Please be sure to attend the public meeting of the Boulder County Commissioners discussing this issue on January 29th at 2 PM at the County Courthouse, 3rd floor, at 13th and Pearl Street. (Unfortunately, the date was misprinted in the Citizens for Verifiable Voting Op-Ed piece that ran in the Boulder Daily Camera on Sunday.)
Bring your questions, and bring a neighbor or two!
Incomplete draft distributed by Scott Morris at 1/21/2004 CVV meeting
Reworked and somewhat more complete draft added to the CVV Wiki 1/25/2004 for group editing and contributions.
Corrections and additions strongly encouraged!
On January 8th, 2004, Boulder County issued a press release [BCPR20040108] announcing that the Boulder County Commissioners would be holding a public hearing to discuss the recommendation of County Clerk and Recorder Linda Salas that the county purchase a new election system from Hart Intercivic.
After several citizen requests for information about the system being recommended, the county announced that the hearing would be postponed until January 29th, when more time could be allocated for the meeting [BCPR20040112], and that portions of the Hart Intercivic proposal would be placed on the County Clerk's website for public review [BCPR20040116].
Portions of the proposal were released during the evening of January 16th, and by January 21st the entire Hart Intercivic proposal [HART2003] had been released, with the exception of Section 6, which detailed pricing information. The released material can currently be found here.
The released Hart Intercivic proposal was originally submitted in June 2003 in response to the Request for Proposals released by the County Clerk's office in May 2003 for a new election system for Boulder County [BCRFP2003]. The RFP called for two systems: a DRE-based system for use in the precinct and early voting polling places during primary and general elections, and an optical-scan-based system for use in absentee and off-year mail ballot elections. In response to the RFP, the Hart Intercivic proposal presented an integrated system comprising their eSlate 3000 DRE system and their Ballot Now optical scan and ballot-on-demand system.
With the Boulder County press releases indicating that the county would not be purchasing a DRE, and the initial January 16th release of the Hart Intercivic proposal only including those sections relating to the Ballot Now parts of the system, the information released proved somewhat confusing to casually interested members of the community. The proposal, written for the purpose of marketing the system, also proved frustrating to members of the community interested in the proposed system's reliability, security, and transparency. Functional details of the Ballot Now system's components and their interaction were scattered throughout several sections, and information about the performance and reliability tests conducted on the systems was largely omitted. While this is not atypical of marketing material, the Hart Intercivic proposal has proved difficult to base an informed decision on.
For the purpose of encouraging an informed discussion about the proposed system, this document attempts to present an overview of the components that would most likely be included in the proposed system, and how they would appear to interact, based on the Hart Intercivic proposal [HART2003] and the Boulder County press releases [BCPR20040108] [BCPR20040112] [BCPR20040116]. It should be stressed that this document attempts to describe the system based only on a marketing proposal and three press releases, and therefore is quite likely to be incorrect and incomplete with regard to some of the details. I have tried to include citations for most of the details I've included, and I would greatly appreciate anyone who has the time to go through and double check my work.
We have not heard the County Clerk's proposal yet, and none of us have actually seen any technical information on the system yet. It is my hope that after hearing the County Clerk's recommendation, the County Commissioners will open this process up for further public review, and apply whatever leverage is necessary to persuade the vendor to release sufficient technical information for the community to provide informed feedback about this system.
(PLEASE NOTE: This is the opinion of a "dissenting" member of Citizens for Verifiable Voting, and most certainly does not reflect the official position of CVV regarding the County Clerk's recommendation. For the group's official position, please see our Op-Ed piece in the Sunday, January 25th edition of the Boulder Daily Camera.)
"Ballot Now" Software: The central software package of the proposed system, running on the three Ballot Now stations. The Ballot Now package deals with printing (or exporting to PDF) ballots prepared with the BOSS software package; scanning and detecting voters' markings on cast ballots; presenting ambiguous ballots to members of the Ballot Review Committee so that voters' intent can be determined; and writing Cast Vote Records onto Mobile Ballot Box PC Cards for tabulation by the TALLY software. [HART2003 p. 2-5, 3-4, 3-17 -- 3-18, 4-12 -- 4-22]
"BOSS" Software: (Ballot Origination Software System) The software used for building the election database, either imported from the Sequoia Integrity Election Management System, or entered manually, and then writing the election database (including ballot styles) onto the Mobile Ballot Box PC Cards to be used for printing physical ballots [HART2003 p. 3-3, 3-8 -- 3-9, 4-12 -- 4-13]. In configurations other than what is currently being proposed for Boulder, the election database written to the Mobile Ballot Box PC Cards is also used to configure Judge's Booth Controllers at individual precincts.
Cast Vote Records: (CVRs) The data structures created on Mobile Ballot Box PC Cards either by the Ballot Now software (for votes successfully detected from optically-scanned paper ballots), or by Judge's Booth Controllers (for votes cast on the eSlate 3000 DRE terminals). [HART2003 p. 3-3, 3-14, 3-16 -- 3-20, 4-2 -- 4-3, 4-12 -- 4-15, 4-17 -- 4-18, 4-20, 4-23, 4-26 -- 4-27, 4-45 -- 4-46, 4-48, 4-56, 4-57, 4-62, 4-66 -- 4-67, 4-71, 4-76, 4-80, 4-87, 4-106, 4-110, 4-183, 4-186, 4-188, Attachment 2 p. 192]
There is still some question about what kind of identifying information goes into the CVRs. For at least provisional ballots cast via an eSlate terminal, a Retrieval Code is included in the CVR [HART2003 p. 4-50, 4-56, 4-105 -- 4-107], and [HART2003 p. 4-15] states that any provisional ballot can be canceled up until the election is closed, but it's not clear whether these Retrieval Codes are produced for all provisional ballots, or only when cast via eSlate DRE terminals, with another mechanism for provisional ballots from the Ballot Now system. There is a unique serial number in the bar code printed on each ballot that prevents a ballot from being scanned multiple times [HART2003 p. 4-18], which could also be involved in this.
Disability Access Unit: (DAU) An add-on for eSlate DRE terminals adding support for "disabled and literacy-challenged voters" [HART2003 p. 3-3, 3-14 -- 3-16]. Boulder County does not appear to be purchasing any DAUs or eSlates in 2004, but if they purchase the proposed system, they will likely be required to purchase at least one eSlate, one Judge's Booth Controller, and one Disability Access Unit per precinct (about 250) in order to comply with the HAVA accessibility requirements that take effect in 2006.
eSlate 3000: Hart Intercivic's DRE terminal [HART2003 p. 3-3, 3-8 -- 3-16, 3-19, 3-20]. Boulder County does not appear to be purchasing any eSlates in 2004, but if they purchase the proposed system, they will likely be required to purchase at least one eSlate, one Judge's Booth Controller, and one Disability Access Unit per precinct (about 250) in order to comply with the HAVA accessibility requirements that take effect in 2006.
Help America Vote Act: (HAVA) [HAVA2002]
Integrity Election Management System: The Sequoia election management software that Boulder County currently uses [HART2003 p. 3-9, 4-13].
Judge's Booth Controller: (JBC) The terminal used by judges to manage the eSlate DREs deployed in a precinct and to write Cast Vote Records onto Mobile Ballot Box PC Cards. [HART2003 p. 3-3, 3-9 -- 3-10, 3-16 -- 3-17, 3-19, 3-20] It isn't known whether Boulder County is purchasing any eSlates in 2004, but if it does, JBCs will also be needed (see "eSlate 3000" and "Disability Access Unit").
Mobile Ballot Box: (MBB) A PC Card used to transport either ballot data files, or Cast Vote Records. [HART2003 p. 3-3, 4-13 -- 4-14, 4-17, 4-23]
Provisional Ballots: Colorado Election Law (and [HAVA2002]) allow voters who believe they are registered to vote, but are not listed in a precinct's poll book, to vote "provisionally," where their completed ballot is placed in a sealed envelope, with the outside of the envelope containing a form with the voter's registration information (name, address, etc). After the election, the County Clerk goes through the provisional ballots, verifying the voter's eligibility to vote in that county. If the voter is determined to be eligible, their envelope is opened, and their ballot added to the ballots to be counted.
The TALLY software definitely supports Retrieval Codes for qualifying/disqualifying provisional ballots cast via eSlate DREs [HART2003 p. 3-18, 4-12 -- 4-13, 4-15, 4-17, 4-18, 4-49 -- 4-50, 4-55 -- 4-56, 4-85, 4-104 -- 4-108, 4-134, 4-138, 4-184], but it's not clear whether this also applies to optically-scanned ballots. [HART2003 p. 3-18] implies that perhaps for optically-scanned ballots, Ballot Now is not aware of provisional ballots at all; instead the county is to simply use the existing procedures to determine whether a ballot should be scanned into the system, and once they're scanned there is no way to identify them.
RALLY: Software used to run satellite collection sites, allowing Cast Vote Records to be read from Mobile Ballot Box PC Cards and transmitted over a modem to the TALLY station at a central location. [HART2003 p. 3-4, 3-5] It doesn't appear that Boulder County will be purchasing equipment for any satellite collection sites.
SERVO: Software used on the maintenance laptop for maintaining eSlate terminals and Mobile Ballot Box PC Cards. [HART2003 p. 3-6, 3-17, 3-20]
TALLY: Software that reads and tallies Cast Vote Records from Mobile Ballot Box PC Cards (or via modem from machines running the RALLY software) and produces the final election results. [HART2003 p. 3-3, 4-12 -- 4-15, 4-17, 4-23]
The following diagram shows the components that would most likely be included in the Ballot Now system proposed for Boulder County, and how they would interact:
Figure 1: Components of Proposed Ballot Now System
Descriptions of the steps in Figure 1:
Ballots are created using the BOSS software on the Ballot Layout Station. Data is entered into BOSS either by importing data from the Sequoia Integrity Election Management System, or manually entering the information about precincts, election races, etc. Proofs of the created ballots can be previewed or printed on the attached printer, and, once finished, the election database is written onto Mobile Ballot Box PC Card(s). [HART2003 p. 3-3, 3-8 -- 3-9, 3-17, 4-12 -- 4-13]
The Ballot Now stations are used to generate the actual ballots to be printed from the election database contained on the Mobile Ballot Box PC Card(s). Each ballot contains a barcode that identifies the specific ballot style, precinct, and a unique serial number that allows the system to later prevent individual ballots from being scanned multiple times [HART2003 p. 4-17 -- 4-18], and allows actions by the Ballot Review Committee to be traced back to the physical ballot [HART2003 p. 4-18].
The ballots are then either printed on the attached HP 9000DN Laser Printer (if purchased), or exported to PDF to be sent to a commercial printer. Special card stock or prealigned ovals are not supposed to be needed. [HART2003 p. 2-5, 3-17, 4-13 -- 4-14, 4-17 -- 4-18, 4-23]
Printed ballots are picked up by a supply judge, and elections are conducted with voters hand-marking paper ballots, depositing cast ballots into a ballot box. For 2004 there doesn't appear to be anything that would require changes in the physical security procedures already in place for the ballot boxes or ballots, except that election judges would presumably no longer have to inspect ballots for certified write-in candidates. At the end of the election day, the ballot box is sealed and returned to the canvassing board at the County Clerk's office.
NOTE: Boulder County does not appear to be purchasing any eSlates in 2004, but if the proposed system is purchased, they will likely be required to purchase at least one eSlate, one Judge's Booth Controller, and one Disability Access Unit per precinct (about 250), or come up with another means of meeting the HAVA accessibility requirements that take effect in 2006.
3 Ballot Now stations are used to scan in and detect voter markings on cast ballots. Each Ballot Now station consists of a Kodak i830 scanner, three Dell Optiplex GX260s (one running the Ballot Now software, and two acting as image processors), and a HP 9000DN laser printer [HART2003 p. 3-5, 4-12 -- 4-14, 4-23]. Together, the 3 Ballot Now stations are supposed to be able to process 200,000 ballots in 12 hours [HART2003 p. 3-2, 3-5, 4-14]. The Kodak i830 scanners are rated at 160 pages/min [KODAK2003] [HART2003 p. 3-18, 4-19], and so appear to be up to the task.
A digital image is created for each ballot scanned in [HART2003 p. 3-18, 4-14, 4-16], and then the image processors analyze each ballot image for marks made by voters. A Cast Vote Record is created for each ballot that appears to be valid (no overvotes or undervotes), and written onto a Mobile Ballot Box PC Card.
Any ballots that appear to fall outside the allowed number of votes for an individual contest (either undervotes or overvotes) are placed in a queue to be presented to the Ballot Review Committee via a video projector in order to discern voter intent [BCPR20040108 p. 3-18, 4-18, 4-20 -- 4-21].
The ballot review process happens in parallel with the scanning of ballots, such that the scanning process is not halted while ballots are reviewed [HART2003 p. 3-17 -- 3-18, 4-19]. Decisions taken by the Ballot Review Committee on individual ballots are logged in the audit log such that decisions can be traced back to specific physical ballots [HART2003 p. 3-18, 4-14, 4-18 -- 4-19].
As ballots are scanned, the Ballot Now stations update a Scanned Ballots Report, which maintains a list detailing each batch of scanned ballots, including among other things the total ballot count, and the number of "unresolved" ballots waiting to be reviewed by the Ballot Review Committee. Once ballots are reviewed, they no longer show in the unresolved count [HART2003 p. 4-21]. Each Ballot Now station also keeps an audit log, which logs all transactions that result in changes to the database. (Note that odd wording in [HART2003 p. 4-19] answer (4) makes it unclear if all such transactions are logged, or just some.)
Besides the Scanned Ballots and Audit Trail, additional reports are maintained by the Ballot Now Stations. These are discussed further in [HART2003 p. 4-19 -- 4-21], with examples in Attachment #2 of [HART2003]. It is not yet clear which reports are placed into the permanent record of the election, but they certainly could be. [Incomplete]
Once a ballot has been automatically detected, or reviewed by the Ballot Review Committee, a Cast Vote Record is written onto a Mobile Ballot Box PC Card [HART2003 p. 3-18]. The physical ballot and the digital image of each ballot are retained, and are placed into the permanent record of the election [HART2003 p. 4-15]. [TODO: add more details about CVRs]
It is interesting to note that Hart Intercivic claims that all steps up to this point can be safely carried out for Absentee and Early Voting ballots without risk of violating the Colorado Election Code [HART2003 p. 4-15].
The TALLY station reads Cast Vote Records off of Mobile Ballot Box PC Cards, and computes the final results of each election race [HART2003 p. 3-19, 4-12, ...].
As CVRs from each MBB are read, a real-time transaction log is written to the attached line printer, and this log is placed in the permanent record of the election. [HART2003 BOGUS CITATION: find another]
[incomplete]
The Election Report (official election results?) is generated, and many other additional reports can be generated. See [HART2003 p. 4-21 and Attachment #2]. Some of these (in addition to the Final Election Report) are probably placed into the permanent record. [incomplete]
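The scan, review and CVR-writing steps described above, modelled as an added example (this is not code from Hart Intercivic or from the proposal). The field names, the sample ballots and the `cvr_keeps_serial` switch are assumptions; the switch stands for the unanswered question of whether the barcode serial number is copied into each Cast Vote Record.

```python
from dataclasses import dataclass, field


@dataclass
class ScanStationModel:
    """Toy model of one scan station. All field names are hypothetical."""
    allowed: dict                     # contest -> number of votes allowed
    cvr_keeps_serial: bool = False    # open question: does the serial reach the CVR?
    seen: set = field(default_factory=set)
    review_queue: dict = field(default_factory=dict)  # serial -> ballot
    mbb: list = field(default_factory=list)           # CVRs written to the card
    audit_log: list = field(default_factory=list)
    total: int = 0

    def scan(self, ballot):
        serial = ballot["serial"]
        if serial in self.seen:
            # Assumption: the model logs the rejection; the proposal does not say.
            self.audit_log.append({"event": "duplicate_rejected", "serial": serial})
            return "duplicate"
        self.seen.add(serial)
        self.total += 1
        # An over- or undervote in any contest routes the ballot to review.
        flagged = [c for c, n in self.allowed.items()
                   if len(ballot["marks"].get(c, [])) != n]
        if flagged:
            self.review_queue[serial] = ballot
            return "review"
        self._write_cvr(ballot, ballot["marks"])
        return "cvr"

    def resolve(self, serial, marks, reviewer):
        """Record a Ballot Review Committee decision, then write the CVR."""
        ballot = self.review_queue.pop(serial)
        self.audit_log.append({"event": "review_decision", "serial": serial,
                               "reviewer": reviewer, "marks": marks})
        self._write_cvr(ballot, marks)

    def _write_cvr(self, ballot, marks):
        cvr = {"style": ballot["style"], "precinct": ballot["precinct"],
               "marks": marks}
        if self.cvr_keeps_serial:
            cvr["serial"] = ballot["serial"]
        self.mbb.append(cvr)

    def scanned_ballots_report(self):
        return {"total": self.total, "unresolved": len(self.review_queue)}

    def linkable_cvrs(self):
        """CVRs that can be joined to a physical ballot via the serial."""
        return [c for c in self.mbb if "serial" in c]


# Constructed sample ballots (not real data).
SAMPLE = [
    {"serial": "S-0001", "style": "A", "precinct": "101", "marks": {"Mayor": ["X"]}},
    {"serial": "S-0002", "style": "A", "precinct": "101", "marks": {"Mayor": ["X", "Y"]}},
    {"serial": "S-0001", "style": "A", "precinct": "101", "marks": {"Mayor": ["X"]}},
    {"serial": "S-0003", "style": "A", "precinct": "101", "marks": {}},
]


def run_demo(cvr_keeps_serial):
    station = ScanStationModel(allowed={"Mayor": 1}, cvr_keeps_serial=cvr_keeps_serial)
    outcomes = [station.scan(b) for b in SAMPLE]
    station.resolve("S-0002", {"Mayor": ["X"]}, reviewer="committee")
    return station, outcomes


if __name__ == "__main__":
    for keep in (False, True):
        station, outcomes = run_demo(keep)
        print(outcomes, station.scanned_ballots_report(),
              "linkable CVRs:", len(station.linkable_cvrs()))
```

With the switch off, duplicate rejection and review traceability still work because the serial lives only in the station's seen-set and audit log; with it on, every CVR can be tied to a specific sheet of paper.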
What information is encoded in the barcodes printed on the physical ballots? [HART2003 p. 4-14] indicates that it identifies the precinct or ballot style, but [HART2003 p. 4-18] indicates the barcode contains some unique identifier that prevents duplicate scanning. Does this unique identifier make it into Cast Vote Records (and is it the mechanism by which provisional ballots can be cancelled all the way up until the close of the election [HART2003 p. 3-18, 4-15])?
Is it possible to deploy a single eSlate (or an eSlate with a DAU) per precinct without each precinct requiring a JBC?
ANSWER: No -- voters cast votes on the eSlate DREs, which are reported back to the JBCs, which in turn write CVRs onto the MBBs, so any precinct brought up to compliance with the 2006 HAVA accessibility requirements will probably need at least a JBC, an eSlate, and a DAU.
Does the County need a laptop running SERVO if the MBBs are only going to be used between the BOSS, Ballot Now, and TALLY stations within the Clerk's office? [HART2003 p. 3-6, 3-17, 3-20]
Can the MBBs simply be erased and new data written to them with the BOSS or Ballot Now software, or can the SERVO software be installed on one of the BOSS, Ballot Now, or TALLY stations?
How is data imported into BOSS from the Integrity Election Management System? [HART2003 p. 3-8 -- 3-9] Is this code that needs to be written custom for Boulder County (under the "system design and data migration assistance for an existing legacy system(s) interface" part of the on-site technical support [HART2003 p. 3-6]), or does Hart Intercivic already have an import filter written for Integrity?
Is there anything that would prevent the county from running the BOSS software on one of the Ballot Now or TALLY stations? (So as to eliminate the need for a separate machine whose only purpose is to import data from Integrity and create ballot data files.)
What architecture and software is run on the image processors in the Ballot Now stations? [HART2003 p. 3-5]
Can all the ballots requiring review be collected onto one of the Ballot Now stations, or do all 3 Ballot Now stations need projectors (or the ability to share a single projector)? [BCPR20040108]
How much logic is embedded in the firmware of the Kodak i830 scanners, and are these maintained / upgraded by Hart Intercivic employees, or Kodak technicians? [KODAK2003 p. 115]
Is Boulder using a commercial printer for printing ballots, or will it be purchasing the 3 HP 9000DN Laser Printers recommended in the proposal?
[BCPR20040108] states that:
The Hart Intercivic system also allows election officials to print replacement ballots on demand, as opposed to printing thousands of ballots that may not be used.
Does this mean the County will have a Ballot Now or JBC station with a printer at each of the 250+ precincts? Or will replacement ballots be printed at the County Clerk's office as needed on election day and then driven out to the precincts?
What are the plans for complying with the HAVA disability requirements for 2006? Will the county need to purchase one JBC, one eSlate, and one DAU for each precinct, or does the County have another solution in mind?
Does the County have any plans to purchase equipment for satellite collection centers? (Satellite collection centers consist of laptops running "Rally" [HART2003 p. 3-4, 3-5] which can read Cast Vote Records from MBB PC Cards and transmit them to a central site via modem.)
Purchasing this system now appears to lock the county into buying eSlate DREs from Hart Intercivic in order to comply with the 2006 HAVA disability access requirements. Is this true, or does the County Clerk have another method in mind for achieving compliance?
The answer to [HART2003 p. 4-19] item (4) does not make clear whether all changes that result in changes to the database are logged in the Audit Trail, or whether only the ones that are logged contain the specified items. Are all changes that result in changes to the database logged? If not, which ones aren't?
What all items are placed within the secure archive?
What kind of media (CDRs, a removable hard drive, etc) is used to store the ballot images in the secure archive?
Do the actual MBBs get placed into the permanent record, or are they copied onto other media?
How long do all the items in the secure archive have to be preserved? (22 months?)
What exactly does Colorado State Law say about which ballots are required (overvotes, undervotes, write-in candidates) to be reviewed by the Ballot Review Committee? [HART2003 p. 4-18, 4-19]
How is anonymity preserved when individual CVRs for provisional ballots can be rejected up until the election is closed? [HART2003 p. 3-18, 4-15]
Exactly what information is encoded in the barcodes on each printed ballot? Is it just ballot style, precinct number, and serial number, or is there additional information?
Press Release: Boulder County sets voting system public hearing.
Boulder County, 1/8/04.
http://listserv.co.boulder.co.us/scripts/wa.exe?A2=ind0401&L=bcpressrelease&T=0&F=&S=&P=186
Press Release: Voting system public hearing rescheduled.
Boulder County, 1/12/04.
http://listserv.co.boulder.co.us/scripts/wa.exe?A2=ind0401&L=bcpressrelease&T=0&F=&S=&P=312
Press Release: County vote tabulation system info available on the Web.
Boulder County, 1/16/04.
http://listserv.co.boulder.co.us/scripts/wa.exe?A2=ind0401&L=bcpressrelease&D=0&T=0&P=663
Request for Proposal: New Voting Tabulation System (RFP #4437-03).
Boulder County Purchasing, May 2003.
A copy is available at http://bcv.booyaka.com/rfp.pdf
Direct Recording Electronic (DRE) Technical Security Assessment Report.
Compuware Corporation, 11/21/2003.
http://www.sos.state.oh.us/sos/hava/files/compuware.pdf
http://www.sos.state.oh.us/sos/hava/files/compuwarePress.pdf
Released by Ohio Secretary of State 12/02/03: http://www.sos.state.oh.us/sos/news/release/12-02-03.htm
Response to Boulder County Request for Proposals (RFP #4437-03).
Hart Intercivic, June 16, 2003.
Portions Released by Boulder County Election Office, January 16, 2004.
Full Release by Boulder County Election Office, January 21, 2004.
http://www.co.boulder.co.us/clerk/HartInfo
An easier to read table of contents can be found at: http://www.coloradovoter.net/moin.cgi/HartIntercivicProposalToc
Help America Vote Act of 2002. Public Law 107-252.
http://fecweb1.fec.gov/hava/hava.htm
KGNU Interview with Al Kolwicz and Kellen Carey, 1/19/2004.
A copy is available at http://www.coloradovoter.net/moin.cgi/RadioShows
i800 Series Scanners User's Guide. Eastman Kodak Company, July 2003.
http://www.kodak.com/global/en/business/docimaging/downloads/userPublications/i800IPGuideA61510.pdf
Volume 1: Computerized Voting Systems Security Assessment: Summary of Findings and Recommendations.
InfoSENTRY Services, Inc., 11/21/03.
http://www.sos.state.oh.us/sos/hava/files/InfoSentry1.pdf
Released by Ohio Secretary of State 12/02/03: http://www.sos.state.oh.us/sos/news/release/12-02-03.htm