primer for non-voting system techies about how the approval and certification process works and the current landscape along with challenges and opportunities.”

• With our partners, we worked to hold off movement toward Internet voting until NIST develops security standards for Internet voting. In a report published this year, the Federal Voting Assistance Program of the Department of Defense now states that Internet voting’s security vulnerabilities make postal mail the preferred method of ballot return.

• We participated in the NIST/DHS workshops on developing a framework for improving cyber security critical infrastructure, submitting official comments to NIST on the security implications for election technology and administration.

• We submitted testimony to the President’s Commission on Election Administration, and addressed the Commission on a panel in August about the impact of technology on voting system preparedness and long lines.

• We increased our engagement of stakeholders including foundation representatives, election administrators and the next generation of voting rights advocates through our participation in multiple events and conferences throughout the year.

• In a year which saw a significant shift in the voting rights landscape, we worked with other voting rights advocates to support protecting voters from unverifiable voting systems and Internet voting as a continuum of voting rights work.

Verified Voting is riding a wave of accomplishment into 2014 and the mid-term elections. Your support is critical to building on our momentum. Make your donation by the end of the year and it will be doubled by a generous donor who has agreed to match contributions up to a total of $20,000!

Click here to make your 2013 tax-deductible donation today:  https://www.verifiedvoting.org/donate/

Best wishes for a joyous holiday season,

Barbara Simons, Board Chair
Pamela Smith, President


Two Things You Can Do To Help Secure Your Vote

usamapclipThe hack of the DNC emails, and the recent FBI alert about Arizona and Illinois’ voter registration systems being breached, are bringing a lot of attention to the importance of ensuring our voting systems are secure. In talking to the media, it’s challenging to tread between making sure voters aren’t scared away, and still making clear why we need long-term changes in our nation’s voting systems.

So keep in mind these two most important things: check your registration, and show up to vote, no matter what kind of voting system you’ll use.

Here’s just a sample of recent press coverage:

Washington Post: Online voting could be really convenient. But it’s still probably a terrible idea.

Casting your vote online could mean sacrificing the right to a secret ballot and leaving elections more vulnerable to fraud, according to a report … by the Electronic Privacy Information Center, the Verified Voting Foundation and the Common Cause Education Fund. […] Internet voting — either via email, electronic fax or online portals — is allowed in 32 states and the District, according to Verified Voting. Most often, the option is limited to military and overseas voters.

CNN Money: Just How Secure Are Electronic Voting Machines?

We’ve officially entered the era of the hackable election…. five states (Georgia, Delaware, Louisiana, South Carolina and New Jersey) use electronic voting machines that leave no way to audit results after the fact, according to Pamela Smith, president of Verified Voting, which advocates for transparency in voting machines.

NBC News: Election Systems Not Part of “Critical Infrastructure”
David Jefferson, [a Verified Voting board member]… said reforms have mitigated the threat of hacking, and noted that most states now have some system that includes a paper printout of electronically cast votes should any problem occur. But he said that a few states still don’t have such a rule, and… 25 states allow at least some voting by internet or email, and all states have some kind of on-line registration. Jefferson said those systems are wide open to hacking.

NPR, All Things Considered: Electronic Voting Systems Leave Elections Vulnerable to Tampering
“Wherever there’s a fully electronic voting system, there’s potential for tampering of some kind,” said Pamela Smith, president of Verified Voting. She says her nonprofit group has been warning about such tampering for years.

Wired: America’s Voting Machines Are Sitting Ducks

Three-quarters of the country will vote on a paper ballot this fall, says Pamela Smith, president of Verified Voting, a group that promotes best practices at the polls. Only five states—Delaware, Georgia, Louisiana, South Carolina, and New Jersey—use “direct recording electronic” (DRE) machines exclusively. But lots of other states use electronic machines in some capacity. Verified Voting also has a handy map of who votes using what equipment, which lets you drill down both to specific counties and machine brands, so you can see what’s in use at your polling station.

Newsweek: Could the Presidential Election Be Stolen?

The majority of Pennsylvania counties still use electronic voting systems without paper printouts, making them much more vulnerable to glitches or intentional meddling that would be more difficult to catch and correct. But it’s also worth noting that a mix of 10 different electronic voting machine models are at use in the state, according to data compiled by Verified Voting, making it that much more complicated for a would-be hacker to try to alter votes in multiple jurisdictions.

Politico: Hacker Threat Extends Beyond Parties

It’s so decentralized and you’ve got big counties and small, counties that have a whole IT staff in their office, and counties that have nothing remotely like that, and their election officials are part-time,” said Pamela Smith, president of election watchdog Verified Voting. “There’s a broad diversity of jurisdictions.”

 

We continue to respond to inquiries from the press as this story unfolds. This situation is showing why we need to promote better, more secure election systems.

Thanks for standing with us.

– Pam

Pamela Smith, President

Verified Voting Foundation

Ps – In case you missed our last email, know that you can make a difference in your community by volunteering as a poll worker. Click here to find out more. If you are unable to volunteer yourself, please forward this message to a friend.

 


Verified Voting announces appointment of John DeCock as new Executive Director

CARLSBAD – Verified Voting, the nation’s leading election integrity organization, today announced the appointment of John DeCock as our new Executive Director.

“We are delighted to have John join our team,” said Verified Voting President Pamela Smith. “John’s appointment signals an important step in our efforts to safeguard elections and to support each voter’s right to cast an effective ballot. John’s exceptional skills and experience will support our outreach and ability to share our resources with a broad range of communities, from voters to policymakers to election officials and more. Working together with John, I am certain that we will continue making vital contributions towards achieving reliable and publicly verifiable elections.”

“There is nothing more fundamental to our Democracy than the right to vote and the knowledge that each vote matters and will be properly counted,” said DeCock. “I am looking forward to working with the talented staff and board at Verified Voting, as well as with the many experts who have collectively achieved so much. There still is much to do to improve the systems by which we cast our votes and to guarantee that every voter knows that his or her vote is counted as cast.”

Verified Voting Board Chair Barbara Simons added, “I am thrilled that John is joining Verified Voting. We are confident that he will contribute significantly to our efforts to ensure that our country enjoys the most accurate, reliable, accessible, usable, and secure voting systems possible.”

Mr. DeCock has worked in the non profit sector for 35 years. He has served as Executive Director of The Sierra Club Foundation and Chief Executive Officer of Clean Water Action. During the course of his career, he has been very involved in electoral activity, including leadership of bipartisan voter registration and Get Out The Vote initiatives. He was a member of the Executive Committee of America Votes and has participated in collaborative electoral work in partnership with a diverse array of organizations. He resides in San Francisco, California.

Verified Voting consists of VerifiedVoting.org, a non-profit advocacy organization, and the Verified Voting Foundation, a non-profit charitable organization for public education. Together, the two organizations work to achieve evidence-based elections and transparent processes through best practices in the deployment of accessible, secure, voter verifiable systems and to provide comprehensive resources to advocates, media, voters and election officials nationwide.

 


Verified Voting Board of Advisors

Verified Voting’s goals and strategies have been developed in consultation with many others who are on our Board of Advisors. All members of our Board of Directors are also on the advisory board.

appel_150Andrew W. Appel, Ph.D., is the Eugene Higgins Professor of Computer Science at Princeton University, where he has been on the faculty since 1986. He served as Department Chair from 2009-2015. His research is in software verification, computer security, programming languages and compilers, and technology policy. He received his A.B. /summa cum laude/ in physics from Princeton in 1981, and his PhD in computer science from Carnegie Mellon University in 1985. He has been Editor in Chief of ACM Transactions on Programming Languages and Systems and is a Fellow of the ACM (Association for Computing Machinery). He has worked on fast N-body algorithms (1980s), Standard ML of New Jersey (1990s), Foundational Proof-Carrying Code (2000s), and the Verified Software Toolchain (2010s).  He is the author of several scientific papers on voting machines and election technology, served as an expert witness on two voting-related court cases in New Jersey, taught a course at Princeton on Election Machinery, and was a member of the 2017-18 National Academy of Sciences  study committee on the Future of Voting.

bellovin-150Steven M. Bellovin is the Percy K. and Vidal L. W. Hudson Professor of computer science at Columbia University and member of the Cybersecurity and Privacy Center of the university’s Data Science Institute. He is the Technology Scholar at the Privacy and Civil Liberties Board. He does research on security and privacy and on related public policy issues. In his copious spare professional time, he does some work on the history of cryptography. He joined the faculty in 2005 after many years at Bell Labs and AT&T Labs Research, where he was an AT&T Fellow. He received a BA degree from Columbia University, and an MS and PhD in Computer Science from the University of North Carolina at Chapel Hill. While a graduate student, he helped create Netnews; for this, he and the other perpetrators were given the 1995 Usenix Lifetime Achievement Award (The Flame). Bellovin has served as Chief Technologist of the Federal Trade Commission. He is a member of the National Academy of Engineering and is serving on the Computer Science and Telecommunications Board of the National Academies of Sciences, Engineering, and Medicine. In the past, he has been a member of the Department of Homeland Security’s Science and Technology Advisory Committee, and the Technical Guidelines Development Committee of the Election Assistance Commission; he has also received the 2007 NIST/NSA National Computer Systems Security Award and has been elected to the Cybersecurity Hall of Fame.

Bellovin is the author of Thinking Security and the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds a number of patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs; he was also a member of the information technology subcommittee of an NRC study group on science versus terrorism. He was a member of the Internet Architecture Board from 1996-2002; he was co-director of the Security Area of the IETF from 2002 through 2004.

Matt Blaze is a computer science professor at the University of Pennsylvania, where his research focuses on secure systems, cryptography, surveillance, and the intersection of technology and public policy. He has led technical reviews on several voting systems commissioned by the states of California and Ohio.

Cindy Cohn is the Executive Director of the Electronic Frontier Foundation. From 2000-2015 she served as EFF’s Legal Director as well as its General Counsel. Ms. Cohn first became involved with EFF in 1993, when EFF asked her to serve as the outside lead attorney in Bernstein v. Dept. of Justice, the successful First Amendment challenge to the U.S. export restrictions on cryptography. The National Law Journal named Ms. Cohn one of 100 most influential lawyers in America in 2013, noting: “[I]f Big Brother is watching, he better look out for Cindy Cohn.” She was also named in 2006 for “rushing to the barricades wherever freedom and civil liberties are at stake online.”  In 2007 the National Law Journal named her one of the 50 most influential women lawyers in America. In 2010 the Intellectual Property Section of the State Bar of California awarded her its Intellectual Property Vanguard Award and in 2012 the Northern California Chapter of the Society of Professional Journalists awarded her the James Madison Freedom of Information Award.

Lillie Coney is currently the Legislative Director for Representative Sheila Jackson Lee, previously she was the Associate Director of the Electronic Privacy Information Center in Washington, DC. In 2009 Lillie was appointed to the Election Assistance Commission Board of Advisors. She wrote the chapter “Mobilize Underrepresented Voters” in The New York Times bestseller, 50 Ways to Love Your Country. She co-chaired the 2011 Computers Freedom and Privacy Conference: the Future is Now, and chaired the Public Voice Conferences in 2010 and 2011.

Larry DiamondLarry Diamond, Ph.D. is a senior fellow at the Hoover Institution and at the Freeman Spogli Institute for International Studies at Stanford University, where he teaches courses and conducts research on comparative democratic development.  Diamond is the founding co-editor of the Journal of Democracy and a Senior Consultant at the International Forum for Democratic Studies of the National Endowment for Democracy. A former director of the Center on Democracy, Development, and the Rule of Law at Stanford, he is the co-founder and principal investigator of its Program in Liberation Technology and co-editor of Liberation Technology: Social Media and the Struggle for Democracy (Johns Hopkins University Press, 2012).

Richard DeMillo is the Charlotte B. and Roger C. Warren Professor of Computing and Professor of Management at Georgia Tech. He founded and directs the Center for 21st Century Universities, Georgia Tech’s living laboratory for fundamental change in higher education. He was named Lumina Foundation Fellow in recognition of his work in higher education. He was formerly the John P. Imlay Dean of Computing at Georgia Tech where he led the design and implementation of the Threads program. His 2011 MIT Press book “Abelard to Apple: The Fate of American Colleges and Universities,” which helped spark the national discussion of the future of higher education, was inspired by this experience. A sequel entitled “Revolution in Higher Education: How a Small Band of Innovators will make College Accessible and Affordable” was published by MIT Press in 2015 and was named best education book of 2015 by the National Publisher’s Association.

Prior to joining Georgia Tech, he was Hewlett-Packard’s Chief Technology Officer. He led HP through technology revolutions in super computing, printing, open source software, information security, and nanotechnology. He has also held leadership positions at Bellcore, where he oversaw Computing Research, and the National Science Foundation, where he directed the Computer and Computation Research Division. His research contributions include computer security, cryptography, software engineering, and theoretical computer science. He directed Georgia Tech’s Information Security Center, and served as an election observer for the Carter Center. He has served on boards of public and private cybersecurity and privacy companies, including RSA Security and SecureWorks. He is a Fellow of both the Association for the Advancement of Science and the Association for Computing Machinery.

Jeremy Epstein is Deputy Division Director of the National Science Foundation’s Computer & Network Systems Division, where he manages a $350M research portfolio in security, networking, cloud computing, cyber physical systems, and computer science education across US colleges & universities. Prior to this position, he was a Senior Computer Scientist with SRI International in Arlington VA. From Feb 2016-Jan 2017, he was on loan from SRI to the U.S. Defense Advanced Research Projects Agency (DARPA), where he led privacy and security research programs. From 2012-2015, he was on loan from SRI to the U.S. National Science Foundation, where he lead NSF’s flagship cybersecurity research program, overseeing a portfolio of 800 research grants and $75M/year. He has been a researcher in voting system security for over a decade, and was one of the authors of the Election Assistance Commission’s risk assessment model research program. He served as a consultant to the Kentucky Attorney General, an appointed member of two Virginia legislative committees, an advisor to the DC City Council and to the Federal Voting Assistance Program, all on issues relating to voting system security. He was the IEEE representative on the Technical Guidelines Development Committee, which advises the Election Assistance Commission on voting system security standards. Jeremy is experienced in how commercial technology is built, having spent nine years as an executive responsible for product security at a mid-size software vendor. Jeremy holds an M.S. in Computer Science from Purdue University.

EfrainEfrain Escobedo is the vice president in charge of civic engagement, multisector collaboration and public policy at California Community Foundation, responsible for promoting collaboration and advocacy efforts across the nonprofit, public and private sectors to address community problems. He is recognized nationally and locally as an active leader and expert in Latino civic engagement and elections policy. He has worked extensively with academia, civic and community organizations, as well as with elected officials in developing research, strategies and program to increase voter participation.

Prior to joining CCF, Escobedo was the manager of governmental and legislative affairs for the Registrar of Voters in Los Angeles County, the largest election jurisdiction in the nation with more than 4.5 million registered voters. There, he worked with elected officials to enact numerous initiatives aimed at making the voting process easier for Angelenos, including the electronic delivery of sample ballots and the authorization of online voter registration. Escobedo also served as senior director of civic engagement for the National Association of Latino Elected and Appointed Officials (NALEO) Educational Fund, where he led the development of innovative voter contact strategies and technologies that have helped to engage more than one million young, newly registered and infrequent Latino voters across the country. Escobedo earned his bachelor’s degree in American studies and ethnicity from the University of Southern California and is a recent graduate of the Los Angeles County Executive Leadership Program.

FarberDave Farber was appointed to be Chief Technologist at the US Federal Communications Commission in 2000 and has served on the US Presidential Advisory Board on Information Technology and the FCC’s Technological Advisory Council. Prof. Farber was also appointed to the Advisory Council or the CISE Directorate of the National Science Foundation and is a Trustee of the Electronic Frontier Foundation. He is a Visiting Professor of the Center for Global Communications of Japan — Glocom of the International University of Japan, a Member of the Advisory Board at the National Institute of Informatics of Japan and a Member of the Advisory Boards of both the Center for Democracy and Technology and EPIC. He was named in the 1997 edition of the UPSIDE’s Elite 100, as one of the Visionaries of the field and was named in the 1999 Network World as one of the 25 most powerful people in Networking. In 2002 he was named by Business Week as one of the top 25 leaders in E-Commerce. His industrial experiences are extensive, just as he entered the academic world; he co-founded Caine, Farber & Gordon Inc. (CFG Inc.) which became one of the leading suppliers of software design methodology. His consulting activities include Intel, the RAND Corp among others. He is also on a number of industrial advisory and management boards, major among these are NTT DoCoMo, Boingo, Rainmaker and E-tenna.

FeltenEdward W. Felten, Ph.D. is a Professor of Computer Science and Public Affairs at Princeton University, and the founding Director of Princeton’s Center for Information Technology Policy. In 2011-12 he served as the first Chief Technologist at the U.S. Federal Trade Commission. His research interests include computer security and privacy, especially relating to media and consumer products; and technology law and policy. He has published about eighty papers in the research literature, and two books. His research on topics such as web security, copyright and copy protection, and electronic voting has been covered extensively in the popular press. His weblog, at freedom-to-tinker.com, is widely read for its commentary on technology, law, and policy. He is a member of the National Academy of Engineering and the American Academy of Arts and Sciences, and is a Fellow of the ACM. He has testified before the House and Senate committee hearings on privacy, electronic voting, and digital television. In 2004, Scientific American magazine named him to its list of fifty worldwide science and technology leaders. In May 2015 he was appointed deputy chief technology officer in the White House’s Office of Science and Technology Policy.

Lowell Finley is an attorney with a long history of involvement in election integrity issues.  In 2003, he brought the first successful lawsuit against a voting system manufacturer for misrepresenting the security capabilities of its product while marketing it to a county elections department.  That case, under the California False Claims Act, resulted in $2.6 million in payments to state and local agencies and an injunction, requiring Diebold Election Systems, Inc., to strengthen the security protocols employed with its Accuvote TS touchscreen voting machines and vote tabulation servers.  He was co-founder and co-director of Voter Action, a nonprofit that litigated state constitutional challenges to the use of paperless touchscreen voting systems in California, Arizona, New Mexico, Colorado and Pennsylvania in 2005 and 2006.  From 2007 to 2014, he served as Deputy Secretary of State for Voting Systems Technology and Policy under California Secretary of State Debra Bowen.  In that capacity, he oversaw the 2007 Top To Bottom Review of the voting systems used in California, conducted in collaboration with computer security experts from the University of California, Princeton, Rice and other universities, which led to the decertification of several voting systems and eventually to the adoption of new, comprehensive voting system certification standards.  He also served as California’s representative on the Standards Board of the U.S. Election Assistance Commission.  He holds a B.A. from the University of California, Santa Cruz, and a J.D. from the University of California, Berkeley School of Law.

Michael J. Fischer, Ph.D. has been Professor of Computer Science at Yale University since 1981. He has an M.A. (1965) and a Ph.D. (1968) from Harvard University. Professor Fischer supervised Josh Benaloh‘s dissertation, “Verifiable Secret-Ballot Elections” (1987), which was the first distributed voting protocol to simultaneously achieve voter privacy and voter verifiability. Professor Fischer is a founding member of TrueVoteCT.org, a public-service organization that helped to bring verifiable optical scan voting technology to Connecticut. He was appointed by Connecticut Governor Jodi Rell in 2005 to the short-lived Voting Technology Standards Board, where he was elected Vice-chair by its members. His research interests include theory of distributed and parallel computing, cryptography, and computer security.

J. Alex Halderman, Ph.D. is an assistant professor of computer science and engineering at the University of Michigan. His research spans computer security and tech-centric public policy, including topics such as software security, data privacy, electronic voting, censorship resistance, and cybercrime, as well as technological aspects of intellectual property law and government regulation. He holds a Ph.D. from Princeton University. A noted expert on electronic voting security, Prof. Halderman helped demonstrate the first voting machine virus, participated in California’s “top-to-bottom” electronic voting review, and exposed election security flaws in India, the world’s largest democracy. He recently led a team from the University of Michigan that hacked into Washington D.C.’s Internet voting system. In his spare time, he reprogrammed a touch-screen voting machine to play Pac-Man.

Mark Halvorson is the founder, former director and current board member of Citizens for Election Integrity Minnesota. He has observed four statewide recounts, six statewide audits and has recruited and trained many non-partisan observers. In 2007 Mark helped to organize the first national Audit Summit.  He created the audit and recount state laws searchable databases and was an executive editor of Principles and Best Practices of Post-Election Audits as well as Recount Principles and Best Practices. He served on the Brennan Center Audit Panel and the national League of Women Voters audit working group. Mark was the recipient of the Election Verification Network’s 2017 John Gideon Memorial award for his long standing and highly effective advocacy for election integrity.

HellmanMartin E. Hellman, Ph.D. is Professor Emeritus of Electrical Engineering at Stanford University and best known for his invention, with Diffie and Merkle, of public key cryptography. This technology allows electronic banking and other secure transactions on the Internet, and protects literally trillions of dollars daily. Prof. Hellman has been a long-time contributor to the computer security debate, starting with his efforts in the mid 1970s to improve the security level of the Data Encryption Standard (DES). In the mid 1990s he served on the National Research Council’s Committee to Study National Cryptographic Policy, whose main recommendations have since been implemented. His current project focuses on reducing the unacceptable level of risk inherent in nuclear deterrence. Prof. Hellman’s many awards include the ACM Turing Award in 2015, election to the National Academy of Engineering, induction as an inaugural member of the Cyber Security Hall of Fame, EFF’s Pioneer Award, and three “outstanding professor” awards from minority student organizations.

Harri_150Harri Hursti is one of the world’s leading experts on voting systems and is known for his demonstration of the vulnerability of America’s voting systems in the HBO documentary, “Hacking Democracy”. He has been one of the lead technical resources in the major independent technical reviews of America’s voting systems: Ohio’s Sec. of State-ordered EVEREST Study and the New Jersey’s Superior Court judge-ordered review of the Sequoia voting machines. Harri is the 2009 recipient of the Electronic Frontier Foundation’s Pioneer Award for his role in demonstrating the vulnerability of America’s electronic voting machines.

Candice Hoke specializes in the governance of election technologies.  Currently she is a law professor and Co-Director of the Center for Cybersecurity & Privacy Protection.  Holding a Yale