They’re Not “Voting Machines”

Exposed Thread
Written By Amy Young

The term “voting machines” as commonly used by the public is a misnomer to describe the proprietary software and basic “Commercial off the shelf” (COTS) computers and scanners that make up a voting system. While the Legislature does define a voting machine as “any electronic device” that captures and tabulates the voters choices, let’s take a deeper dive into the components of Nevada County’s system, Hart Verity 3.1, which process and tabulate our votes.

Desktop Computers

First, a look at the “central counting” computers that process the mail-in ballots and tabulate the final results. The Secretary of State Staff Report on Verity 3.1 describes the hardware backbone of this voting system: “All scanners utilized for tabulation, as well as all computers are COTS. The proprietary polling place devices including Print, Scan, Writer, and Reader are COTS tablets, built into a proprietary case.”  Secretary of State testing reports show that these are HPZ240 desktop computer towers. The HPZ240 desktop models used for this system would date to 2018 or probably earlier, as the SOS tested and conditionally approved the Hart Verity 3.0.1 system in 2018. Nevada County purchased the Hart Verity 3.0.1 system in July 2019, and upgraded the software to the 3.1 version in January of 2020.  So, the two systems share the same hardware, and testing documents relating to the 3.0.1 system can give us insight into the hardware of the 3.1 system in use today.

These desktop computers have static TCP/IP addresses for networking via a wired ethernet connection, consistent with Hart InterCivic’s (the parent company) patent for such an electronic voting network.  Like most COTS computers, HP factory specifications show that the HPZ240 computers have Intel Active Management Technology, which is like a computer within the computer, enabling “Out-Of-Band” remote support and management of networked computer systems - even if the user is not present or the computer is off.  

Able to Connect, but Not Connected?

Testing documents for Verity 3.0.1 provide insight as to whether the HPZ240 desktop computers running Verity Central and Count contain Wi-Fi or Bluetooth components.  They explain “Central[,] and Count sites will use Ethernet for network connectivity . . . The use of non-hardwired connectivity will not be permitted and such functionality has been disabled (e.g., wireless, Bluetooth).”  So, it would be logical to conclude from this statement that there are wireless and Bluetooth components on these COTS desktop computers, but they have been disabled. Indeed, even our state law does not specify if the hardware can contain Wi-Fi or Bluetooth components. Upon close reading of Elections Code 19205, we learn that having such a capability is not expressly banned, but only the connection itself is.  Election Officials insist that these computers cannot be hacked because they are air-gapped, i.e., not connected to the Internet. The above testing document confirms that a wired Ethernet connection is both common and legal for local networking.

Proprietary Software with Secret Source Code

The HPZ240 computers run proprietary Verity 3.1 source code and software. Verity “Central” software is for adjudicating and tabulating mail-in ballot images, while the Verity “Count” software processes images resulting from ballots cast in-person. The software interprets the vote choices on the digital ballot images taken from the paper ballots and converts them into the “Cast Vote Record”. Verity Count is also the final destination for all voting and log data coming from Verity Central. It reconciles and counts the votes resulting from all the data from both mail-in and in-person ballots and generates reports of election results.  

Other Common Software

There is other software installed on these computers. The Verity 3.1 system runs on a Windows 7 operating system, unsupported as of January 2020 (more on this below), and Microsoft SQL servers for database functionality.  

What about peripheral devices and their drivers? Vote-by-mail ballots are sorted by precinct, opened and separated from the envelope (at that moment revealing the voter’s identity in connection with the otherwise anonymous ballot inside), and then fed into a scanner that is networked with the two HPZ240 desktop computers running Verity Central software. You may have guessed at this point that this scanner is another COTS product, and you are right. Nevada County’s purchase contract dated July 1, 2019, for the Hart Verity system details the type of scanner. It is a CANON DR-61130 unit, described in Exhibit B as a “Central ballot scanner with 1-year warranty”, priced at $10,000 each (two units were purchased).  Due to this COTS scanner, we could expect to find a driver in the software inventory of the two HP computers running Verity Central.

Fancy Clothes?

Let’s jump from the county’s central counting location to the satellite vote centers (no longer precinct-based). If you have voted in person, you may have asked for a new ballot, voted that ballot, and then fed it into a stand-alone kiosk with a Verity “Scan” unit. You may have noticed the purpose-built physical housing units for laptops and stands that catch paper ballots into locked containers as they are fed into the vote center scanners that you interacted with. Perhaps this surface dressing is what has led us to use the term “voting machine”. Despite their dressed-up appearance, the SOS Staff Report on Verity 3.1 provides insight as to the hardware technology of these units:  “The proprietary polling place devices including Print, Scan, Writer, and Reader, are COTS tablets, built into a proprietary case.” The Verity Scan software installed on these COTS tablets captures the image of the ballot and records the “Cast Vote Record”, which is a summary of the vote choices for that ballot. The data from these scanning units is saved onto Verity thumb drives and transferred to Verity Count for final tabulation, discussed above. 

Also at a vote center, you may have opted to use a touch-screen computer, named “Verity TouchWriter” to fill out your ballot. Like the scanning unit above, this is also a COTS tablet built into a proprietary case. This component is also configured with devices which allow individuals with disabilities accessible means to make their vote selections. This unit fits most closely with the legislature’s definition of a “voting machine”.

Certified, but is it certifiable?

On February 27, 2019, former California Secretary of State Alex Padilla released a “County Clerk/Registrar of Voters (CC/ROV) Memorandum”, number 19015, in which he gave notice to county Registrars of Voters that the voting systems that had been in use were now decertified and that they should start shopping for a new system for the upcoming 2020 elections. In the memo, he states:

“The voting systems being decertified contain obsolete hardware and software components, and employ end-of-life operating systems that are no longer supported.”

He goes on to recommend a short list of newer voting systems that had been recently conditionally approved by his office (in California, since SB 360 was passed in 2013, the Secretary of State is solely responsible for testing and conditionally approving voting systems for use in California). The list included a Dominion system version 5.2, VSAP version 1.0, and Hart Verity 3.0.1.

Padilla also provided a list of three voting systems that “are currently being reviewed and tested to CVSS [California Voting System Standards]” from Dominion, ES&S, and VSAP.

More Questions than Answers

According to the Staff Report on the Hart Verity 3.0.1 Voting System, “Hart is licensed by Microsoft to build their own versions of the Windows 7 Operating System”. Windows 7 reached its end of life on January 14, 2020. The Verity 3.0.1 voting system that Padilla recommended and Nevada County purchased had the very same problem that had prompted the decertification of the prior voting systems. Why would an obsolete operating system be a reason for decertification of a legacy voting system, while at the same time be present in a “new” voting system that the SOS recommended as a replacement?

Voting Systems Cannot Be Updated

Once conditionally approved by the SOS, voting systems cannot be updated or altered from the original “trusted build” in any way. A recent response to a public records request to the Secretary of State has confirmed that no updates to the operating system or any component of the system can be performed without triggering the need to recertify the entire system.  The SOS replied:

“Anti-virus software was installed on the Verity voting system at the time of testing and certification. If a system under consideration for certification is certified, the software and firmware become the ‘trusted build’ for the system. The California Secretary of State holds the trusted build in a secure location and distributes it securely to California counties to maintain strict chain of custody. The trusted build is not modified unless the manufacturer (Hart) applies for a modification and the modified version is approved and certified.”

Since Verity 3.1 was conditionally approved on December 27, 2019, we can conclude that the computers and their software have not been hardened against viruses or malware since before that date.  Yet, the California Voting Systems Standards (the testing and certification standards for voting systems in California) makes clear: 

“Voting systems shall deploy commercial-off-the-shelf (COTS) protection against the many forms of threats to which they may be exposed such as file and macro viruses, worms, Trojan horses, and logic bombs. Manufacturers shall develop and document the procedures to be followed to ensure that such protection is maintained in a current status.”

Protection against viruses and malware must be “maintained in a current status”. This is simply not possible when both the operating system is obsolete and no updates can otherwise be performed

3.0.1 and 3.1 – Same Hardware, Different Software Versions

As noted above, the Verity 3.1 system shares the same hardware as its 3.0.1 counterpart. The Verity 3.1 Staff Report dated November 20, 2019 also confirms that the system runs on Windows 7:

“All computer-based systems utilize the Windows Embedded Standard 7 with Service Pack 1 Operating System is a custom-built version, with all applications and services not necessary for the voting system removed, thereby reducing the attack surface. Windows 7 is scheduled for end of life at Microsoft in January of 2020.”

Nevada County Commits to Verity 3.1

In this report, Secretary of State Padilla acknowledged that Windows 7 would reach its end-of-life just two months later, but still conditionally approved the voting system for future purchase and use. Nevada County had, at that point, spent $581,266 (with reimbursements from State and Federal HAVA funding in the amount of $315,633, with a total expenditure from the County General Fund of $265,633) on the system with a three-year software licensing agreement. On June 27, 2023, Nevada County Supervisors passed a resolution to extend the licensing agreement for the Hart Verity 3.1 system for another 5 years, at the cost of $235,515.03.   

Update: On September 26, the Secretary of State certified a new Hart voting system, Verity 3.2, which runs on Windows 10 LTSC (Long Term Servicing Channel) operating system. The Verity 3.2 Staff Report mentions that the 3.2 system was tested on both HP Z4G4 and HP Z240 desktop computers, and that "[a]ll computers run the Windows 10 LTSC operating system". This testing information indicates that the Verity 3.2 software and its Windows 10 LTSC operating system is certified to run on an HPZ240 desktop computer, so we can expect that an upgrade may be in the works for Nevada County's voting system.  There is no mention in the Nevada County Board of Supervisors Staff Letter regarding renewal of the Verity agreement for the next five years whether the County's Verity 3.1 voting system will be updated with the Windows 10. 

When we discuss how our ballots are scanned and our votes are tallied, it is more accurate to call “Voting Machines” commercially-available desktop and laptop computers running proprietary software. The question becomes: is a standard 5-year-old laptop or desktop computer with no current virus protection and running an unsupported operating system vulnerable to hacking? If you ask that question, you join the ranks of Democrats including Kamala Harris and Amy Klobuchar who posed the same question in years past. As sentiment grows in favor of hand counting done at the precinct level – despite the Legislature’s recent ban on hand counting with AB 969 – it is crucial to correctly identify and name what we would like to peacefully change.

How to Research Your County’s Voting System

If you are in another California county, you can find the type of voting system your county uses, and research the certification documents. You can also access the purchase contract for your county via your Board of Supervisors meetings documentation online. 

This article was updated by the author on October 11, 2023 to incorporated updated information from the Secretary of State from September 2023.

Amy Young

Amy Young is an imperfect follower of Christ who can read.

Previous

What, another vaccine? You have to be kidding?
Next

Why is Sierra College's Osher Lifelong Learning Institute (OLLI) Becoming Politicized?