This section gives an overview of the security features of election
systems and the security procedures used by San Mateo County
Elections, which are designed to ensure the integrity and accuracy
of the voting process and results.
The County’s voting technology comprises two main
components: voter registration and voting tabulation. These two
systems are completely separated and secured in multiple ways.
The voting tabulation system is a closed system and does not
connect to the internet.
Voter Registration System
San Mateo County uses an election management system (EMS) from
DFM Associates, Inc. called EIMS. This system stores election
information including voter data and voter participation history.
Below are some of the systems and protocols in place to protect
the County’s voter registration system.
Federal Declaration of Critical
In January 2017, the Department of Homeland Security (DHS)
designated U.S. elections as critical infrastructure. While the
designation does not come with funding and counties are not
required to participate, San Mateo County Information Services
Department (ISD), a department of the Assessor-County
Clerk-Recorder & Elections (ACRE), works with the federal
government. The designation helps to improve communication
between the federal government and state and local officials in
protecting the elections infrastructure.
The voter registration database servers are located inside the
County network behind the County firewall, which is constantly
monitored and patched. The County subscribes to the Department of
Homeland Security’s Cyber Hygiene Service whereby DHS and ACRE
security vendors perform regular vulnerability scans of the
County’s network and the internet.
San Mateo County Elections Department also has in place a
Cybersecurity Defense Team (CSDT) which works closely with San
Mateo County Information Service Department, the Secretary of
State office (SOS), DHS, EI-ISAC, and a cybersecurity expert firm.
Together these groups are constantly monitoring cybersecurity
risks and taking appropriate actions to ensure the security of
San Mateo County systems network and elections operations. The
CSDT also provides oversight over cybersecurity incidents and
tracking and coordinates appropriate cybersecurity incident
events with the SOS and EI-ISAC. Additionally, the CSDT
coordinates with the appropriate groups to ensure Multi-Factor
Authentication (MFA) is appropriately implemented.
All users must have a unique username and password to sign in to
the County network. Passwords must be changed every 60 days per
the County security standards. All remote users entering the
County network must use a VPN connection to access the network.
Multi-Factor Authentication is utilized by Elections staff who
have the capability to update election website contents or social
At the County, there are multiple security systems to help
protect the internal users from malware and phishing. All
incoming email is scanned and evaluated for malware and phishing.
All internet traffic is monitored and known phishing sites are
blocked. Other types of malicious links may be blocked so that
malware can’t be downloaded inside the County network.
All computers and fileservers connected to the San Mateo County
network must have the most recent version of anti-virus software
that has been tested and approved by ISD, installed, and actively
running on these devices and configured for daily virus
definition file updates. Similarly, all computers and fileservers
must be configured to receive updates and patches. Internal
vulnerability assessments are also conducted. All laptops must be
protected with full disk encryption.
Users can only log in to EIMS if they are connected to the County
network. County logins are used to access EIMS. Users are
assigned roles in EIMS with limited access and rights within the
application required to perform their assigned responsibilities.
All changes to records are logged and are auditable.
EIMS servers are County owned and located in secured County
buildings. All EIMS applications are run on County servers that
reside in a secured data center. No election data is stored in
the cloud. The EIMS servers’ backups are run on a set timetable
and the backups are replicated to at least one other site. All
servers are running an operating system that is up to date and
have anti-malware software that is updated on a routine basis.
EIMS is connected to the California Secretary of State (SOS)
voter registration database, referred to as VoteCal, via a secure
point-to-point, high-speed connection. VoteCal links all the
voter registration databases in the 58 California counties.
Voter registration data is transmitted between VoteCal and EIMS
to update voter status. The County employs a security appliance
between the County and the SOS that limits what the State
connection can do inside the County network. This security
appliance also limits who can exit through the line and access
the VoteCal data. Only authorized Elections staff can access
Many safeguards are in place to protect VoteCal from unauthorized
access, intrusion, manipulation, or corruption.
First, VoteCal adheres to industry-standard security controls
established by the National Institute of Standards and Technology
(NIST 800-53r4) and the International Organization for
Standardization (ISO 27001).
Second, VoteCal has utilized industry-standard best practices to
implement recommendations from the Department of Homeland
Security (ST16-001) for “Securing Voter Registration Data.” These
recommendations, which were distributed by the National
Association of Secretaries of State Elections Committee, are
designed to prevent malicious actors from using a variety of
means to interfere with voter registration websites and
Third, VoteCal’s database resides on servers located on a secure
internal network. VoteCal’s data does not reside in a cloud, but
rather resides locally. Only a select few authorized staff have
access to the database. Network safeguards and server
hardening/security enhancement techniques have been employed to
protect the system from external intrusion.
Fourth, the SOS conducts routine vulnerability scans and security
audits to proactively identify and address security
vulnerabilities. In addition, the SOS routinely applies the
latest software security patches to ensure that VoteCal remains
protected against emerging security threats. The SOS also deploys
malware/anti-virus software on infrastructure and end-point
Finally, VoteCal’s data is encrypted at rest and in transit. No
access exists between the VoteCal public website servers, used
for the public website, and the VoteCal database servers, where
voter data resides.
Vote Center Connections
In June 2018, San Mateo County moved to a new All-Mailed
Ballot/Vote Center election model. Vote Centers replaced polling
places. Each Vote Center has between 3 and 7 epollbooks for check-in
Epollbooks are configured with dual password authentication
required for each user. The epollbook data is encrypted at rest
and in transit, and the epollbooks are monitored remotely from
our central office.
The epollbooks are controlled by mobile device management, and
only authorized applications are installed. All unused ports and
connections on designated IT assets and other devices will be
sealed and/or blocked from use. IT assets will be secured when
not in use and stored in a secure location.
Voters can verify 24 hours a day, 7 days a week that their voter
registration is accurate via the Voter Lookup tool on the San
Mateo County Elections website. The Voter Lookup tool uses
HyperText Transfer Protocol Secure (HTTPS) which means that all
data sent and received is encrypted.
The data for this voter lookup is an extract from the voter
registration database servers. The lookup does not have access to
live data and the extract only pulls data that is necessary to
run the voter lookup.
Voter data may be provided to a candidate running for office, a
ballot measure committee or to persons or groups for elections,
scholarly, journalistic, political or governmental purposes as
determined by the SOS. All other requests for voter data are
Voting Tabulation System
In 2019, San Mateo County began using Dominion’s Democracy Suite
Voting System as its voting tabulation system. It is a
paper-based system, which is secure and accurate and allows a
verifiable audit trail of the votes cast.
It is also important to remember that voting equipment is only
one component of an overall election system that includes citizen
involvement, transparency, external security measures, management
policies and procedures, and professional election officials.
Altogether these measures ensure reliable and trustworthy
The San Mateo County Elections Office is committed to fair,
accurate, and secure elections, and is going beyond state and
federal requirements for voting system security and accuracy. As
part of the ACRE department, the Elections Division clearly
recognizes that cyber attacks are a reality of life in this
digital era, and that it is necessary to constantly continue
hardening our cybersecurity, policy and tools. To achieve these
goals, ACRE works with cybersecurity vendors and the Secretary of
State’s VoteSure program. Additionally, ACRE staff and County
Information Services Department (ISD) staff continuously work
with the DHS, MS-ISAC and EI-ISAC to understand the latest
security threats and how to protect against them as do relevant
vendors. ACRE’s vendor who manages our website also receives
EI-ISAC notifications, notifications from the Drupal open source
consortium related to security issues, and employs two-factor
authentication. “We share the public’s concern for election
security and are committed to using state-of-the-art
cybersecurity tools and techniques to achieve this.”
Overview of Dominion System
Voting Systems Certification and Independent Testing
Federal Certification Testing
Voting system certification standards employed in California are
among the most stringent in the nation. Every voting system
certified for use in California, including the Dominion voting
system, must comply with the Federal Voting System Standards
issued by the Federal Election Commission. An Independent Testing
Authority (ITA) selected and approved by the National Association
of State Election Directors (NASED) rigorously tests each voting
system’s hardware, firmware, and software for compliance with the
Federal Voting System Standards. Voting systems certified by the
ITA are issued a NASED Qualified identification number to show
that they meet or exceed the Federal Voting System Standards.
State Certification Testing
In addition, California election law requires the Secretary of
State to certify all voting systems used in the state. Before the
California examination of a voting system, the system must be
tested by a Nationally Recognized Test Laboratory (NRTL) and
shall meet or exceed the minimum requirements set forth in the
‘Performance and Test Standards for Punch Card, Mark Sense, and
Direct Recording Electronic Voting Systems’, or in any successor
voluntary standard document developed and promulgated by the
Federal Election Commission. Voting systems vendors must submit
each hardware, firmware, and/or software update to the ITA and
the Secretary of State for testing to maintain their voting
Security within the Dominion ImageCast X (ICX)
Voting at Vote Centers on ImageCast X
San Mateo County implemented a new voting system in November
2019, which has the following functionality:
It is impossible to “overvote” (vote for more candidates than
can be elected).
Voters can immediately correct their ballot choices if they
make a mistake.
It is impossible to incorrectly mark the ballot, eliminating
ambiguity regarding voter intent.
Voters are alerted to un-voted or under-voted races on the
Voters must view a summary screen of all their ballot choices
before printing their ballot – giving voters an opportunity to
review and change their choices, if necessary.
Once a voter prints their ballot, the voter is given one last
opportunity to review and change their ballot choices before they
cast their paper ballot into a designated ballot box.
Printed paper ballots provide an auditable record, ensuring
an election is conducted accurately and securely.
Equipment safeguards against unauthorized
The ICX system (Ballot Marking Tablet) includes both physical and
electronic intrusion detection controls, such as numbered wire
seals (commonly used in elections), and time-stamped transaction
logs that record every system action related to the voting
process. Data cannot be inserted or altered by unauthorized
personnel because the database structure is proprietary and is
protected by encrypted passwords determined by the Elections
Equipment safeguards against external
The ICX voting system is activated by the voter using a one-time
issued voter smart card provided by an election official at a
Vote Center. This eliminates the possibility of hackers or others
being able to gain access to the system attempting to tamper with
or subvert the election. In addition, the voting devices and
tabulation computers are never connected to an external network
(including the internet), so there is no opportunity for someone
to access the system remotely and alter computer code or election
results. The only devices connected to an ICX are a certified
printer and an Audio Tactile Interface (ATI). An ATI is an
accessible device that allows a voter with a disability to use the
Clear Audit Trail
Each ICX ballot marking device prints a physical paper ballot
that reflects a voter’s marked choices. Each ICX paper ballot is
printed with an AuditMark, or a visual audit trail, allowing a
voter to verify how the ballot marking device interpreted the
voter’s marked choices. All audit reports, audit trail documents,
databases, and election reports can be archived in hard copy
and/or saved electronically to CD-ROM to preserve information as
required by the Election Code.
Equipment Designed for Secure Operation
Each individual ICX ballot marking device and printer are
self-contained voting systems, independent of, and not networked
to, other devices. This allows for greater security and
flexibility at Vote Centers in the event an ICX device
malfunctions; it will not affect the other ICX devices. This
decentralized system is a significant advantage over locally
networked electronic voting devices that have a single point of
The ICX voting system has 2 hours of battery backup to protect
against power failures and voting interruption or stoppage. No
voter or ballot information is stored on any of the ICX ballot
marking devices. The ICX’s sole purpose is to produce a paper
ballot that is used to cast a voter’s vote.
Integrated Diagnostics and Internal Control
The ICX voting system uses error-checking techniques to ensure
the accuracy of reading and writing digital data. Repetitive data
integrity checks ensure that only authorized devices (printer and
ATI) are properly connected.
The ICX voting system incorporates a durable commercial
off-the-shelf tablet that has a capacitive touchscreen, which is
commonly found in today’s tablets and smartphones. Voters will
find the system intuitive and easy to use.
Voting System Transparency
Logic and Accuracy Testing
The accuracy of the ICX voting devices is tested by “Logic and
Accuracy” testing before and after each election as required by
the Election Code to make certain that the voting system is
working properly. Votes from a hand-tallied spreadsheet are
entered on the ballot marking tablets. Printed totals from the
voting system are then compared to the hand-counted results.
Additional functional tests are performed manually on each voting
device. The schedule of Logic and Accuracy testing and
functionality testing is posted in advance of each election, and
these testing sessions are open to the public.
Hash Testing/Version Control Testing
Before each election, version control testing will be conducted
to make sure that each component of the voting system is using a
certified version of the vendor’s software and firmware.
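
One way to carry out the version control check described above, as an added example (not the County's or the vendor's tooling): every installed file is hashed with SHA-256 and compared to a manifest of certified hashes. The manifest layout, the file names and the functions `verify_install` and `is_certified` are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large firmware images are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_install(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file under root with the certified manifest.

    manifest maps a relative path to its expected SHA-256 hex digest
    (hypothetical layout). Returns relative paths grouped by finding.
    """
    report = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    for rel, expected in sorted(manifest.items()):
        target = root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) == expected.lower():
            report["ok"].append(rel)
        else:
            report["mismatch"].append(rel)
    # A file that is present but absent from the manifest is also a finding:
    # a certified build contains only certified components.
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in manifest:
            report["unexpected"].append(rel)
    return report


def is_certified(report: dict[str, list[str]]) -> bool:
    """The install passes only if nothing differs, is missing, or is extra."""
    return not (report["mismatch"] or report["missing"] or report["unexpected"])


def demo() -> dict[str, list[str]]:
    """Check a constructed install tree against a constructed manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "component_a.bin").write_bytes(b"certified build 1.0")
        (root / "bin" / "component_b.drv").write_bytes(b"changed after certification")
        (root / "extra.dll").write_bytes(b"not part of the certified build")
        manifest = {
            "bin/component_a.bin": hashlib.sha256(b"certified build 1.0").hexdigest(),
            "bin/component_b.drv": hashlib.sha256(b"certified driver 1.0").hexdigest(),
            "config/ballot.def": hashlib.sha256(b"ballot definition").hexdigest(),
        }
        return verify_install(root, manifest)


if __name__ == "__main__":
    for finding, paths in demo().items():
        print(f"{finding:10} {paths}")
```

The check is only as trustworthy as the manifest, so the list of certified hashes has to come from the certifying authority through a separate channel from the installed software.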
Post-election audits are an essential step in the canvassing of
an election, as well as a requirement to certify election
results. Currently, most post-election audits in California have
been conducted using the one percent manual tally, which involves
choosing a random sampling of one percent of all precincts from
Vote Centers and one percent of batches of Vote by Mail ballots.
San Mateo County has piloted a Risk-Limiting Audit (RLA), a new
post-election audit procedure meant to even further guarantee the
accuracy of the outcome. RLAs draw a more dynamic sample of
ballots from the election and provide a greater statistical
certainty that the election results are accurate.
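
Why the sample in a risk-limiting audit is dynamic, shown with the BRAVO ballot-polling test, a published RLA method chosen here for illustration (the page does not say which method the County piloted). This is an added example, not County code; the contest shares, risk limit, seed and ballot readings are constructed, and Python's `random` module stands in for an audit's published generator.

```python
import random


def draw_ballot_positions(total_ballots, seed, count):
    """Pick ballot positions (1-based, with replacement) from a public seed.

    Anyone who knows the seed can re-derive the same positions, which is
    what lets observers check that the sample was not hand-picked.
    """
    rng = random.Random(seed)
    return [rng.randrange(total_ballots) + 1 for _ in range(count)]


def bravo(readings, reported_winner_share, risk_limit=0.05):
    """Run the BRAVO sequential test over hand-read ballots, in draw order.

    readings: iterable of "W" (vote for the reported winner), "L" (vote for
    the reported loser) or "X" (no valid vote in this contest).
    reported_winner_share: the winner's share of the W+L votes according to
    the machine count. Returns (outcome, ballots_examined).
    """
    if not 0.5 < reported_winner_share < 1:
        raise ValueError("reported winner share must be between 0.5 and 1")
    if not 0 < risk_limit < 1:
        raise ValueError("risk limit must be between 0 and 1")
    threshold = 1 / risk_limit
    ratio = 1.0  # likelihood of the reported result relative to a tie
    examined = 0
    for reading in readings:
        examined += 1
        if reading == "W":
            ratio *= reported_winner_share / 0.5
        elif reading == "L":
            ratio *= (1 - reported_winner_share) / 0.5
        elif reading != "X":
            raise ValueError(f"unknown reading: {reading!r}")
        if ratio >= threshold:
            # Enough evidence: the chance of confirming a wrong outcome
            # is at most the risk limit.
            return "confirmed", examined
    # Not enough evidence yet: draw more ballots or go to a full hand count.
    return "keep sampling", examined


# Constructed readings: 19 for the winner, 2 for the loser, 1 invalid.
SAMPLE_READINGS = list("WLWXWL" + "W" * 16)

if __name__ == "__main__":
    print(draw_ballot_positions(total_ballots=1000, seed=2019, count=5))
    print(bravo(SAMPLE_READINGS, reported_winner_share=0.60))
    print(bravo(SAMPLE_READINGS, reported_winner_share=0.52))
```

The same 22 readings confirm a contest reported at 60% but not one reported at 52%, so a closer contest is audited with a larger sample.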
Other Security Measures and Procedures
Ensuring voters have access to accurate information is a key
component of election integrity. VoteSure is the California
Secretary of State’s initiative to provide voters with official,
nonpartisan information about elections, and a portal to report
false or misleading information.
Security at the San Mateo County Elections Office
All voting equipment and databases are located at the Elections
Division building. This building has a security system with
cameras. Access to the voting equipment warehouse, voter
registration database servers, and the Vote by Mail area is
restricted to staff with card keys. The voter registration
servers are located behind locked doors with very limited access.
The card keys create audit trails. In addition, ACRE has
implemented a Disaster Recovery capability at a secured location
in the event of a disaster occurring at the Elections Division
All visitors must sign in at the front counter and are escorted
at all times by a staff member.
Established procedures such as “chain of custody” on all
equipment via logs, signature sheets and an inventory control and
tracking system utilizing bar code technology establish tight
controls of voting equipment and machines. Paper ballots and vote
tally electronic storage components cannot be handled by any
single Elections employee or Election Officer at any time.
All new staff undergo a background check through the Department
of Justice (DOJ) and Federal Bureau of Investigation (FBI).
There is rigorous staff training to mitigate risks and
cybersecurity breaches. Staff are required to complete an
information security class each year.
Two-person integrity is enforced around voted ballots.
Election staff follow an onboarding procedure for new staff and
assigning roles and security rights. When staff leave,
offboarding procedures terminate computer system and building
Elections personnel ensure an email usage policy is in place
that enforces best practices to protect sensitive data and
protect against exposure to common e-mail-based threats such as
malware and malicious links via spear phishing. Both extensive
personnel sensitization and training as well as highly effective
technical measures significantly reduce the threat posed by
email-based attacks and user vulnerabilities.
Identifying and Eliminating Malicious Misinformation
The potential for malicious attempts at misinformation and
disinformation poses a risk to the perception of voting validity
and legitimacy. San Mateo County and SMC ACRE are champions of
freedom of speech and expression; however, they are also charged
with protecting the process against malicious activity seeking to
discredit or disrupt our elections. To protect against this
threat, directed personnel are vigilant in the identification of
malicious activity across official SMC social media outlets in
Public-Facing Website Compromise
Although public-facing, official informational websites are not
tied to the voting process, the information they provide aids in
informing voters and helps to maintain confidence in the overall
integrity of the elections process. In the event of a malicious
attack against an official public-facing SMC website, substantial
procedural and technical measures are in place to identify,
mitigate, and remediate any such incident.
Security at Vote Centers
Voting devices will be delivered to the Vote Centers prior to the
beginning of the voting session. They are kept in a secure
location at each Vote Center. Each ballot-issuing device will be
stored inside a secure case and sealed with a tamper-evident
seal. The presiding Vote Center lead will be required to verify
that the correct seals are intact on the voting devices before
they may be opened and used in the election. Vote Center staff
also verify that all counts are zero before the opening of the
Other Management and Operation
Internal management and operational procedures are crucial to the
success and reliability of any voting system, including our
previous optical scan system. The following procedures will be
carried forward or instituted:
An audit of the electronic tally of the number of votes cast
will be conducted against the number of signatures on VBM ballots
in the election.
Vote Center Representatives are required to certify in
writing that the proper locks and seals were found to be intact
on the voting equipment before the polls open.
Vote Center Representatives will be required to verify the
voting system has no votes that have been pre-loaded into the
A physical inventory of all voting devices will be conducted
before and after each election to ensure custody of all voting
devices is maintained.
All procedures will be in writing. All Vote Center staff,
early voting workers, county Elections staff, and central
counting workers will undergo extensive training in both voting
equipment operation and election law/procedures.