The ES&S iVotronic is a direct recording electronic voting system with a touch screen interface that records votes on internal flash memory. A poll worker uses a device called a Personal Electronic Ballot (PEB) to turn the machine on and enable voting. Voters choose their ballot language and then make their selections using a touch screen, much in the same way that modern ATMs work. When the polls close, poll workers move summary data from each machine onto the PEB. The PEBs are then transported to election headquarters or their contents transmitted via a computer network.

The iVotronic uses two distinct types of iVotronic terminals, distinguished by colored inserts along the sides: red supervisor terminals and blue voter terminals. Both types of iVotronic terminals are activated using PEBs, which are also used to store ballot definitions and election results. PEBs are typically programmed via a supervisor terminal at the start of an election, and read using either a supervisor terminal or a dedicated PEB Reader connected to the machine running the Election Reporting Manager at the end of an election. A PEB can be used in multiple iVotronics as long as they are qualified for the same election and polling place. The voter iVotronics also use Compact Flash cards to store large ballots, audio ballots, and election result audit files. A separate Communication Pack is connected to iVotronic terminals at the start and end of elections to print zero count tallies and precinct results on a separate printer with removable paper.

Checking the Voter-Verifiable Paper Trail: The iVotronic has an optional voter-verifiable paper trail (VVPAT) printer, known as the Real-Time Audit Log (RTAL). States such as Ohio, West Virginia, and North Carolina require the RTAL by law, while iVotronics in South Carolina, Texas, and Pennsylvania do not have this option. The RTAL printer is a reel-to-reel cash-register type of printer that displays a printout under transparent plastic, which is located just to the left of the touch screen. The RTAL records all of the voter’s actions, so if a voter changes their mind about a contest on the ballot, the RTAL records both the initial choice and the final choice.

While all other VVPAT schemes wait to print the paper record until the voter has completed the entire ballot, the ES&S RTAL prints each selection at the time it is made. Thus, whenever a voter touches the screen to select a candidate, the printer immediately prints that selection. The advantage is immediate feedback to the voter, if the voter happens to watch the printout. The disadvantage is that in the event the voter makes any changes, all the voter’s previous selections have been retained. In a recount or audit of the paper records, only the last vote recorded for each race should be counted. The inclusion of prior selections can make ballot verification of RTALs challenging for voters, and manual counting of RTALs even more difficult for election officials.

The RTAL also does not provide the voter with the opportunity to review all their selections on the paper record at the end of the voting process, as by that point the paper has spooled out of view. With this system it is important that the voter check the paper record throughout the voting process.

When the voter enters the polling place, a poll worker first confirms the voter is registered. The poll worker walks with the voter to an iVotronic and inserts the PEB in the PEB slot, which is a rectangular slot in the upper left corner of the machine. The PEB communicates with the iVotronic using infrared signals, much like a TV remote control works, except that the PEB and iVotronic will not communicate unless the PEB is completely inserted. If the election requires a party-specific ballot, the poll worker chooses this for the voter. Activation by the PEB enables the iVotronic to vote once.

The voter selects a ballot language and makes decisions using the touch screen. When the voter is done, the voter presses a small “vote” button at the very top of the iVotronic to cast the vote. The vote is then recorded to three internal flash memories that reside inside the machine. A fourth memory is a removable card, called a “compact flash” (CF) card, which is the same technology used in many digital cameras to store photos. During the election, the CF card holds audio files for those with visual disabilities and ballot definitions. Vote data is written to the CF card when the machine is closed.

A poll worker closes the polls by using the PEB with a password to enter a supervisor menu on each iVotronic. After closing the election for a given machine, summary vote data is transmitted to the PEB via infrared signals. After the PEB is used to close all the iVotronic machines, it contains all the summary data for the precinct. Depending on local regulations and procedures, poll workers can use a “printer kit” at this point to print the result summary from the PEB on to paper. The PEB for that precinct, any printouts, and the CF cards are then either physically transported to a central tabulation facility or its contents sent over a computer network using a laptop running ES&S’ Unity software.

A Voting Demo of the ES&S iVotronic

Burke County NC iVotronic Voting Machines

ES&S iVotronic usage in November 2022 (click map for details)

Resources

Unsafe for Any Ballot Count: A Computer Scientist’s Look at the ES&S iVotronic in Light of Reports from Ohio, California, and Florida, Duncan Buell for the South Carolina League of Women Voters (2008)
Ohio Secretary of State Evaluation and Validation of Election-Related Equipment, Standards and Testing (EVEREST) Final Report (2007)
EVEREST ES&S Executive Summary (2007)
EVEREST ES&S Technical Manager Report (2007)
EVEREST ES&S Technical Details Report (2007)
SysTest Labs Technical Report (2007)
Software Review and Security Analysis of the ES&S iVotronic 8.0.1.2 Voting Machine Firmware, SAIT Lab (2007)
Security Evaluation of ES&S Voting Machines and Election Management System, Adam Aviv et al,USENIX (2007)
Security and Reliability of Webb County’s ES&S Voting System and the March ‘06 Primary Election, Dan Wallach (2006)
Douglas W. Jones Miami-Dade Recommendations (2003)

ersonal Electronic Ballot (PEB) Slot

The PEB slot on the face of the iVotronic is particularly sensitive. The EVEREST study showed that a voter with a magnet and a properly programmed PDA (with an infrared port) could gain privileged access to the sensitive functions of the machine. If you see anyone spending a long time in an iVotronic voting booth and engaging in activity that appears to be centered around the upper-left part of the iVotronic, they might be messing with the PEB slot. Of course, they might also just be voting, so don’t cry wolf.

The VVPAT printer (RTAL printer) is connected to the iVotronic via a cable that is connected to the top of the machine. This cable, unless the jurisdiction has purchased special cables or connectors, can be disconnected by a voter and various types of mischief could be performed (from printing extra VVPAT records to messing with the internals of the iVotronic). If you observe anyone disconnecting this cable, alert the pollworkers immediately. If a pollworker is disconnecting this cable, it should only be to swap out a printer and you should be able to observe the whole process.

An attacker who gains access to a PEB for a short or extended period of time can change votes on the PEB or attack the central Election Management System when the PEB is returned to election headquarters. PEB devices should only be handled by pollworkers and pollworkers should keep a vigilant watch over their use of the PEBs throughout the day (that is, they should not be leaving them around casually and the area in which the PEBs are kept should be secure and monitored at all times).