Security Matters

Hart's Information Security Management System (ISMS) ISO 27001:2005 certification demonstrates our ongoing commitment to information security and embraces internationally-recognized best practices. Hart has been certified to an ISMS standard since April 2004 -- first BS 7799, now ISO 27001.

 What does this mean for our customers?

  1. Organizations operating certified ISMSs can save money through better control of risk management.
  2. We reduce risks and potential for loss by eliminating fraud, theft or loss of business assets.
  3. Hart secures and maintains protection of information assets, thus avoiding incidents of identity or intellectual property theft.
  4. Our processes eliminate losses, damage, disruption and downtime from external malicious attack.
  5. We reduce adverse publicity arising from the loss or leaking of information, whether internal or customer.
  6. We practice effective and good IT governance.
  7. We increase resilience to withstand unforeseen emergencies and disasters, thus ensuring business continuity in support of our products and customers.
  8. Product system security is achieved through a combination of technical capabilities and sound administrative practices.
  9. Security practices extend to services provided to our customers to address increased data privacy concerns and liability related to handling sensitive and confidential jurisdiction data.
  10. Our information security strategy is "defensible," meaning the company is taking appropriate precautions to protect itself.

Security for Voters

The Hart Voting System offers triple redundancy of stored cast ballot data, a verifiable paper audit trail, paper ballot voting in the precinct and by-mail, and a thorough system audit log.

From "Voting System Security Review, Hart InterCivic eSlate, Diebold TSx/GEMS, AutoMARK/ES&S 100, An Evaluation Prepared for The Secretary of the Commonwealth of Massachusetts"

by Michael Ian Shamos, Ph.D., J.D.
September 28, 2006

"In my opinion, the critical components of the eSlate system are safe against credible attempts at tampering by outsiders. (An outsider is someone who does not have privileges or confidential documentation.) The reason is extensive use of passwords and crypto tokens and the fact that the eSlate and JBC are not configured as general-purpose computers and do not expose network connections. Even if an outsider is able to gain access to an eSlate, JBC or MBB, he will not be able to perform useful manipulations, i.e. those that would not be detected by the system itself.

Certain kinds of insider intrusions are possible because the insider has the tools necessary to generate and modify cryptographic keys and gain access to all the applications. However, use of the VVPAT and parallel testing negates this risk. Intrusions to the eSlate can be detected in pre-election LAT since without an onboard clock eSlate is unable to determine whether a real election is in progress."

Frequently Asked Questions

1. What is the eSlate?

The eSlate unit is Hart InterCivic's direct recording electronic (DRE) voting device that allows voters to view, vote, and record electronic ballots. The lower portion of the eSlate unit includes a set of distinctly shaped control buttons and the SELECT Wheel, Hart's specialized interface for maximum accuracy and accessibility. These features enable the voter to review the ballot and cast votes independently, securely, and accurately. The eSlate is NOT a touch-screen system.

2. What is the eScan?

The eScan unit is the precinct-based, digital paper ballot scanner that is fully integrated with the other components of the Hart Voting System. After marking a paper ballot, the voter feeds it directly into the eScan unit. The ballot image is stored as a Cast Vote Record (CVR) on a Mobile Ballot Box (MBB) flash memory card that can be retrieved and tabulated by Hart's Tally application. The eScan unit's capabilities include functionality to reject overvoted, undervoted, and blank ballots, thereby providing voters with the opportunity to correct mismarked ballots before they are cast at the precinct.

3. What is the VVPAT and what is the VBO?

The Hart Voting System's voter verifiable paper audit trail (VVPAT) is what we call the "Verifiable Ballot Option" (VBO). This printer is attached to the eSlate electronic voting device, and it enables the voter to review a paper summary of the ballot choices cast on the eSlate unit. The VBO provides voters with the confidence that their ballots have an associated paper trail. The paper record can serve as an additional audit trail. Hart InterCivic's fully integrated and easy-to-use Verifiable Ballot Option is delivered through a self-contained printer that is secured in the voting booth next to the eSlate.


4. Is the Hart Voting System certified?

Yes. The Hart Voting System hardware, firmware, and software are tested by federally certified testing facilities. Additionally, each state conducts its own certification process. Currently, the federal certification process is overseen by the United States Election Assistance Commission.


5. Do the Hart voting units meet the HAVA requirements for accessibility?

Yes. Level I Braille is used to label the controls (the ENTER, PREV, NEXT, HELP, and CAST BALLOT buttons and the SELECT Wheel) on the eSlate. As is standard, the Braille is located below each uniquely shaped control. The eSlate unit provides a non-visual access method that includes touch controls and audible playback of operating instructions and ballot content information. The audio component uses a recorded human voice (not a computer-generated one).

6. How secure is the Hart Voting System?

The Hart Voting System is very secure. There have never been any security breaches of the system in or outside of the election environment, either at Hart InterCivic or at customer locations. There are many reasons for this:

  • No network connections are allowed at the polling place.
  • No programmable devices (e.g., smart cards, electronic keys) at the polling place.
  • The eSlate and Judge's Booth Controller use a real-time embedded operating system.
  • Physically separate, redundant storage in multiple locations.
  • Real-time audit logs.
  • Installation and training that incorporate physical security and procedural best practices.

Continual improvement in the areas of security, durability, quality, and accessibility of its products is a basic design and development objective for Hart InterCivic, as is responding to changing customer requirements and market demands. Security takes into account not only technology, but also people and processes. In addition to the security of the Hart Voting System itself, our customers provide many layers of security including chain-of-custody monitoring, parallel testing, logic and accuracy testing, auditing, physical security, law enforcement assistance, etc.

7. Why does Hart use the dial instead of the touch screen?

Hart's SELECT Wheel interface is more precise, more durable, and therefore more reliable than touch screen machines while remaining easy to use. Touch screen machines can be easily affected by accidental bumps or dropping, weather changes, and electronic malfunctions. The eSlate requires no calibration, is simpler to set up and operate, provides a superior voter experience, provides greater reliability, and is easier to maintain. Furthermore, there is no chance of false touches due to ballot images that are misaligned with touch sensors. In addition, the eSlate has been uniquely engineered for maximum accessibility. The eSlate enables private, independent voting for persons with disabilities. Voters with disabilities use the same SELECT Wheel navigation interface, supplemented by audio headphones or optional auxiliary input devices, that is used by voters without disabilities.

8. Does Hart InterCivic make a touch screen voting system?

No. Hart InterCivic makes what is commonly referred to as a Direct Record Electronic (DRE) voting machine that uses a rotary dial and buttons to allow the user to navigate the ballot. The touch screen design was intentionally avoided in the initial engineering of the Hart Voting System because of the cost, maintenance, and irregularities of touch screens themselves.

9. Is Hart InterCivic voting equipment manufactured in the U.S.A.?

Yes, it is. All Hart voting system manufacturing, from the ballot boxes our precinct digital scanner sits atop, to the eSlate electronic voting machine itself, is done in the U.S.A. We believe that this enhances quality assurance and confidence in our equipment, as it is used in elections across America.

10. Are Hart InterCivic voting equipment and software tested for quality before they go to the cities and counties where the equipment is used? What about after they are delivered?

Yes, all Hart equipment and software are thoroughly tested. The equipment and software go through internal quality control testing, independent lab testing, testing for federal certification, and testing for state certification. Hardware testing includes high humidity, extreme heat and cold, voltage cycling, and anything else that could logically expose defects. Our equipment undergoes an Out of Box Audit (OBA) sampling process before it leaves the manufacturing area. OBA is a random sampling technique in which a completed product, ready for shipment, is selected and then functionally tested by an independent group at the site. After successfully completing the test, the unit is repackaged and subsequently shipped. This ensures lot integrity. A Hart representative joins each of our customers after equipment is delivered to their sites, and another set of acceptance tests is performed. During this testing, all voting functionality of the equipment is tested. Finally, customers follow state and local guidelines to perform software logic and accuracy tests (L&A's or LATs) for each election conducted on the system.

11. Why are the eSlate voting devices daisy-chained together?

The daisy-chain configuration allows each Cast Vote Record (CVR) to be instantly stored in multiple physically separate locations: in the eSlate's internal memory, in the Judge's Booth Controller's (JBC's) internal memory, on the Mobile Ballot Box (MBB) flash memory card installed in the JBC, and on the voter verifiable paper audit trail if that option is included. Creating this duplication of the CVR provides maximum security for voted ballots. This configuration also allows us to use the paper Access Code to activate the voting device, rather than using a smart card or other means that might introduce a security risk. An additional advantage of the daisy-chain is that a poll worker does not need to activate each individual voting device, at the device itself, for each voter.

12. What if there is a power failure?

In the unlikely event of a power interruption or failure, the eSlate units immediately and automatically switch to battery power and your vote is fully protected. Hart InterCivic's eSlate can operate on battery power for 18 hours of continuous use. The eScan does not include an integrated battery backup, but paper ballots can be voted when power is out. The paper ballots can then be cast through the "emergency slot" in the eScan ballot box. These ballots are then scanned at the central office in most jurisdictions.

13. Can the electronic voting units be hacked into or results manipulated?

Successful "hacking" of the Hart system is extremely unlikely. The technology involved in the system prevents most threats, and the people and procedures in place in each jurisdiction provide further barriers. A "hacker" would have to have unlimited access to the equipment, collusion with jurisdiction employees, great knowledge of the voting system, a high degree of technical skill, and a willingness to commit multiple felony crimes. The voter activates the eSlate using a random four-digit Access Code - no smart cards, electronic keys, or other programmable devices are needed. Such devices can create security breaches in the system. The eScan, eSlate and JBC units used in elections are not connected to any external network, so there is no opportunity for someone to access the system remotely to alter code. The election officials in each jurisdiction control the passwords and cryptographic keys for the system. Furthermore, common practices at jurisdiction warehouses and polling places prevent tampering - security is always a combination of people, processes, and technology.

14. How do I know that my vote is private?

There is no way for the system to link your vote to you; there is no identifying information recorded with your vote. The Access Code is a random four-digit number that identifies the ballot contests on which you are eligible to vote. The Access Code is not associated with your name or any other identifying information. Therefore, it is impossible to trace your vote. Likewise, the paper ballot cast on the eScan is not associated with you.

15. After I cast my ballot, where do the results go?

Each Cast Vote Record is instantly stored in multiple physically separate locations in the eSlate setup: in the eSlate's internal memory, in the JBC's internal memory, on the Mobile Ballot Box flash memory card installed in the JBC, and on the voter verifiable paper audit trail, if this option is installed. With the eScan, the separate locations are the paper ballot itself, the eScan's internal memory, and the Mobile Ballot Box flash memory card.

16. How are the election results for my polling place retrieved from the machines?

The Mobile Ballot Box (MBB) is Hart Voting System's reusable, portable PC memory card. The MBB is used to store election information and transport that data to and from the polling places. Because the MBB uses solid-state, nonvolatile flash memory storage, no batteries or constant power supplies are required to maintain data.

Tally is the Hart Voting System's software application that reads, stores, and tabulates the Cast Vote Records (CVRs) from the MBBs and provides a flexible reporting engine. Tally supports an election tabulation process that is simple, straightforward, and, most importantly, accurate. At the close of polls on Election Day, all MBBs (including those used for Early Voting and/or absentee/by-mail voting) are returned to the central counting location. The Tally database is initialized using the finalized Ballot Origination Software System (BOSS) database that was used to create the election. This initialization creates a tabulation database in Tally that contains all election-specific information (e.g., contests, options, districts, precincts, etc.).

17. How are votes stored in the machine? In how many places?

On the eSlate, upon pressing the CAST BALLOT button on the final Ballot Summary page, each Cast Vote Record (CVR) is instantly stored in multiple physically separate locations: in the eSlate's internal memory, in the JBC's internal memory, on the Mobile Ballot Box flash memory card installed in the JBC, and on the voter verifiable paper audit trail, if this option is installed. With the eScan, the separate locations are the eScan's internal memory, the Mobile Ballot Box flash memory, and on the original marked paper ballot. The scanned paper ballots are secured in a locked ballot box connected to the eScan.

18. What if someone steals or destroys the MBB?

Only the PCs in the jurisdiction's election office contain the Hart Voting System software and only the correct election database can access and read the MBB. Hart's System for Election Records and Verification of Operations (SERVO) software application provides an election records archiving and asset management system for the Hart Voting System. SERVO is also used to recover Cast Vote Record data from Hart Voting System polling place equipment in the case of a lost or damaged MBB.

19. What is to prevent someone from fabricating an MBB and filling it with phony votes?

Security for the Hart Voting System software applications is provided by sealed equipment, tracking of equipment by serial number, and the eSlate Cryptographic Module (eCM), a physical security device. This electronic device is required for access to secure functions in the BOSS, Ballot Now, Tally, Rally, and SERVO applications. Before allowing access to the Hart Voting System applications, each eCM device requires an encrypted device ID, signing code, and a PIN or password. Only the jurisdiction's elections office staff with access to the Hart Voting System equipment and software has access to this information. Also the BOSS ballot creation software and Tally tabulation software databases track the MBBs that have been created per election, so a fabricated MBB would not be accepted.

20. Why can't I have a receipt of my voting record?

No voting machine issues a copy of an individual's voting record. Some machines or polling places issue a receipt indicating that you voted, but not your voting record. However, voters may request a receipt from the JBC indicating that they voted. This receipt does not show the voter's ballot choices. Issuing a receipt showing the voting record is illegal in most jurisdictions.

21. Can I change my vote before I cast my ballot? After I cast my ballot?

In compliance with the HAVA requirement for second chance voting, the eSlate allows the voter to review the ballot before casting the vote. The eSlate does not accept a CAST BALLOT command until the voter has viewed all contests on the ballot, as shown on the Ballot Summary. In other words, it is impossible for a voter to cast a ballot without first having the opportunity to review selections and make changes, if desired. After the voter verifies all selections and presses the CAST BALLOT button, the eSlate displays a message acknowledging the cast vote. At that instant, the ballot is recorded electronically as a Cast Vote Record (CVR) in three physically separate locations (the eSlate voting device, the JBC, and the MBB) for security. If the eSlate is outfitted with the voter verifiable paper audit trail, that printout also records the voter's choices. The voter is free to make changes to any selection until the CAST BALLOT button is pressed from the final Ballot Summary page.

Like the eSlate, the eScan allows voters to cast their ballots securely, privately, and independently. After marking a paper ballot, the voter feeds it directly into the eScan at the polling place. The voter knows immediately if the ballot is accepted, as a message is displayed on a screen, thus complying with Section 301 of the Help America Vote Act of 2002 (HAVA) by providing the voter the opportunity to change or correct the ballot before it is cast and counted.