Election Security and Accuracy
This section is an overview of the security features of election systems and the security procedures used by San Mateo County Elections that are designed to ensure the integrity of the vote and the conduct of secure and accurate elections.
Voter Registration System
San Mateo County uses an Election Information Management System from DFM Associates, Inc. called EIMS. This system stores all the voter data and voter participation history in addition to other items. Below are some of the systems and protocols in place to protect the County’s Voter Registration System.
In June 2018, San Mateo County moved to a new All-Mailed Ballot/Vote Center election model. Vote Centers replaced polling places, requiring real time connections to EIMS. The Elections Division ensures that the connections from Vote Centers to the County Network are secure, restricted and stable.
Each Vote Center has designated laptops that log in to a Virtual Private Network (VPN) with a username and password. The VPN creates a private, encrypted connection from the Vote Center to the County network. After the VPN connection is established, the user must log in to the County network with a separate unique username and password. All laptop drives are fully encrypted, and each laptop is trackable via hardware and software whenever it is connected to the internet, which permits the County to locate and disable a lost or stolen laptop.
Once connected, three of the laptops at each Vote Center will only have access to EIMS and a fourth laptop will only be able to access the Secretary of State’s (SOS) website for online voter registration. Other websites and email will be blocked.
Vote Centers will not have access to the full EIMS application. The users will be limited in what they can access and change. Users will not be able to download the entire voter registration database.
All unused ports and connections on the laptops and other devices are sealed and/or blocked from use. Laptops are sealed with tamper-evident seals and stored in a secure location when not in use.
EIMS is connected to the Secretary of State voter registration database, called VoteCal, via a secure point-to-point T1 connection. VoteCal links the voter registration databases of all 58 California counties. Voter registration data is sent back and forth between VoteCal and EIMS to update voter status. The County has a security appliance between the County and the SOS that limits what the State connection can do inside the County network. This security appliance also limits who can exit through the T1 line and access VoteCal data. Only authorized Election staff at Tower Road can access VoteCal.
The County's election management system (EMS) connects to the VoteCal portal over a router and communication line secured by SOS software. The portal connects each county to VoteCal for the exchange of VoteCal batch files, using defined security roles. The EMS vendors work with each county to establish the connection between the EMS and VoteCal for checking voter status statewide.
Many safeguards are in place to protect VoteCal from unauthorized access, intrusion, manipulation, or corruption.
First, VoteCal adheres to industry standard security controls established by the National Institute of Standards and Technology (NIST Special Publication 800-53, Revision 4) and the International Organization for Standardization (ISO 27001).
Second, VoteCal has utilized industry standard best practices to implement recommendations from the Department of Homeland Security (ST16-001) for “Securing Voter Registration Data.” These recommendations, which were distributed by the National Association of Secretaries of State Elections Committee, are designed to prevent malicious actors from using a variety of means to interfere with voter registration websites and databases.
Third, VoteCal’s database resides on servers located on a secure internal network. VoteCal’s data does not reside in a cloud, such as Amazon Web Services, but rather resides locally. Only specific authorized staff from specific machines can access the database. Network safeguards and server hardening/security enhancement techniques have been employed to protect the system from outside intrusion.
Fourth, the SOS conducts routine vulnerability scans and security audits to proactively identify and address security vulnerabilities. In addition, the SOS routinely applies the latest software security patches to ensure that VoteCal remains protected against emerging security threats. The SOS also deploys malware/anti-virus software on infrastructure and end-point devices.
Finally, VoteCal’s data is encrypted at rest and in transit. No access exists between the VoteCal public website servers, used for the public website, and the VoteCal database servers, where voter data resides.
Voters can verify 24 hours a day, 7 days a week that they are correctly registered via the Voter Lookup tool on the Division's website. The Voter Lookup tool uses Hyper Text Transfer Protocol Secure (HTTPS), which means that all data sent and received is encrypted in transit.
The data for the voter lookup is an extract from the voter registration database servers. The lookup does not have access to live data, and the extract contains only the fields necessary to run the lookup.
Voter data may be provided to a candidate for office, a ballot measure committee or to persons or groups for elections, scholarly, journalistic, political or governmental purposes as determined by the SOS. All other requests for voter data are denied.
Electronic Voting System
While no voting system is perfect and each has its advantages and disadvantages, studies show that electronic voting systems offer an accurate and secure method of voting:
- It is impossible to “overvote” (vote for more candidates than can be elected).
- Voters can immediately correct their ballot choices if they make a mistake.
- Voters must view a summary screen of all of their ballot choices before casting the ballot, giving them an opportunity to review and change their choices before the vote is cast.
- Voters are alerted to un-voted or under-voted races on the summary screen.
- It is impossible to incorrectly mark the ballot, eliminating ambiguity regarding voter intent.
- Electronic voting systems have been shown to eliminate racial and language-related errors found in paper-based voting systems (including optical scan).
- Votes are redundantly stored in multiple physical memory locations and the printed paper record to preserve election results in the event of equipment failure.
It is also important to remember that voting equipment is only one component of an overall election system that includes citizen involvement, transparency, external security measures, management policies and procedures, and professional election officials. All of these people, procedures, and technologies work together to ensure reliable and trustworthy election results.
The San Mateo County Elections Office is committed to accurate and secure elections and is going beyond state and federal requirements for electronic voting system security. The Elections Office has appointed a Chief Security Officer, is working with both a private security consulting firm and election officials to develop the “gold standard” of electronic voting system security. In addition, the Elections Office is developing procedures based on the recommendations from two prominent reports on election system security, the Brennan Center Task Force on Voting System Security report and the U.S. Government Accountability Office Report on the Security of Electronic Voting Systems.
The History of Electronic Voting
Electronic voting systems have been used in jurisdictions throughout the United States since the 1970s. Approximately 30% of the votes nationwide in the 2004 Presidential election were cast using electronic voting devices. According to the American Association of People with Disabilities, “In almost four decades, not a single case of election fraud due to tampering of a system’s hardware or software has occurred. Comparably, in the last 40 years, hundreds of cases of election fraud involving paper have occurred and been successfully prosecuted.” Electronic voting machines are very reliable and have multiple redundant features to capture and store votes accurately.
Security within the eSlate Voting System
Equipment safeguards against unauthorized access
The eSlate system includes both physical and electronic intrusion detection controls, such as numbered wire seals (commonly used in elections), and time-stamped transaction logs that record every system action related to the voting process. Data cannot be inserted or altered by unauthorized personnel because the database structure is proprietary and is protected by encrypted passwords determined by the Elections Administrator.
Equipment safeguards against external access
The eSlate voting system is activated by the voter using a randomly generated four-digit code; there are no smart cards or other programmable devices that require an external access point into the voting hardware. This eliminates the possibility of hackers or others being able to gain access to the system in order to tamper with or subvert the election. In addition, the voting devices and tabulation computers are NEVER connected to an external network (including the Internet), so there is no opportunity for someone to access the system remotely and alter computer code or election results.
Clear Audit Trail
Each component of the eSlate voting system creates an audit record every time it is accessed or information is changed. All audit records can be extracted and printed in hard copy. All audit reports, audit trail documents, databases, and election reports can be archived in hard copy and/or saved electronically to CD-ROM to preserve information as required by the Election Code.
No Reprogramming for Each Election
Unlike optical scan voting systems, the eSlate voting system is not reprogrammed with new code for each election; only the election data changes. This eliminates a major source of potential error or manipulation. In addition, the eSlate system allows Elections Office staff (rather than the vendor) to prepare and implement the data entry of party names, candidate names, propositions, precincts, districts, etc. necessary for setting up each election.
Equipment Designed for Secure Operation
The components of the eSlate voting system are networked together at the polling place, allowing the system to store all information (election coding and individual vote records) in three physically separate locations. This provides backup and redundant data storage in the event that any one of the components malfunctions. This is a significant advantage over stand-alone electronic voting devices that have a single point of failure. (As a clarification, although the devices are networked together at the polling place, the system is NOT connected to an outside network, including the Internet.)
Automatic creation of vote records in multiple memory locations throughout the course of Election Day eliminates the need to physically collect votes from each voting device upon poll closing. This eliminates a potential source of error.
The eSlate voting system has 18 hours of battery backup to protect against power failures and lost data. All information storage devices are solid-state, and thus are not susceptible to magnetic fields, abusive handling, or loss of power.
Integrated Diagnostics and Internal Control
The eSlate voting system uses error-checking techniques to ensure that digital data is read and written accurately. Repeated data integrity checks ensure that only authorized devices are communicating on the local network at the polling place, and that the data being communicated originates from a source consistent with the election database created for the current election. Each data transfer is also checked to ensure that the data received at the end of the transfer is identical to the data sent by the source.
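As an added illustration of the kind of origin and integrity check the paragraph describes (example code written for this page, not the eSlate system's own protocol, which the page does not publish): every transfer on the closed polling-place network carries the sender's device identifier, a sequence number and an HMAC-SHA256 tag under a per-election key, and the receiver rejects transfers from unpaired devices, transfers whose tag does not verify, and replays. The key, the device identifiers and the message layout are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Dict, Set, Tuple

# Constructed per-election key shared by the devices paired on the closed
# polling-place network. A real deployment would provision it into each
# device before the election; it is a fixed constant here so the example
# runs offline.
ELECTION_KEY = bytes.fromhex(
    "5f3c9a1d7e4b2f8a6c0d1e9b3a7f5c2d4e6b8a0c1f3d5e7b9a2c4e6f8a0b1c3d"
)

# Assumed identifiers for the devices paired with the Judge's Booth
# Controller for this election.
AUTHORIZED_DEVICES: Set[str] = {"JBC-0001", "ESLATE-0101", "ESLATE-0102"}


def _mac(key: bytes, device_id: str, seq: int, payload: bytes) -> str:
    """HMAC-SHA256 over sender identity, sequence number and payload, so that
    changing any one of them invalidates the tag."""
    msg = device_id.encode() + b"|" + str(seq).encode() + b"|" + payload
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def tag_transfer(key: bytes, device_id: str, seq: int, payload: bytes) -> Dict:
    """Sender side: wrap a payload with its origin, sequence number and tag."""
    return {
        "device": device_id,
        "seq": seq,
        "payload": payload.hex(),
        "mac": _mac(key, device_id, seq, payload),
    }


def verify_transfer(
    key: bytes, authorized: Set[str], last_seq: Dict[str, int], msg: Dict
) -> Tuple[bool, str]:
    """Receiver side. Accept only when the sender is a paired device, the tag
    verifies (constant-time compare) and the sequence number is strictly
    greater than the last one accepted from that device (no replays)."""
    device = str(msg.get("device", ""))
    if device not in authorized:
        return False, "unauthorized device"
    try:
        seq = int(msg["seq"])
        payload = bytes.fromhex(msg["payload"])
        mac = str(msg["mac"])
    except (KeyError, ValueError, TypeError):
        return False, "malformed transfer"
    if not hmac.compare_digest(_mac(key, device, seq, payload), mac):
        return False, "integrity check failed"
    if seq <= last_seq.get(device, -1):
        return False, "replayed or out-of-order transfer"
    last_seq[device] = seq
    return True, "accepted"


def run_demo() -> Dict[str, str]:
    """Four constructed transfers: a good one, the same one with its payload
    altered in transit, one from a device that was never paired (given the key
    here only to show the device check rejects it even with a valid tag), and
    a replay of the good one."""
    last_seq: Dict[str, int] = {}
    results: Dict[str, str] = {}
    good = tag_transfer(ELECTION_KEY, "ESLATE-0101", 1, b'{"contest":"A","choice":2}')
    results["good"] = verify_transfer(ELECTION_KEY, AUTHORIZED_DEVICES, last_seq, good)[1]
    tampered = dict(good, payload=b'{"contest":"A","choice":3}'.hex())
    results["tampered"] = verify_transfer(ELECTION_KEY, AUTHORIZED_DEVICES, last_seq, tampered)[1]
    rogue = tag_transfer(ELECTION_KEY, "ESLATE-9999", 1, b'{"contest":"A","choice":1}')
    results["rogue"] = verify_transfer(ELECTION_KEY, AUTHORIZED_DEVICES, last_seq, rogue)[1]
    results["replay"] = verify_transfer(ELECTION_KEY, AUTHORIZED_DEVICES, last_seq, good)[1]
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

The sequence number is what turns a bare integrity check into a replay check: a recorded good transfer re-sent later carries a valid tag but a stale sequence number, and the receiver's per-device high-water mark rejects it.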
The eSlate voting system incorporates a tough polycarbonate display cover that is nearly indestructible. This makes the eSlate voting device better able to withstand vandalism attempts or other potential damage due to accidents than touch screen voting devices.
eSlate voting devices meet the stringent testing requirements of MIL-STD-810 (U.S. Military Standard) for environmental ruggedness, including humidity, vibration, and drop height. These devices are tested in temperature extremes through hot-cold chamber testing, salt fog testing, and water-resistance testing.
Voting Systems Certification and Independent Testing
Federal Certification Testing
Voting system certification standards employed in California are among the most stringent in the nation. Every voting system certified for use in California, including the Hart InterCivic eSlate voting system, must comply with the Federal Voting System Standards promulgated by the Federal Election Commission. An Independent Testing Authority (ITA) selected and approved by the National Association of State Election Directors (NASED) rigorously tests each voting system’s hardware, firmware, and software for compliance with the Federal Voting System Standards. Voting systems certified by the ITA are issued a NASED Qualified identification number to show that they meet or exceed the Federal Voting System Standards.
State Certification Testing
In addition, California Election law requires the Secretary of State to certify all voting systems used in the state. Before the California examination of a voting system, the system must be tested by a Nationally Recognized Test Laboratory (NRTL) and shall meet or exceed the minimum requirements set forth in the Performance and Test Standards for Punch Card, Mark Sense, and Direct Recording Electronic Voting Systems, or in any successor voluntary standard document developed and promulgated by the Federal Election Commission. Voting systems vendors must submit each hardware, firmware, and/or software update to the ITA and the Secretary of State for testing in order to maintain their voting system’s certification.
Voting System Transparency
Logic and Accuracy Testing
The accuracy of electronic voting devices is tested by “Logic and Accuracy” testing before and after each election as required by the Election Code to make certain that the voting system is working properly. Votes from a hand-tallied spreadsheet are entered into the electronic voting devices. Printed totals from the electronic system are then compared to the hand-counted results. Additional functional tests are performed manually on each voting device. The schedule of Logic and Accuracy testing and functional testing is posted in advance of each election, and these testing sessions are open to the public.
In addition, the eSlate voting system prints a “zero report” when the machines are opened and powered-up at the polling place to document that there are no prior votes stored within the system.
Hash Testing/Version Control Testing
Before each election, version control testing will be conducted to make sure that each component of the electronic voting system is using a certified version of the vendor’s software and firmware.
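A worked version of the hash check, added here as an example rather than taken from the Elections Division's procedures or the vendor's tools: each installed component is hashed with SHA-256 and compared with a manifest of certified hashes, and anything missing, altered, or present but absent from the manifest is reported. The file names, the sample images and the manifest are constructed for the example; a real manifest is published with the certified version and kept under separate custody from the equipment being checked.

```python
import hashlib
from pathlib import Path
from typing import Dict


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory image, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """SHA-256 of a file on disk, read in chunks so large images fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


# Constructed sample images standing in for the certified firmware and
# software builds. The manifest is derived from them here only so the example
# runs offline.
CERTIFIED_IMAGES: Dict[str, bytes] = {
    "jbc_firmware.bin": b"JBC firmware build 6.2.1 (constructed sample)",
    "eslate_firmware.bin": b"eSlate firmware build 4.3.0 (constructed sample)",
    "tally_software.exe": b"Tally software build 4.3.2 (constructed sample)",
}
CERTIFIED_MANIFEST: Dict[str, str] = {
    name: sha256_hex(data) for name, data in CERTIFIED_IMAGES.items()
}


def verify_components(manifest: Dict[str, str], installed: Dict[str, str]) -> Dict[str, str]:
    """Compare installed component hashes against the certified manifest.

    Returns a status per file name: "ok", "hash mismatch" (a build other than
    the certified one), "missing" (a certified component is absent) or
    "not in manifest" (something installed that was never certified).
    """
    report: Dict[str, str] = {}
    for name, expected in manifest.items():
        actual = installed.get(name)
        if actual is None:
            report[name] = "missing"
        elif actual != expected:
            report[name] = "hash mismatch"
        else:
            report[name] = "ok"
    for name in installed:
        if name not in manifest:
            report[name] = "not in manifest"
    return report


def verify_directory(manifest: Dict[str, str], directory: Path) -> Dict[str, str]:
    """Hash every regular file in a directory and check it against the manifest."""
    installed = {p.name: sha256_file(p) for p in sorted(directory.iterdir()) if p.is_file()}
    return verify_components(manifest, installed)


def all_certified(report: Dict[str, str]) -> bool:
    """True only when every certified component is present and unaltered and
    nothing uncertified is present. An empty report proves nothing."""
    return bool(report) and all(status == "ok" for status in report.values())


def run_demo() -> Dict[str, str]:
    """Constructed scenario: one component rebuilt to an uncertified version,
    one certified component missing and one uncertified extra file present."""
    installed_images = dict(CERTIFIED_IMAGES)
    installed_images["eslate_firmware.bin"] = b"eSlate firmware build 4.3.1 (constructed sample)"
    del installed_images["tally_software.exe"]
    installed_images["debug_tool.exe"] = b"vendor debug tool (constructed sample)"
    installed = {name: sha256_hex(data) for name, data in installed_images.items()}
    return verify_components(CERTIFIED_MANIFEST, installed)


if __name__ == "__main__":
    report = run_demo()
    for name, status in sorted(report.items()):
        print(f"{name}: {status}")
    print("all certified:", all_certified(report))
```

The two-directional comparison matters: checking only that the listed files match would pass a device that also carries an extra, uncertified executable, so the check must report files that are present but not in the manifest as well as files that are missing or changed.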
Parallel Testing of Voting Equipment
The California Secretary of State’s Office requires parallel testing of the eSlates on Election Day. The parallel testing procedure includes the random selection of eSlate voting machines the morning of the election from various precincts within the county. Once selected, the eSlate units are thoroughly tested for accuracy and reliability by designated California Secretary of State election personnel. The accuracy testing runs the entire duration of the election. Election result reports are then generated from each eSlate unit once the election concludes so the accuracy of the system can be validated.
Other Security Measures and Procedures
Security at the San Mateo County Elections Office
Security upgrades have been completed within the Elections Office, including a key-card entry system that controls access to the areas where ballot coding computers and election tabulation computers are located, and the addition of security cameras throughout the building.
Established procedures such as “chain of custody” on all equipment via logs, signature sheets and an inventory control and tracking system utilizing bar codes and RFID (radio frequency identification) technology establish tight controls over voting equipment and machines. Paper ballots and electronic vote tally storage components may never be handled by a single elections employee or Election Officer alone.
Security at Vote Centers
Voting devices will be delivered to each Vote Center before Election Day. They will be kept in a secure location at the Vote Center and stored inside a locked cart or chained together to prevent unauthorized access or theft. Each voting unit will be stored inside a secure case and sealed with a numbered wire seal. The presiding election Inspector will be required to verify that the correct seals are intact on the voting devices before they may be opened and used in the election.
The presiding election Inspector will pick up the Judge’s Booth Controller component of the eSlate voting system from the Elections Department before Election Day and will maintain custody of the unit until after the polls close on Election Day. A memory card is stored in the unit in a closed compartment sealed with a numbered wire seal and is not to be accessed by the election judge or polling place staff. When the unit is returned to the central counting station after the polls close, Elections staff will verify that this seal has remained intact while in the custody of the presiding election Inspector and while in use on Election Day.
The separation of equipment prior to the opening of the polls ensures that the individual voting devices cannot be “pre-voted” (they cannot be used until activated with the precinct control device in the custody of the election judge). Conversely, the Judge’s Booth Controller cannot be used to “pre-vote” without an attached voting device (the voting devices are delivered to the Vote Center and are not accessible to the election Inspector until Election Day).
Other Management and Operation Procedures
Internal management and operational procedures are crucial to the success and reliability of any voting system, including our previous optical scan system. The following procedures will be carried forward or instituted:
- An audit of each precinct’s electronic tally of the number of votes cast will be conducted against the number of signatures in the precinct’s poll book roster.
- Polling place officials will be required to certify in writing that the proper locks and seals were found to be intact on the voting equipment before the polls open.
- Polling place officials will be required to print and keep a “zero tape” from the voting system to ensure that no votes have been pre-loaded into the system.
- A physical inventory of all voting devices will be conducted before and after each election to ensure custody of all voting devices is maintained.
- All procedures will be in writing. All election judges, early voting workers, county Election staff, and central counting workers will undergo extensive training in both voting equipment operation and election law/procedures.