Election Security and Accuracy
This section is an overview of the security features of election systems and the security procedures used by San Mateo County Elections to ensure the integrity of the vote and the conduct of secure and accurate elections.
Voter Registration System
San Mateo County uses an Election Information Management System from DFM Associates, Inc. called EIMS. This system stores all the voter data and voter participation history in addition to other items. Below are some of the systems and protocols in place to protect the County’s Voter Registration System.
In June 2018, San Mateo County moved to a new All-Mailed Ballot/Vote Center election model. Vote Centers replaced polling places, requiring real-time connections to EIMS. The Elections Division ensures that the connections from Vote Centers to the County Network are secure, restricted and stable.
Each Vote Center has designated laptops that log in to a Virtual Private Network (VPN) via a username and password. The VPNs will create private, encrypted connections from the Vote Center to the County network. After the VPN connection is created, a user must log in to the County network using a unique username and password. All laptop data/drives will be fully encrypted, and each laptop will be trackable via hardware and software when connected to the internet. These features permit the County to locate and disable any lost or stolen laptops.
Once connected, three of the laptops at each Vote Center will only have access to EIMS and a fourth laptop will only be able to access the Secretary of State’s (SOS) website for online voter registration. Other websites and email will be blocked.
Vote Centers will not have access to the full EIMS application. The users will be limited in what they can access and change. Users will not be able to download the entire voter registration database.
All unused ports and connections on the laptops and other devices will be sealed and/or blocked from use. When not in use, laptops will be sealed with tamper-evident seals and stored in a secure location.
EIMS is connected to the Secretary of State voter registration database called VoteCal, via a secure point-to-point T1 connection. VoteCal links all the voter registration databases in the 58 California counties. Voter registration data is sent back and forth between VoteCal and EIMS to update voter status. The County has a security appliance between the County and the SOS that limits what the State connection can do inside the County network. This security appliance also limits who can exit through the T1 line and access the VoteCal data. Only authorized Election staff at Tower Road can access VoteCal.
The county EMS is connected to the VoteCal portal using the router and communication line that is secured by the SOS software. The portal currently connects each county to VoteCal for the exchange of VoteCal batch files by utilizing defined security roles. The EMS vendors work with each county to establish the connection between the EMS and VoteCal for checking voter status statewide.
Many safeguards are in place to protect VoteCal from unauthorized access, intrusion, manipulation, or corruption.
First, VoteCal adheres to industry standard security controls established by the National Institute of Standards and Technology (NIST 800-53r4) and the International Organization for Standardization (ISO 27001).
Second, VoteCal has utilized industry standard best practices to implement recommendations from the Department of Homeland Security (ST16-001) for “Securing Voter Registration Data.” These recommendations, which were distributed by the National Association of Secretaries of State Elections Committee, are designed to prevent malicious actors from using a variety of means to interfere with voter registration websites and databases.
Third, VoteCal’s database resides on servers located on a secure internal network. VoteCal’s data does not reside in a cloud, such as Amazon Web Services, but rather resides locally. Only specific authorized staff from specific machines can access the database. Network safeguards and server hardening/security enhancement techniques have been employed to protect the system from outside intrusion.
Fourth, the SOS conducts routine vulnerability scans and security audits to proactively identify and address security vulnerabilities. In addition, the SOS routinely applies the latest software security patches to ensure that VoteCal remains protected against emerging security threats. The SOS also deploys malware/anti-virus software on infrastructure and end-point devices.
Finally, VoteCal’s data is encrypted at rest and in transit. No access exists between the VoteCal public website servers, used for the public website, and the VoteCal database servers, where voter data resides.
Voters can verify 24 hours a day, 7 days a week that they are correctly registered via the Voter Lookup tool on the Division’s website. The Voter Lookup tool uses Hyper Text Transfer Protocol Secure (HTTPS) which means that all data sent and received is encrypted.
The data for this voter lookup is an extract from the voter registration database servers. The lookup does not have access to live data and the extract only pulls data that is necessary to run the voter lookup.
Voter data may be provided to a candidate for office, a ballot measure committee or to persons or groups for elections, scholarly, journalistic, political or governmental purposes as determined by the SOS. All other requests for voter data are denied.
Ballot Marking Devices
While no voting system is perfect and each has its advantages and disadvantages, the current certified voting systems in California are paper-based, which are secure and accurate, allowing a verifiable audit trail of the votes cast. San Mateo County is implementing a new voting system in November 2019, which has the following functionality:
- It is impossible to “overvote” (vote for more candidates than can be elected).
- Voters can immediately correct their ballot choices if they make a mistake.
- It is impossible to incorrectly mark the ballot, eliminating ambiguity regarding voter intent.
- Voters are alerted to un-voted or under-voted races on the summary screen.
- Voters must view a summary screen of all of their ballot choices before printing their ballot – giving voters an opportunity to review and change their choices, if necessary.
- Once a voter prints their ballot, the voter is given one last opportunity to review and change their ballot choices before they cast their paper ballot into a designated ballot box.
- Printed paper ballots provide an auditable record, ensuring an election is conducted accurately and securely.
It is also important to remember that voting equipment is only one component of an overall election system that includes citizen involvement, transparency, external security measures, management policies and procedures, and professional election officials. All of these people, procedures, and technologies work together to ensure reliable and trustworthy election results.
The San Mateo County Elections Office is committed to fair, accurate, and secure elections, and is going beyond state and federal requirements for voting system security. As part of the Assessor-County Clerk-Recorder & Elections (ACRE) department, the Elections Division clearly recognizes that cyber attacks are a way of life in this digital era, and that it is necessary to constantly continue hardening our cybersecurity policy and tools. To achieve these goals, ACRE works with cyber security vendors and the Secretary of State’s VoteSure program. Additionally, ACRE staff and County Information Services Department (ISD) staff continuously work with the Department of Homeland Security MS-ISAC and EI-ISAC to understand the latest security threats and how to protect against them. ACRE’s vendor who manages our website also receives EI-ISAC notifications and notifications from the Drupal open source consortium related to security issues, and uses two-factor authentication. While we recognize that security is always being scrutinized by the outside world, it only reinforces our commitment to staying as current with cybersecurity defense tools and techniques as possible.
Security within the Dominion ImageCast X (ICX) Voting System
Equipment safeguards against unauthorized access
The ICX system (Ballot Marking Tablet) includes both physical and electronic intrusion detection controls, such as numbered wire seals (commonly used in elections), and time-stamped transaction logs that record every system action related to the voting process. Data cannot be inserted or altered by unauthorized personnel because the database structure is proprietary and is protected by encrypted passwords determined by the Elections Administrator.
Equipment safeguards against external access
The ICX voting system is activated by the voter using a one-time issued voter smart card provided by an election official at a Vote Center. This eliminates the possibility of hackers or others being able to gain access to the system in order to tamper with or subvert the election. In addition, the voting devices and tabulation computers are NEVER connected to an external network (including the Internet), so there is no opportunity for someone to access the system remotely and alter computer code or election results. The only devices connected to an ICX are a certified printer and an Audio Tactile Interface (ATI). An ATI is an accessible device that allows a voter with a disability to use the ICX ballot marking device.
Clear Audit Trail
Each ICX ballot marking device prints a physical paper ballot that reflects a voter’s marked choices. Each ICX paper ballot is printed with an AuditMark, or a visual audit trail, allowing a voter to verify how the ballot marking device interpreted the voter’s marked choices. All audit reports, audit trail documents, databases, and election reports can be archived in hard copy and/or saved electronically to CD-ROM to preserve information as required by the Election Code.
Equipment Designed for Secure Operation
Each individual ICX ballot marking device and printer is a self-contained voting system, independent of, and not networked to, other devices. This allows for greater security and flexibility at Vote Centers: if an ICX device malfunctions, it will not affect the other ICX devices. This decentralized system is a significant advantage over locally networked electronic voting devices that have a single point of failure.
The ICX voting system has 2 hours of battery backup to protect against power failures and voting interruption or stoppage. No voter or ballot information is stored on any of the ICX ballot marking devices. The ICX’s sole purpose is to produce a paper ballot that is used to cast a voter’s vote.
Integrated Diagnostics and Internal Control
The ICX voting system uses error-checking techniques to ensure the accuracy of reading and writing digital data. Repetitive data integrity checks ensure that only authorized devices (printer and ATI) are properly connected.
The ICX voting system incorporates a durable and affordable commercial off-the-shelf tablet that has a capacitive touchscreen, which is commonly found in today’s tablets and smartphones. Voters will find the system intuitive and easy to use.
Voting Systems Certification and Independent Testing
Federal Certification Testing
Voting system certification standards employed in California are among the most stringent in the nation. Every voting system certified for use in California, including the Dominion voting system, must comply with the Federal Voting System Standards promulgated by the Federal Election Commission. An Independent Testing Authority (ITA) selected and approved by the National Association of State Election Directors (NASED) rigorously tests each voting system’s hardware, firmware, and software for compliance with the Federal Voting System Standards. Voting systems certified by the ITA are issued a NASED Qualified identification number to show that they meet or exceed the Federal Voting System Standards.
State Certification Testing
In addition, California Election law requires the Secretary of State to certify all voting systems used in the state. Before the California examination of a voting system, the system must be tested by a Nationally Recognized Test Laboratory (NRTL) and shall meet or exceed the minimum requirements set forth in the Performance and Test Standards for Punch Card, Mark Sense, and Direct Recording Electronic Voting Systems, or in any successor voluntary standard document developed and promulgated by the Federal Election Commission. Voting system vendors must submit each hardware, firmware, and/or software update to the ITA and the Secretary of State for testing in order to maintain their voting system’s certification.
Voting System Transparency
Logic and Accuracy Testing
The accuracy of the ICX voting devices is tested by “Logic and Accuracy” testing before and after each election as required by the Election Code to make certain that the voting system is working properly. Votes from a hand-tallied spreadsheet are entered on the ballot marking tablets. Printed totals from the voting system are then compared to the hand-counted results. Additional functional tests are performed manually on each voting device. The schedule of Logic and Accuracy testing and functional testing is posted in advance of each election, and these testing sessions are open to the public.
In addition, the ICX voting system prints a “zero report” when the machines are opened and powered-up at the Vote Center to document that there are no prior votes stored within the system.
Hash Testing/Version Control Testing
Before each election, version control testing will be conducted to make sure that each component of the voting system is using a certified version of the vendor’s software and firmware.
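As an added illustration (not County, Secretary of State or vendor code), a version control check of this kind can be expressed as a comparison of file hashes on a device against a trusted manifest. The use of SHA-256, the manifest layout, the file names and the sample install tree are all assumptions constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large firmware images are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_components(root, trusted):
    """Compare every file under root with a trusted manifest {relative_path: sha256_hex}.

    Reports three separate failure classes: files whose hash differs from the
    trusted value, trusted files that are absent, and files not listed at all.
    """
    root = Path(root)
    found = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in root.rglob("*") if p.is_file()}
    report = {"mismatch": [], "missing": [], "unexpected": []}
    for name, expected in sorted(trusted.items()):
        if name not in found:
            report["missing"].append(name)
        elif found[name] != expected.lower():
            report["mismatch"].append(name)
    report["unexpected"] = sorted(set(found) - set(trusted))
    return report


def demo():
    """Constructed sample tree: one altered file, one missing file, one unlisted file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "firmware").mkdir()
        (root / "app.bin").write_bytes(b"certified application build")
        (root / "firmware" / "printer.fw").write_bytes(b"modified firmware")
        (root / "extra.dll").write_bytes(b"not in manifest")
        trusted = {  # hypothetical manifest; real trusted hashes come from the certifying authority
            "app.bin": hashlib.sha256(b"certified application build").hexdigest(),
            "firmware/printer.fw": hashlib.sha256(b"certified firmware").hexdigest(),
            "config/ballot.def": hashlib.sha256(b"certified definition").hexdigest(),
        }
        return verify_components(root, trusted)


if __name__ == "__main__":
    print(demo())
```

Reporting unlisted files separately matters because a check that only confirms the listed files would pass a device carrying additional, uncertified software.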
Other Security Measures and Procedures
Ensuring voters have access to accurate information is a key component of election integrity. VoteSure is the California Secretary of State’s initiative to provide voters with official, nonpartisan information about elections, and a portal to report false or misleading information.
Security at the San Mateo County Elections Office
An upgrade of security features has been completed within the Elections Office including a key-card entry system to control access to areas of the office where ballot coding computers and election tabulation computers are located and the addition of security cameras throughout the building.
Established procedures such as “chain of custody” on all equipment via logs, signature sheets and an inventory control and tracking system utilizing bar code technology establish tight controls of voting equipment and machines. Paper ballots and vote tally electronic storage components cannot be handled by any one single elections employee or Election Officer at any time.
Security at Vote Centers
Voting devices will be delivered to the Vote Centers before the voting period begins. They will be kept in a secure location at each Vote Center. Each ballot issuing device will be stored inside a secure case and sealed with a numbered-wire seal. The presiding election Inspector will be required to verify that the correct seals are intact on the voting devices before they may be opened and used in the election. Vote Center staff also verify that all counts are zero before the opening of the polls.
Other Management and Operation Procedures
Internal management and operational procedures are crucial to the success and reliability of any voting system, including our previous optical scan system. The following procedures will be carried forward or instituted:
- An audit of the electronic tally of the number of votes cast will be conducted against the number of signatures on VBM ballots in the election.
- Vote Center Representatives are required to certify in writing that the proper locks and seals were found to be intact on the voting equipment before the polls open.
- Vote Center Representatives will be required to verify the voting system has no votes that have been pre-loaded into the system.
- A physical inventory of all voting devices will be conducted before and after each election to ensure custody of all voting devices is maintained.
- All procedures will be in writing. All election judges, early voting workers, county Election staff, and central counting workers will undergo extensive training in both voting equipment operation and election law/procedures.