Voting System Standards

FEC HOME > AGENDAS > 12/13/2001 AGENDA > AGENDA DOCUMENT 01-62

This document is part of Agenda Document Number 01-62 on the agenda for consideration at the December 13, 2001, meeting of the Federal Election Commission.


Volume I, Section 2
Table of Contents

2 Functional Capabilities..............................................................................

2.1 Scope.........................................................................................................

2.2 Overall System Capabilities......................................................................

2.2.1 Security...................................................................................................

2.2.2 Accuracy.................................................................................................

2.2.2.1 Common Standards............................................................................

2.2.2.2 DRE System Standards......................................................................

2.2.3 Error Recovery.......................................................................................

2.2.4 Integrity....................................................................................................

2.2.4.1 Common Standards............................................................................

2.2.4.2 DRE Systems Standards....................................................................

2.2.5 System Audit...........................................................................................

2.2.5.1 System Audit Purpose and Context....................................................

2.2.5.2 Operational Requirements..................................................................

2.2.5.2.1 Time, Sequence, and Preservation of Audit Records......................

2.2.5.2.2 Error Messages................................................................................

2.2.5.2.3 Status Messages..............................................................................

2.2.6 Election Management System................................................................

2.2.7 Accessibility............................................................................................

2.2.7.1 Common Standards............................................................................

2.2.7.2 DRE Standards.................................................................................

2.2.8 Vote Tabulating.....................................................................................

2.2.9 Ballot Counters.....................................................................................

2.2.9.1 Election Counter................................................................................

2.2.9.2 Life-Cycle Counter.............................................................................

2.2.10 Telecommunications..........................................................................

2.2.11 Data Retention....................................................................................

2.3 Pre-voting Functions................................................................................

2.3.1 Ballot Preparation.................................................................................

2.3.1.1 General Capabilities...........................................................................

2.3.1.1.1 Common Standards.......................................................................

2.3.1.1.2 Paper-Based System Standards...................................................

2.3.1.2 Ballot Formatting................................................................................

2.3.1.3 Ballot Production................................................................................

2.3.1.3.1 Common Standards.......................................................................

2.3.1.3.2 Paper-Based System Standards...................................................

2.3.2 Election Programming..........................................................................

2.3.3 Ballot and Program Installation and Control.........................................

2.3.4 Readiness Testing................................................................................

2.3.4.1 Common Standards..........................................................................

2.3.4.2 Paper-Based Systems......................................................................

2.3.5 Verification at the Polling Place............................................................

2.3.6 Verification at the Central Location.......................................................

2.3.6.1 Printed Records.................................................................................

2.4 Voting Functions......................................................................................

2.4.1 Opening the Polls.................................................................................

2.4.1.1 Opening the Polling Place (Precinct Count Systems)......................

2.4.1.2 Paper-Based System Standards......................................................

2.4.1.2.1 All Paper-Based Systems..............................................................

2.4.1.2.2 Precinct Count Paper-Based Systems..........................................

2.4.1.3 DRE System Standards....................................................................

2.4.2 Activating the Ballot (DRE Systems)....................................................

2.4.3 Casting a Ballot.....................................................................................

2.4.3.1 Common Standards..........................................................................

2.4.3.2 Paper-Based Systems Standards....................................................

2.4.3.2.1 All Paper-Based Systems..............................................................

2.4.3.2.2 Precinct Count Paper-Based Systems..........................................

2.4.3.3 DRE Systems Standards..................................................................

2.5 Post-Voting Functions.............................................................................

2.5.1 Closing the Polling Place (Precinct Count)..........................................

2.5.2 Consolidating Vote Data.......................................................................

2.5.3 Producing Reports................................................................................

2.5.3.1 Common Standards..........................................................................

2.5.3.2 Precinct Count Systems...................................................................

2.5.4 Broadcasting Results...........................................................................

2.6 Maintenance, Transportation, and Storage.............................................

 


2                                                                                       Functional Capabilities

 

2.1                     Scope

This section contains standards detailing the functional capabilities required of a voting system. This section sets out precisely what it is that a voting system is required to do. In addition, this section sets forth the minimum actions a voting system must be able to perform to be eligible for qualification.

For organizational purposes, functional capabilities are categorized by the phase of election activity in which they are required:

¨       Overall Capabilities:  These functional capabilities apply throughout the election process. They include security, accuracy, integrity, system auditability, election management system, vote tabulation, ballot counters, telecommunications, and data retention.

¨       Pre-voting Capabilities:  These functional capabilities are used to prepare the voting system for voting. They include ballot preparation, the preparation of election-specific software (including firmware), the production of ballots or ballot pages, the installation of ballots and ballot counting software (including firmware), and system and equipment tests.

¨       Voting Capabilities: These functional capabilities include all operations conducted at the polling place by voters and officials including the generation of status messages.

¨       Post-voting Capabilities: These functional capabilities apply after all votes have been cast. They include closing the polling place; obtaining reports by voting machine, polling place, and precinct; obtaining consolidated reports; and obtaining reports of audit trails.

¨       Maintenance, Transportation and Storage Capabilities: These capabilities are necessary to maintain, transport, and store voting system equipment.

 

In recognition of the diversity of voting systems, the Standards apply specific requirements to specific technologies. Some of the Standards apply only if the system incorporates certain optional functions (for example, voting systems employing telecommunications to transmit voting data). For each functional capability, common standards are specified. Where necessary, common standards are followed by standards applicable to specific technologies (i.e., paper-based or DRE) or intended use (i.e., central or precinct count).

2.2                     Overall System Capabilities

This section defines required functional capabilities that are system-wide in nature and not unique to pre-voting, voting, and post-voting operations. All voting systems shall provide the following functional capabilities:

¨       Security;

¨       Accuracy;

¨       Error recovery;

¨       Integrity;

¨       System auditability;

¨       Election management system;

¨       Accessibility:

¨       Vote tabulating;

¨       Ballot counters:

¨       Telecommunications; and

¨       Data Retention.

Technical standards for these capabilities are described in Sections 3 through 6 of the Standards.

2.2.1            Security

System security is achieved through a combination of technical capabilities and sound administrative practices. To ensure security, all systems shall:

a.       Provide security access controls that limit or detect access to critical system components to guard against loss of system integrity, availability, confidentiality, and accountability.

b.       Provide system functions that are executable only in the intended manner and order, and only under the intended conditions.

c.       Use the system's control logic to prevent a system function from executing if any preconditions to the function have not been met.

d.       Provide safeguards to protect against tampering during system repair, or interventions in system operations, in response to system failure.

e.       Provide security provisions that are compatible with the procedures and administrative tasks involved in equipment preparation, testing, and operation.

f.        If access to a system function is to be restricted or controlled, the system shall incorporate a means of implementing this capability.

g.       Provide documentation of mandatory administrative procedures for effective system security.

2.2.2            Accuracy

Memory hardware, such as semiconductor devices and magnetic storage media, must be accurate. The design of equipment in all voting systems shall provide for the highest possible levels of protection against mechanical, thermal, and electromagnetic stresses that impact system accuracy. Section 3 provides additional information on susceptibility requirements.

2.2.2.1            Common Standards

To ensure vote accuracy, all systems shall:

a.       Record the election contests, candidates, and issues exactly as defined by election officials;

b.       Record the appropriate options for casting and recording votes;

c.       Record each vote precisely as cast and be able to produce an accurate report of all votes cast;

d.       Include control logic and data processing methods incorporating parity and check-sums (or equivalent error detection and correction methods) to demonstrate that the system has been designed for accuracy; and

e.       Provide software that monitors the overall quality of data read-write and transfer quality status, checking the number and types of errors that occur in any of the relevant operations on data and how they were corrected.

2.2.2.2            DRE System Standards

As an additional means of ensuring accuracy in DRE systems, voting devices shall record and retain redundant copies of the original ballot image. A ballot image is an electronic record of all votes cast by the voter on a single ballot.

2.2.3            Error Recovery

To recover from a non-catastrophic failure of a device, or from any error or malfunction that is within the operator's ability to correct, the system shall provide the following capabilities:

a.       Restoration of the device to the operating condition existing immediately prior to the error or failure, without loss or corruption of voting data previously stored in the device;

b.       Resumption of normal operation following the correction of a failure in a memory component, or in a data processing component, including the central processing unit; and

c.       Recovery from any other external condition that causes equipment to become inoperable, provided that catastrophic electrical or mechanical damage due to external phenomena has not occurred.

2.2.4            Integrity

Integrity measures ensure the physical stability and function of the vote recording and counting processes.

2.2.4.1            Common Standards

To ensure system integrity, all systems shall:

a.       Protect against the failure of any single voting or vote counting device causing a failure of other connected devices;

b.       Protect against the interruption of electronic power;

c.       Protect against generated or induced electromagnetic radiation;

d.       Protect against ambient temperature and humidity fluctuations;

e.       Protect against the failure of any data input or storage device;

f.        Protect against any attempt at improper data entry or retrieval;

g.       Record and report the date and time of normal and abnormal events;

h.       Maintain a permanent record of audit information that cannot be bypassed or turned off;

i.         Detect and record every event, including the occurrence of an error condition that the system cannot overcome, and time-dependent or programmed events that occur without the intervention of the voter or a polling place operator; and

j.         Include built-in measurement, self-test, and diagnostic software and hardware for detecting and reporting the system's status and degree of operability.

2.2.4.2            DRE Systems Standards

In addition to the common standards, DRE systems shall:

a.       Maintain a record of each ballot cast using a process and storage location that differs from the main vote detection, interpretation, processing, and reporting path; and

b.       Provide a capability to retrieve ballot images in a form readable by humans.

2.2.5            System Audit

This section describes the context and purpose of voting system audits and sets forth specific functional requirements. Additional technical audit requirements are set forth in Section 4.

2.2.5.1            System Audit Purpose and Context

Election audit trails provide the supporting documentation for verifying the correctness of reported election results. They present a concrete, indestructible archival record of all system activity related to the vote tally, and are essential for public confidence in the accuracy of the tally, for recounts, and for evidence in the event of criminal or civil litigation.

The following audit trail requirements are based on the premise that system-generated creation and maintenance of audit records reduces the chance of error associated with manually generated audit records. Because most audit capability is automatic, the system operator has less information to track and record, and is less likely to make mistakes or omissions.

The sections that follow present operational requirements critical to acceptable performance and reconstruction of an election. Requirements for the content of audit records are described in Section 4 of the Standards.

The requirements for all system types, both precinct and central count, are described in generic language. Because the actual implementation of specific characteristics may vary from system to system, it is the responsibility of the vendor to describe each system's characteristics in sufficient detail that ITAs and system users can evaluate the adequacy of the system's audit trail. This description shall be incorporated in the System Operating Manual, which is part of the Technical Data Package (TDP).

Documentation of items such as paper ballots delivered and collected, administrative procedures for system security, and maintenance performed on voting equipment are also part of the election audit trail, but are not covered in these technical standards. Future volumes of the Standards will address these and other system operations practices. In the interim, useful guidance is provided by the Innovations in Election Administration #10, Ballot Security and Accountability, available from the FEC’s Office of Election Administration.

2.2.5.2            Operational Requirements

Audit records shall be prepared for all phases of elections operations performed using devices controlled by the jurisdiction or its contractors. These records rely upon automated audit data acquisition and machine-generated reports, with manual input of some information. These records shall address the ballot preparation and election definition phase, system readiness tests, and voting and ballot-counting operations. The software shall activate the logging and reporting of audit data as described in the following sections.

2.2.5.2.1            Time, Sequence, and Preservation of Audit Records

The timing and sequence of audit record entries is as important as the data contained in the record. All voting systems shall meet the following requirements for time, sequence and preservation of audit records:

a.       Except where noted, systems shall provide the capability to create and maintain a real-time audit record. This capability records and provides the operator or precinct official with continuous updates on machine status. This information allows effective operator identification of an error condition requiring intervention, and contributes to the reconstruction of election-related events necessary for recounts or litigation.

b.       All systems shall include a real-time clock as part of the system’s hardware. The system shall maintain an absolute record of the time and date or a record relative to some event whose time and data are known and recorded.

c.       All audit record entries shall include the time-and-date stamp.

d.       The audit record shall be active whenever the system is in an operating mode. This record shall be available at all times, though it need not be continually visible.

e.       The generation of audit record entries shall not be terminated or altered by program control, or by the intervention of any person. The physical security and integrity of the record shall be maintained at all times.

f.        Once the system has been activated for any function, the system shall preserve the contents of the audit record during any interruption of power to the system until processing and data reporting have been completed.

g.       The system shall print a copy of the audit record. A separate printer is not required for the audit record, and the record may be produced on the standard system printer if all the following conditions are met:

1)      The generation of audit trail records does not interfere with the production of output reports;

2)      The entries can be identified so as to facilitate their recognition, segregation, and retention; and

3)      The audit record entries are kept physically secure.

2.2.5.2.2            Error Messages

All voting systems shall meet the following requirements for error messages:

a.       The system shall generate, store, and report to the user all error messages as they occur;

b.       All error messages requiring intervention by an operator or precinct official shall be displayed or printed unambiguously in easily understood language text, or by means of other suitable visual indicators;

c.       When the system uses numerical error codes for trained technician maintenance or repair, the text corresponding to the code shall be self-contained, or affixed inside the unit device. This is intended to reduce inappropriate reactions to error conditions, and to allow for ready and effective problem correction;

d.       All error messages for which correction impacts vote recording or vote processing shall be written in a manner that is understandable to an election official who possesses training on system use and operation, but does not possess technical training on system servicing and repair;

e.       The message cue for all systems shall clearly state the action to be performed in the event that voter or operator response is required;

f.        System design shall ensure that erroneous responses will not lead to irreversible error; and

g.       Nested error conditions shall be corrected in a controlled sequence such that system status shall be restored to the initial state existing before the first error occurred.

2.2.5.2.3            Status Messages

The Standards provide latitude in software design so that vendors can consider various user processing and reporting needs. The jurisdiction may require some status and information messages to be displayed and reported in real-time. Messages that do not require operator intervention may be stored in memory to be recovered after ballot processing has been completed.

The system shall display and report critical status messages using unambiguous indicators or English language text. The system need not display non-critical status messages at the time of occurrence. Systems may display non­-critical status messages (i.e., those that do not require operator intervention) by means of numerical codes for subsequent interpretation and reporting as unambiguous text.

Systems shall provide a capability for the status messages to become part of the real-time audit record. The system shall provide a capability for a jurisdiction to designate critical status messages.

2.2.6            Election Management System

The Election Management System (EMS) is used to prepare ballots and programs for use in casting and counting votes, and to consolidate, report, and display election results. An EMS shall generate and maintain a database, or one or more interactive databases, that enables election officials or their designees to perform the following functions:

a.       Define political subdivision boundaries and multiple election districts as indicated in the system documentation;

b.       Identify contests, candidates, and issues;

c.       Define ballot formats and appropriate voting options;

d.       Generate ballots and election-specific programs for vote recording and vote counting equipment;

e.       Install ballots and election-specific programs;

f.        Test that ballots and programs have been properly prepared and installed;

g.       Accumulate vote totals at multiple reporting levels as indicated in the system documentation;

h.       Generate the post-voting reports required by Section 2.5; and

i.         Process and produce audit reports of the data indicated in Section 4.5.

2.2.7            Accessibility

The Standards provide requirements for voting systems to meet the accessibility needs of voters with disabilities. Efforts to meet the accessibility requirements shall not violate the privacy, secrecy, and integrity demands of the Standards.

2.2.7.1            Common Standards

To facilitate accessibility, all voting systems shall provide a device that is capable of meeting the following conditions, as illustrated in Figures 1 and 2:

a.       The position of any operable control is determined with respect to a vertical plane that is 48 inches in length, centered on the operable control, and at the maximum protrusion of the product within the 48-inch length;

b.       Where any operable control is 10 inches or less behind the reference plane, have a height that is between 15 inches and 54 inches above the floor;

c.       Where any operable control is more than 10 inches and not more than 24 inches behind the reference plane, have a height between 15 inches maximum and 46 inches above the floor; and

d.       Have operable controls that are not more than 24 inches behind the reference plane.

 

Figure 1. Verticle Plane Relative to the Operable Control

Height of Operable Control Relative to the Verticle Plane

2.2.7.2            DRE Standards

DRE systems shall provide, as part of their configuration, the capability to provide access to voters with disabilities. This capability shall:

a.       Not require, the voter to bring their own assistive technology to a polling place;

b.       Provide audio information and stimulus that:

1)      Communicates to the voter the complete content of the ballot;

2)      Provides instruction to the voter in operation of the voting device;

3)      Provides instruction so that the voter has the same vote capabilities and options as those provided by the system to individuals who are not using audio technology;

4)      Enables the voter to review the voter’s write-in input, edit that input, and confirm that the edits meet the voter’s intent;

5)      Enables the voter to request repetition of any information provided by the system;

6)      Supports the use of headphones provided by the system that may be discarded after each use;

7)      Provides the audio signal through an industry standard connector for private listening using a 1/8 inch plug to allow individual voters to supply personal headsets; and

8)      Provides a volume control with an adjustable amplification up to a maximum of 105 dB that automatically resets to the default for each voter.

c.       Provide, in conformance with FCC Part 68, a wireless coupling for assistive devices used by people who are hard of hearing when a system utilizes a telephone style handset to provide audio information;

d.     Meet the requirements of ANSI C63.19-2001 Category 4 to avoid electromagnetic interference with assistive hearing devices;

e.       For electronic image displays, permit the voter to:

1)      Adjust the contrast settings;

2)      Adjust color settings, when color is used; and

3)      Increase the screen font size to at least 18 points.

f.        For a device with touchscreen or contact-sensitive controls, provide an input method using mechanically operated controls or keys that shall:

1)      Be tactilely discernible without activating the controls or keys;

2)      Be operatable with one hand and not require tight grasping, pinching, or twisting of the wrist;

3)      Require a force less than 5 lbs (22.2 N) to operate; and

4)      Provide no key repeat function;

g.       For a system that requires a response by a voter in a specific period of time, alert the user when this time period has ended and allow the voter to indicate that more time is needed;

h.       For a system that provides sound cues as a method to alert the voter about a certain condition, such as the occurrence of an error, or a confirmation, the tone shall be accompanied by a visual cue for users who cannot hear the audio prompt; and

i.         Provide a secondary means of voter identification or authentication when the primary means of doing so uses biometric measures that require a voter to possess particular biological characteristics.

2.2.8            Vote Tabulating

The vote tabulating program software resident in each voting device, vote count server, or other devices shall include all software modules required to:

a.       Monitor system status and generate machine-level audit reports;

b.       Accommodate device control functions performed by polling place officials and maintenance personnel;

c.       Register and accumulate votes; and

d.       Accommodate variations in ballot counting logic.

There are significant variations among the election laws of the 50 states with respect to permissible ballot contents, voting options, and the associated ballot counting logic. The TDP accompanying the system shall specifically identify which of the following items can be accommodated by the system:

a.       Closed primaries;

b.       Open primaries;

c.       Partisan offices;

d.       Non-partisan offices;

e.       Write-in voting;

f.        Primary presidential delegation nominations;

g.       Ballot rotation;

h.       Straight party voting;

i.         Cross-party endorsement;

j.         Split precincts;

k.       Vote for N of M;

l.         Recall issues, with options;

m.     Overvotes;

n.       Undervotes; and

o.       Totally blank ballots.

2.2.9            Ballot Counters

All voting systems shall have an election counter and a life-cycle counter.

2.2.9.1            Election Counter

For all voting systems, each device that tabulates ballots shall provide a counter that:

a.       Can be set to zero before any ballots are submitted for tally;

b.       Records the number of ballots cast during a particular test cycle or election;

c.       Increases the count only by the input of a ballot;

d.       Prevents or disables the resetting of the counter by any person other than authorized persons at authorized points; and

e.       Is visible to designated election officials.

2.2.9.2            Life-Cycle Counter

For all voting systems, each device that tabulates ballots shall provide a counter that:

a.       Records every test and official ballot counted since the unit was built;

b.       Is incapable of being reset;

c.       Increases the count only by the input of a ballot; and

d.       Is visible at all times when the device is configured for test, maintenance, or election use.

2.2.10            Telecommunications

For all voting systems that use telecommunications for the transmission of data during pre-voting, voting or post-voting activities, capabilities shall be provided that ensure data are transmitted with no alteration or unauthorized disclosure during transmission. Section 5 of the Standards describes standards that apply to, at a minimum, the following types of data transmissions:

¨       Voter Authentication: Coded information that confirms the identity of a voter for security purposes for a system that transmit votes individually over a public network;

¨       Ballot Definition: Information that describes to a voting machine the content and appearance of the ballots to be used in an election;

¨       Vote Transmission to Central Site: For systems that transmit votes individually over a public network, the transmission of a single vote to the county (or contractor) for consolidation with other county vote data;

¨       Vote Count: Information representing the tabulation of votes at any one of several levels:  polling place, precinct, or central count; and

¨       List of Voters: A listing of the individual voters who have cast ballots in a specific election.

2.2.11            Data Retention

United States Code Title 42, Sections 1974 through 1974e, states that election administrators shall preserve for 22 months “all records and paper that came into (their) possession relating to an application, registration, payment of poll tax, or other act requisite to voting.” This retention requirement applies to systems that will be used at any time for voting of candidates for Federal offices (e.g., Member of Congress, United States Senator, and/or Presidential Elector). Therefore, all systems shall provide for maintaining the integrity of voting and audit data during an election and for a period of at least 22 months thereafter.

Because the purpose of this law is to assist the Federal government in discharging its law enforcement responsibilities in connection with civil rights and elections crimes, its scope must be interpreted in keeping with that objective. The appropriate state or local authority must preserve all records that may be relevant to the detection and prosecution of federal civil rights or election crimes for the 22-month federal retention period, if the records were generated in connection with an election that was held in whole or in part to select federal candidates. It is important to note that Section 1974 does not require that election officials generate any specific type or classification of election record. However, if a record is generated, Section 1974 comes into force and the appropriate authority must retain the records for 22 months.

For 22-month document retention, the general rule is that all printed copy records produced by the election database and ballot processing systems shall be so labeled and archived. Regardless of system type, all audit trail information spelled out in subsection 4.5 of the Standards shall be retained in its original format, whether that be real-time logs generated by the system, or manual logs maintained by election personnel. The election audit trail includes not only in-process logs of election-night (and subsequent processing of absentee or provisional ballots), but also time logs of baseline ballot definition formats, and system readiness and testing results.

In many voting systems, the source of election-specific data (and ballot formats) is a database or file. In precinct count systems, this data is used to program each machine, establish ballot layout, and generate tallying files. It is not necessary to retain this information on electronic media if there is an official, authenticatable printed copy of all final database information. However, it is recommended that the state or local jurisdiction also retain electronic records of the aggregate data for each device so that reconstruction of an election is possible without data re-entry. The same requirement and recommendation applies to vote results generated by each precinct device or system.

Specifically, the Department of Justice considers Section 1974 to include the following items relevant to automated voting systems:

a.       Copies of operating procedures, including security measures, established for system preparation, operation and data extraction;

b.       Election databases;

c.       Election programming and ballot formatting records;

d.       Records of the installation of election programs and ballots;

e.       Records of all testing of electronic vote counting systems;

f.        Test decks and test programs;

g.       Printed list of zero totals for precinct count devices (or memory registers in central count systems);

h.       All voted ballots, including absentee ballots, (Section 1974 requires the retention of the ballots themselves in those jurisdictions where a voter’s preference is manifested by marking a piece of paper or punching holes in a computer card);

i.         Records of ballot images produced by DRE voting devices;

j.         Strips or sheets mounted on DRE voting machines (ballot faces), each identified by machine number and precinct;

k.       Assembled vote recorder pages (applicable to Votomatic systems), each identified by precinct;

l.         Any record reflecting the identity of those who cast ballots, if automated;

m.     Official canvass records, if automated;

n.       All Statements of Votes;

o.       Removable data storage component (PROM, memory pack, cartridge, chip, etc.) [Either the storage component itself is saved, or save, on electronic medium, record of programming the device, and the post-election printed copy of its output plus the program used to read the component.];

p.       For DRE voting systems that duplicate vote specific data on removable data storage components at the time that the vote is recorded, either the internal back-up storage memory itself or a digital duplicate of the original internal back-up storage memory transferred onto a removable storage medium. (Such procedures must ensure that the data is admissible as evidence as a duplicate original and would include post election transfers to removable storage media that have been verified by comparison to the original storage media to a one-bit variance, and that are accompanied by hard copy documentation containing the identity of the personnel and the procedures used to perform the data transfer);

q.       Reports produced by voting devices at the opening and closing of polls;

r.        Records of service and maintenance to voting equipment at the polling place;

s.       All vote-counting software; and

t.        All audit trail records.

The above listing does not include required administrative items that are not elements of the voting system itself.

2.3                     Pre-voting Functions

This section defines capabilities required to support functions performed prior to the opening of polls. All voting systems shall provide capabilities to support:

¨       Ballot preparation;

¨       Election programming;

¨       Ballot and program installation and control;

¨       Readiness testing;

¨       Verification at the polling place; and

¨       Verification at the central counting place.

The standards also include requirements to ensure compatible interfaces with the ballot definition process and the reporting of election results.

2.3.1            Ballot Preparation

Ballot preparation is the process of using election databases to define the specific contests, questions, and related instructions to be contained in ballots and to produce all permissible ballot layouts. Ballot preparation requirements include:

¨       General capabilities for ballot preparation;

¨       Ballot formatting; and

¨       Ballot production.

2.3.1.1            General Capabilities

All systems shall provide the general capabilities for ballot preparation.

2.3.1.1.1            Common Standards

All systems shall be capable of:

a.       Enabling the automatic formatting of ballots in accordance with the requirements for offices, candidates, and measures qualified to be placed on the ballot for each political subdivision and election district;

b.       Collecting and maintaining the following data:

1)      Offices and their associated labels and instructions;

2)      Candidate names and their associated labels; and

3)      Issues or measures and their associated text;

c.       Supporting the maximum number of potentially active voting positions as indicated in the system documentation;

d.       For a primary election, generating ballots that segregate the active voting positions by party affiliation;

e.       Generating ballots that contain identifying codes or marks uniquely associated with each format; and

f.        Ensuring that vote response fields, selection buttons, or switches properly align with the specific candidate names and/or issues printed on the ballot display, ballot card or sheet, or separate ballot pages.

2.3.1.1.2            Paper-Based System Standards

In addition to the common standards, paper-based systems shall meet the following standards applicable to the technology used:

a.       Enable voters to make selections by punching a hole or by making a mark in areas designated for this purpose upon each ballot card or sheet;

b.       For punchcard systems, ensure that the vote response fields can be properly aligned with punching devices used to record votes; and

c.       For marksense systems, ensure that the timing marks align properly with the vote response fields.

2.3.1.2            Ballot Formatting

Ballot formatting is the process by which election officials or their designees use election databases and vendor system software to define the specific contests and related instructions contained on the ballot and present them in a layout permitted by state law. All systems shall provide a capability for:

a.       Creation of newly defined elections;

b.       Rapid and error-free definition of elections and their associated ballot layouts;

c.       Uniform allocation of space and fonts used for each office, candidate, and contest such that the voter perceives no active voting position to be preferred to any other;

d.       Simultaneous display of the maximum number of choices for a single contest as indicated by the vendor in the system documentation;

e.       Retention of previously defined formats for an election;

f.        Prevention of unauthorized modification of any ballot formats; and

g.       Modification by authorized persons of a previously defined ballot format for use in a subsequent election.

2.3.1.3            Ballot Production

Ballot production is the process of converting ballot formats to a media ready for use in the physical ballot production or electronic presentation.

2.3.1.3.1            Common Standards

The voting system shall provide a means of printing or otherwise generating a ballot display that can be installed in all system voting devices for which it is intended. All systems shall provide a capability to ensure:

a.       The electronic display or printed document on which the user views the ballot is capable of rendering an image of the ballot in any of the languages required by The Voting Rights Act of 1965, as amended;

b.       The electronic display or printed document on which the user views the ballot does not show any advertising or commercial logos of any kind, whether public service, commercial, or political, unless specifically provided for in State law. Electronic displays shall not provide connection to such material through hyperlink; and

c.       The ballot conforms to vendor specifications for type of paper, stock, weight, size, shape, and ink for printing if paper ballot documents or paper displays are part of the system.

2.3.1.3.2            Paper-Based System Standards

In addition to the common standards, vendor documentation for marksense systems shall include specifications for ballot materials to ensure that vote selections are read from only a single ballot at a time, without detection of marks from multiple ballots concurrently (e.g., reading of bleed-through from other ballots).

2.3.2            Election Programming

Election programming is the process by which election officials or their designees use election databases and vendor system software to logically define the voter choices associated with the contents of the ballots. All systems shall provide for the:

a.       Logical definition of the ballot, including the definition of the number of allowable choices for each office and contest;

b.       Logical definition of political and administrative subdivisions, where the list of candidates or contests varies between polling places;

c.       Exclusion of any contest on the ballot in which the user is prohibited from casting a ballot because of place of residence, or other such administrative or geographical criteria;

d.       Ability to select from a range of voting options to conform to the laws of the jurisdiction in which the system will be used; and

e.       Generation of all required master and distributed copies of the voting program, in conformance with the definition of the ballots for each voting device and polling place, and for each tabulating device.

2.3.3            Ballot and Program Installation and Control

All systems shall provide a means of installing ballots and programs on each piece of polling place or central count equipment in accordance with the ballot requirements of the election and the requirements of the jurisdiction in which the equipment will be used.

All systems shall include the following at the time of ballot and program installation:

a.       A detailed work plan or other documentation providing a schedule and steps for the software and ballot installation, which includes a table outlining the key dates, events and deliverables;

b.       A capability for automatically verifying that the software has been properly selected and installed in the equipment or in a programmable memory devices and for indicating errors; and

c.       A capability for automatically validating that software correctly matches the ballot formats that it is intended to process, for detecting errors, and for immediately notifying an election official of detected errors.

2.3.4            Readiness Testing

Election personnel conduct equipment and system readiness tests prior to the start of an election to ensure that the voting system functions properly, to confirm that system equipment has been properly integrated, and to obtain equipment status reports.

2.3.4.1            Common Standards

All systems shall provide the capabilities to:

a.       Verify that voting machines or vote recording and data processing equipment, precinct count equipment, and central count equipment are properly prepared for an election, and collect data that verifies equipment readiness;

b.       Obtain status and data reports from each set of equipment;

c.       Verify the correct installation and interface of all system equipment;

d.       Verify that hardware and software function correctly;

e.       Generate consolidated data reports at the polling place and higher jurisdictional levels; and

f.        Segregating test data from actual voting data, either procedurally or by hardware/software features.

Resident test software, external devices, and special purpose test software connected to or installed in voting devices to simulate operator and voter functions may be used for these tests provided that the following standards are met:

a.       These elements shall be capable of being tested separately, and shall be proven to be reliable verification tools prior to their use; and

b.       These elements shall be incapable of altering or introducing any residual effect on the intended operation of the voting device during any succeeding test and operational phase.

2.3.4.2            Paper-Based Systems

Paper-based systems shall:

a.       Support conversion testing that uses all potential ballot positions as active positions; and

b.       Support conversion testing of ballots with active position density for systems without pre-designated ballot positions.

2.3.5            Verification at the Polling Place

Election officials perform verification at the polling place to ensure that all voting systems and equipment function properly before and during an election. All systems shall provide a formal record of the following, in any media, upon verification of the authenticity of the command source:

a.       The election's identification data;

b.       The identification of all equipment units;

c.       The identification of the polling place;

d.       The identification of all ballot formats;

e.       The contents of each active candidate register by office and of each active measure register at all storage locations (showing that they contain only zeros);

f.        A list of all ballot fields that can be used to invoke special voting options; and

g.       Other information needed to confirm the readiness of the equipment, and to accommodate administrative reporting requirements.

To prepare voting devices to accept voted ballots, all voting systems shall provide the capability to test each device prior to opening to verify that each is operating correctly. At a minimum, the tests shall include:

a.       Confirmation that there are no hardware or software failures;

b.       Confirm that the device is ready to be activated for accepting votes.

If a precinct count system includes equipment for the consolidation of polling place data at one or more central counting places, it shall have means to verify the correct extraction of voting data from transportable memory devices, or to verify the transmission of secure data over secure communication links.

2.3.6            Verification at the Central Location

Election officials perform verification at the central location to ensure that vote counting and vote consolidation equipment and software function properly before and after an election.

2.3.6.1            Printed Records

Upon verification of the authenticity of the command source, any system used in a central count environment shall provide a printed record of the following :

a.       The election's identification data;

b.       The contents of each active candidate register by office and of each active measure register at all storage locations (showing that they contain all zeros); and

c.       Other information needed to ensure the readiness of the equipment and to accommodate administrative reporting requirements.

2.4                     Voting Functions

All systems shall support:

¨       Opening the polls; and

¨       Casting a ballot.

Additionally, all DRE systems shall support:

¨       Activating the ballot.

¨       Augmenting the election counter; and

¨       Augmenting the life-cycle counter.

2.4.1            Opening the Polls

The capabilities required for opening the polls are specific to individual voting system technologies. At a minimum, the systems shall provide the functional capabilities indicated below.

2.4.1.1            Opening the Polling Place (Precinct Count Systems)

To allow voting devices to be activated for voting, the system shall provide:

a.       An internal test or diagnostic capability to verify that all of the polling place tests specified in Section 2.3.5 have been successfully completed; and

b.       Automatic disabling any device that has not been tested until it has been tested.

2.4.1.2            Paper-Based System Standards

The standards for opening the polling place for paper-based systems consist of common standards and additional standards that apply to precinct count paper-based systems.

2.4.1.2.1            All Paper-Based Systems

To facilitate opening the polls, all paper-based systems shall include:

a.       A means of verifying that ballot punching or marking devices are properly prepared and ready to use;

b.       A voting booth or similar facility, in which the voter may punch or mark the ballot in privacy; and

c.       Secure receptacles for holding voted ballots.

2.4.1.2.2            Precinct Count Paper-Based Systems

In addition to the above requirements, all paper-based precinct count equipment shall include a means of:

a.       Activating the ballot counting device;

b.       Verifying that the device has been correctly activated and is functioning properly; and

c.       Identifying device failure and corrective action needed.

2.4.1.3            DRE System Standards

To facilitate opening the polls, all DRE systems shall include:

a.       A security seal, a password, or a data code recognition capability to prevent the inadvertent or unauthorized actuation of the poll-opening function;

b.       A means of enforcing the execution of steps in the proper sequence if more than one step is required;

c.       A means of verifying the system has been activated correctly; and

d.       A means of identifying system failure and any corrective action needed.

2.4.2            Activating the Ballot (DRE Systems)

To activate the ballot, all DRE systems shall:

a.       Enable election officials to control the content of the ballot image presented to the voter, whether presented in printed form or video display, such that only authorized content is presented;

b.       Allow each eligible voter to cast a ballot;

c.       Prevent a voter from voting on a ballot to which he or she is not entitled; and

d.       Prevent a voter from casting more than one ballot in the same election.

e.       Activate the casting of a ballot in a general election;

f.        Enable the selection of the ballot that is appropriate to the party affiliation declared by the voter in a primary election;

g.       Activate all portions of the ballot upon which the voter is entitled to vote; and

h.       Disable all portions of the ballot upon which the voter is not entitled to vote.

2.4.3            Casting a Ballot

Some required capabilities for casting a ballot are common to all systems. Others are specific to individual voting technologies or intended use. Systems must provide additional functional capabilities that enable accessibility to disabled voters as defined in Section 2.2.7 of the Standards.

2.4.3.1            Common Standards

To facilitate casting a ballot, all systems shall:

a.       Provide a capability to adjust or magnify the font size on the ballot to at least 18 points;

b.       Protect the secrecy of the vote against known risks such that the content of the voted ballot may not be viewed by any unauthorized individuals;

c.       Protect the secrecy of the vote such that the content of the voted ballot may not be associated with the voter at any time, except to support the processing of provisional ballots, or as required by individual state law;

d.       Record the selection and non-selection of individual vote choices for each contest and ballot measure;

e.       Record the voter’s selection of candidates whose names do not appear on the ballot, if applicable under State law, and record as many write-in votes as the number of candidates the voter is allowed to select;

f.        Provide the capability for the voter to cast a ballot in the event of a failure of power supply external to the voting system; and

g.       Provide the capability for the voter to cast a ballot in the event of a failure of a telecommunications connection between the polling place and any other location.

2.4.3.2            Paper-Based Systems Standards

The standards for casting a ballot for paper-based systems consist of common standards and additional standards that apply to precinct count paper-based systems.

2.4.3.2.1            All Paper-Based Systems

All paper-based systems shall:

a.       Allow the voter to easily identify the voting field that is associated with each candidate or ballot measure response;

b.       Allow the voter to punch or mark the ballot to register a vote;

c.       Allow either the voter or the appropriate election official to place the voted ballot into the ballot counting device (for precinct count systems) or into a secure receptacle (for central count systems); and

d.       Protect the secrecy of the vote throughout the process.

2.4.3.2.2            Precinct Count Paper-Based Systems

In addition to the above requirements, all paper-based precinct count systems shall:

a.       Provide feedback to the voter that identifies specific contests or ballot issues for which an overvote or underrate is detected;

b.       Allow the voter, at the voter’s choice, to vote a new ballot or submit the ballot ‘as is’ without correction; and

c.       Allow an authorized election official to turn off the capabilities defined in ‘a’ and ‘b’ above.

2.4.3.3            DRE Systems Standards

In addition to the above common requirements, DRE systems shall:

a.       Prohibit the voter from accessing or viewing any information on the display screen that has not been authorized by election officials and preprogrammed  into the voting system (i.e., no potential for display of external information or linking to other information sources);

b.       Enable the voter to easily identify the selection button or switch, or the active area of the ballot display that is associated with each candidate or ballot measure response;

c.       Allow the voter to select his or her preferences on the ballot in any legal number and combination;

d.       Indicate that a selection has been made or canceled;

e.       Indicate to the voter when no selection, or an insufficient number of selections, has been made in a contest;

f.        Prevent the voter from overvoting;

g.       Notify the voter when the selection of candidates and measures is completed;

h.       Allow the voter, before the ballot is cast, to review his or her choices and, if the voter desires, to delete or change his or her choices before the ballot is cast;

i.         Prompt the voter to confirm the voter's choices before casting his or her ballot, signifying to the voter that casting the ballot is irrevocable and directing the voter to confirm the voter’s intention to cast the ballot;

j.         Notify the voter after the vote has been stored successfully that the ballot has been cast;

k.       Notify the voter that the ballot has not been cast successfully if it is not stored successfully, including storage of the ballot image, and provide instruction to the voter as to the steps the voter should take to cast his or her should this event occur;

l.         Provide sufficient computational performance to provide responses back to each voter entry in no more than ten seconds;

m.     Ensure that the votes stored accurately represent the actual votes cast;

n.       Prevent modification of the voter’s vote after the ballot is cast;

o.       Record an image of the ballot cast in a form readable by humans (in accordance with the requirements of Section 2.2.2.2.2);

p.       Increment the proper ballot position registers or counters;

q.       Protect the secrecy of the vote throughout the voting process;

r.        Prohibit access to voted ballots until after the close of polls;

s.       Provide the ability for election officials to submit test ballots for use in verifying the end-to-end integrity of the system; and

t.        Isolate test ballots such that they are accounted for accurately in vote counts and are not reflect in official vote counts for specific candidates or measures.

2.5                     Post-Voting Functions

All systems shall provide capabilities to accumulate and report results for the jurisdiction and to generate audit trails. In addition, precinct count systems must provide a means to close the polling place including generating appropriate reports. If the system provides the capability to broadcast results, additional standards apply.

2.5.1            Closing the Polling Place (Precinct Count)

These standards for closing the polling place are specific to precinct count systems. The system shall provide the means for:

a.       Preventing the further casting of ballots once the polling place has closed;

b.       Providing an internal test that verifies that the prescribed closing procedure has been followed, and that the device status is normal;

c.       Incorporating a visible indication of system status;

d.       Producing a diagnostic test record that verifies the sequence of events, and indicates that the extraction of voting data has been activated; and

e.       Precluding the unauthorized reopening of the polls once the poll closing has been completed for that election.

2.5.2            Consolidating Vote Data

All systems shall provide a means to consolidate vote data for each of the following sources and cumulatively across all sources:

a.       From all polling places;

b.       From absentee ballots; and

c.       From other sources supported by the system as specified by the vendor, such as early voting.

2.5.3            Producing Reports

All systems shall be able to create reports summarizing the data on multiple levels.

2.5.3.1            Common Standards

All systems shall:

a.       Be able to support geographic reporting, which requires the reporting of all results for each contest at the precinct level and additional jurisdictional levels;

b.       Produce a printed report of the number of ballots counted by each tabulator;

c.       Produce a printed report for each tabulator of the results of each contest that includes the votes cast for each selection, the count of undervotes and the count of each combination of overvotes (e.g. the number of overvotes combining candidate A and candidate B, combining candidate A and candidate C, etc.) and total overvotes;

d.       Produce a consolidated printed report of the results for each contest of all votes cast (including absentee ballots) that includes the votes cast for each selection, the count of undervotes, the count of overvotes, and the count of each combination of overvotes (e.g. the number of overvotes combining candidate A and candidate B, combining candidate A and candidate C, etc.);

e.       Produce all system audit information required in Section 4.5 in the form of printed reports, or in electronic memory for printing centrally; and

f.        Prevent data from being altered or destroyed by report generation, or by the transmission of results over telecommunications lines.

2.5.3.2            Precinct Count Systems

In addition to the common reporting requirements, all precinct count voting systems shall:

a.       Prevent the printing of reports or the extraction of data prior to the official close of the polling place;

b.       Provide a means to extract information from a transportable programmable memory device or data storage medium for vote consolidation;

c.       Consolidate the data contained in each unit into a single report for the polling place when more than one voting machine or precinct tabulator is used; and

d.       Prevent data in transportable memory from being altered or destroyed by report generation, or by the transmission of results over telecommunications lines.

2.5.4            Broadcasting Results

Some voting systems offer the capability to make unofficial results available to external organizations such as the news media, political party officials, and others. Although this capability is not required, systems that make unofficial results available shall:

a.       Provide only aggregated results, and not data from individual ballots;

b.       Provide no access path from unofficial electronic reports or files to the storage devices for official data; and

c.       Clearly indicate on each report or file that the results it contains are unofficial.

2.6                     Maintenance, Transportation, and Storage

All systems shall be designed and manufactured to facilitate preventive and corrective maintenance, conforming to the hardware standards described in Section 3.

All vote casting and tally equipment designated for storage between elections shall:

a.       Function without degradation in capabilities after transit to and from the place of use, as demonstrated by meeting the performance standards described in Section 3; and

b.       Function without degradation in capabilities after storage between elections, as demonstrated by meeting the performance standards described in Section 3.