Security and Accuracy
This section is an overview of the security features of the eSlates and the security procedures used by San Mateo County Elections to ensure the integrity of the vote and the conduct of secure and accurate elections.
While no voting system is perfect and each has its advantages and disadvantages, studies show that electronic voting systems offer an accurate and secure method of voting:
- It is impossible to “overvote” (vote for more candidates than can be elected).
- Voters can immediately correct their ballot choices if they make a mistake.
- Voters must view a summary screen of all of their ballot choices before casting their ballot, giving voters an opportunity to review and change their choices before the vote is cast.
- Voters are alerted to un-voted or under-voted races on the summary screen.
- It is impossible to incorrectly mark the ballot, eliminating ambiguity regarding voter intent.
- Electronic voting systems have been shown to eliminate racial and language-related errors found in paper-based voting systems (including optical scan).
- Votes are redundantly stored in multiple physical memory locations and the printed paper record to preserve election results in the event of equipment failure.
It is also important to remember that voting equipment is only one component of an overall election system that includes citizen involvement, transparency, external security measures, management policies and procedures, and professional election officials. All of these people, procedures, and technologies work together to ensure reliable and trustworthy election results.
The San Mateo County Elections Office is committed to accurate and secure elections and is going beyond state and federal requirements for electronic voting system security. The Elections Office has appointed a Chief Security Officer and is working with both a private security consulting firm and election officials to develop the "gold standard" of electronic voting system security. In addition, the Elections Office is developing procedures based on the recommendations from two prominent reports on election system security, the Brennan Center Task Force on Voting System Security report and the U.S. Government Accountability Office Report on the Security of Electronic Voting Systems.
The History of Electronic Voting
Electronic voting systems have been used in jurisdictions throughout the United States since the 1970s. Approximately 30% of the votes nationwide in the 2004 Presidential election were cast using electronic voting devices. According to the American Association of People with Disabilities, “In almost four decades, not a single case of election fraud due to tampering of a system’s hardware or software has occurred. Comparably, in the last 40 years, hundreds of cases of election fraud involving paper have occurred and been successfully prosecuted.” Electronic voting machines are very reliable and have multiple redundant features to capture and store votes accurately.
Security within the eSlate Voting System
Equipment safeguards against unauthorized access
The eSlate system includes both physical and electronic intrusion detection controls, such as numbered wire seals (commonly used in elections), and time-stamped transaction logs that record every system action related to the voting process. Data cannot be inserted or altered by unauthorized personnel because the database structure is proprietary and is protected by encrypted passwords determined by the Elections Administrator.
Equipment safeguards against external access
The eSlate voting system is activated by the voter using a randomly generated four-digit code; there are no smart cards or other programmable devices that require an external access point into the voting hardware. This eliminates the possibility of hackers or others being able to gain access to the system in order to tamper with or subvert the election. In addition, the voting devices and tabulation computers are NEVER connected to an external network (including the Internet), so there is no opportunity for someone to access the system remotely and alter computer code or election results.
Clear Audit Trail
Each component of the eSlate voting system creates an audit record every time it is accessed or information is changed. All audit records can be extracted and printed in hard copy. All audit reports, audit trail documents, databases, and election reports can be archived in hard copy and/or saved electronically to CD-ROM to preserve information as required by the Election Code.
No Reprogramming for Each Election
Unlike optical scan voting systems, the eSlate voting system is not reprogrammed with new code for each election; only the election data changes. This eliminates a major source of potential error or manipulation. In addition, the eSlate system allows Elections Office staff (rather than the vendor) to prepare and implement the data entry of party names, candidate names, propositions, precincts, districts, etc. necessary for setting up each election.
Equipment Designed for Secure Operation
The components of the eSlate voting system are networked together at the polling place, allowing the system to store all information (election coding and individual vote records) in three physically separate locations. This provides back-up and redundant data storage in the event that any one of the components malfunctions. This is a significant advantage over stand-alone electronic voting devices that have a single point of failure. (As a clarification, although the devices are networked together at the polling place, the system is NOT connected to an outside network, including the Internet.)
Automatic creation of vote records in multiple memory locations throughout the course of Election Day eliminates the need to physically collect votes from each voting device upon poll closing. This eliminates a potential source of error.
The eSlate voting system has 18 hours of battery backup to protect against power failures and lost data. All information storage devices are solid-state, and thus are not susceptible to magnetic fields, abusive handling, or loss of power.
Integrated Diagnostics and Internal Control
The eSlate voting system uses error-checking techniques to ensure the accuracy of reading and writing digital data. Repetitive data integrity checks ensure that only authorized devices are communicating on the local network at the polling place, and that the data being communicated originates from a source that has complete integrity with the election database created for the current election. The eSlate voting system also incorporates continuous checking of each data transfer to ensure that the data received at the end of the transfer is the same as the data originated by the source.
The eSlate voting system incorporates a tough polycarbonate display cover that is nearly indestructible. This makes the eSlate voting device better able to withstand vandalism attempts or other potential damage due to accidents than touch screen voting devices.
eSlate voting devices meet the stringent testing requirements of MIL-STD (U.S. Military Standard) 810 for environmental ruggedness, including humidity, vibration, and drop height. These devices are tested in temperature extremes through hot-cold chamber testing, salt fog testing, and water-resistance testing.
Voting Systems Certification and Independent Testing
Federal Certification Testing
Voting system certification standards employed in California are among the most stringent in the nation. Every voting system certified for use in California, including the Hart InterCivic eSlate voting system, must comply with the Federal Voting System Standards promulgated by the Federal Election Commission. An Independent Testing Authority (ITA) selected and approved by the National Association of State Election Directors (NASED) rigorously tests each voting system’s hardware, firmware, and software for compliance with the Federal Voting System Standards. Voting systems certified by the ITA are issued a NASED Qualified identification number to show that they meet or exceed the Federal Voting System Standards.
State Certification Testing
In addition, California Election law requires the Secretary of State to certify all voting systems used in the state. Before the California examination of a voting system, the system must be tested by a Nationally Recognized Test Laboratory (NRTL) and shall meet or exceed the minimum requirements set forth in the Performance and Test Standards for Punch Card, Mark Sense, and Direct Recording Electronic Voting Systems, or in any successor voluntary standard document developed and promulgated by the Federal Election Commission. Voting systems vendors must submit each hardware, firmware, and/or software update to the ITA and the Secretary of State for testing in order to maintain their voting system’s certification.
Voting System Transparency
Logic and Accuracy Testing
The accuracy of electronic voting devices is tested by “Logic and Accuracy” testing before and after each election as required by the Election Code to make certain that the voting system is working properly. Votes from a hand-tallied spreadsheet are entered into the electronic voting devices. Printed totals from the electronic system are then compared to the hand-counted results. Additional functional tests are performed manually on each voting device. The schedule of Logic and Accuracy testing and functional testing is posted in advance of each election, and these testing sessions are open to the public.
In addition, the eSlate voting system prints a “zero report” when the machines are opened and powered-up at the polling place to document that there are no prior votes stored within the system.
Hash Testing/Version Control Testing
Before each election, version control testing will be conducted to make sure that each component of the electronic voting system is using a certified version of the vendor’s software and firmware.
Parallel Testing of Voting Equipment
The California Secretary of State's Office requires parallel testing of the eSlates on Election Day. The parallel testing procedure includes the random selection of eSlate voting machines the morning of the election from various precincts within the county. Once selected, the eSlate units are thoroughly tested for accuracy and reliability by designated California Secretary of State election personnel. The accuracy testing runs the entire duration of the election. Election result reports are then generated from each eSlate unit once the election concludes so the accuracy of the system can be validated.
Other Security Measures and Procedures
Security at the San Mateo County Elections Office
An upgrade of security features has been completed within the Elections Office including a key-card entry system to control access to areas of the office where ballot coding computers and election tabulation computers are located and the addition of security cameras throughout the building.
Established procedures such as "chain of custody" on all equipment via logs, signature sheets, and an inventory control and tracking system utilizing bar codes and RFID (radio frequency identification) technology establish tight controls over voting equipment and machines. Paper ballots and vote tally electronic storage components cannot be handled by any single elections employee or Election Officer at any time.
Security at the Polling Place
Voting devices will be delivered to the polling places before Election Day. They will be kept in a secure location at each polling place, and stored inside a locked cart or chained together to prevent access or theft. Each voting unit will be stored inside a secure case and sealed with a numbered-wire seal. The presiding election Inspector will be required to verify that the correct seals are intact on the voting devices before they may be opened and used in the election.
The presiding election Inspector will pick up the Judge's Booth Controller component of the eSlate voting system from the Elections Department before Election Day and will maintain custody of the unit until after the polls close on Election Day. A memory card is stored inside the unit in a closed compartment sealed with a numbered wire seal and is not to be accessed by the election judge or polling place staff. When the unit is returned to the central counting station after the polls close, Elections staff will verify that this seal has remained intact while in the custody of the presiding election Inspector and while in use on Election Day.
The separation of equipment prior to the opening of the polls ensures that the individual voting devices may not be “pre-voted” (they cannot be used until activated with the precinct control device in the custody of the election judge). Conversely, the Judge's Booth Controller cannot be used to “pre-vote” without an attached voting device (the voting devices have been delivered to the polling place and are not accessible by the election Inspector until Election Day).
Other Management and Operation Procedures
Internal management and operational procedures are crucial to the success and reliability of any voting system, including our previous optical scan system. The following procedures will be carried forward or instituted:
- An audit of each precinct’s electronic tally of the number of votes cast will be conducted against the number of signatures in the precinct’s poll book roster.
- Polling place officials will be required to certify in writing that the proper locks and seals were found to be intact on the voting equipment before the polls open.
- Polling place officials will be required to print and keep a “zero tape” from the voting system to ensure that no votes have been pre-loaded into the system.
- A physical inventory of all voting devices will be conducted before and after each election to ensure custody of all voting devices is maintained.
- All procedures will be in writing. All election judges, early voting workers, county Election staff, and central counting workers will undergo extensive training in both voting equipment operation and election law/procedures.