Hart Intercivic

Hart Intercivic eScan & eScan AT

Make / Model: Hart Intercivic eScan
Equipment Type: Optical Scan

Overview

The Hart InterCivic eScan is ballot scanning device. It is used to support polling locations with voters who hand-mark paper ballots (typically distributed at the polling place check-in station) and then hand-feed the paper ballots into the scanner, in order to cast the ballot. Ballots can be inserted into the eScan in multiple orientations: face up, face down, header first, or footer first. The device simultaneously scans the front and back of a paper ballot, interprets voter marks, and communicates any issues that require the voter’s attention back to the voter through an LCD display. For example, if the voter has marked too many choices in a race, the display lets the voter know this and offers the option to return the ballot for correction, or to cast the ballot. The eScan can also be configured to return ballots with too few choices, or entirely blank ballots.

Because the eScan device is a scanning device only, and does not have features that support marking choices on ballots, features that may be helpful to voters with disabilities are limited; the eScan is not marketed as an “accessible voting device.” It does not have an audio-tactile controller, for example, and its audio features are limited to only making different “beeps” or “bell” sounds as ballots are scanned, or returned to the voter when marks require additional attention.

After voters insert their marked paper ballots into the eScan device, they will have a chance to review any potential mismarks that require attention. When voters cast ballots, the eScan scanner pulls the ballot through a motorized feed and deposits the ballots into an integrated ballot box. The eScan device has tabulating capabilities, and when the polls close, the eScan can print out the race results and other information on a paper tape (if configured to do so).

Overview

Hart InterCivic eScan A/T

The Hart InterCivic eScan A/T is a ballot scanning device that has been used statewide in Oklahoma since 2012. The device was custom-engineered to Oklahoma’s preferred specifications.

eScan A/T is used to support polling locations with voters who hand-mark paper ballots (typically distributed at the polling place check-in station) and then hand-feed the paper ballots into the scanner, in order to cast the ballot. Ballots can be inserted into the eScan A/T in multiple orientations: face up, face down, header first, or footer first. The device simultaneously scans the front and back of a paper ballot, interprets voter marks, and communicates any issues that require the voter’s attention back to the voter through an LCD display. For example, if the voter has marked too many choices in a race, the display lets the voter know this and offers the option to return the ballot for correction, or to cast the ballot. The eScan can also be configured to return ballots with too few choices, or entirely blank ballots.

For voters with disabilities, the eScan A/T also offers additional accessible voting features, through an Audio Tactile Interface (ATI) that is tethered to the scanning device. This “game controller” style ATI module has buttons that permit voters with visual, dexterity, or cognitive impairments to mark choices through an audio ballot session. It can also accommodate sip-n-puff or paddle switches for voters with manual dexterity impairments.

It is important to note that although eScan A/T accepts hand-marked paper ballots from most voters, the ATI accessible voting experience is audio only; it does not have a corresponding visual display, and it does not produce a paper record of the voter’s choices. Instead, at the conclusion of the ATI session, the voter’s ballot is recorded directly into the eScan’s memory, like a DRE electronic voting device. While a voter is using the ATI device, other voters may continue voting and may insert their paper ballots into the eScan A/T at any time.

After voters insert their marked paper ballots into the eScan A/T device, they will have a chance to review any potential mismarks that require attention. When voters cast ballots, the scanner pulls the ballot through a motorized feed and deposits the ballots into an integrated ballot box. The eScan A/T device has tabulating capabilities, and when the polls close, the eScan A/T can print out the race results and other information on a paper tape (if configured to do so).

Voting Process

After checking in at the polling place and receiving her ballot from a poll worker, the voter proceeds to a voting booth.

The voter should use a blue or black pen fill in the box to the left of her choice completely as shown on the left. To vote for a write-in candidate, the voter must fill in the box completely next to the words “Write-In” and write the candidate’s name on the line provided.

The voter should not mark more choices than allowed. If you make a mistake, ask an election officer for a new ballot. (The old ballot will be voided.)

When you finish marking her ballot the voter takes it to the eScan. If the eScan displays the “Ready to Scan message, the voter may her ballot into the ballot feed slot. The eScan will scan ballots inserted in any orientation and reads both sides of a double-sided ballot at the same time.

If the ballot has improperly marked contests, information screens appear for each contest that requires attention, identifying the contest name and the type of improper mark(s) detected.

An overvote occurs when too many options marked for a contest, while an undervote indicates that too few options have marked. A blank ballot notification occurs when no options are marked on the entire ballot.

To see information about the next contest not properly marked, the voter may selectNext Contest. To cast the ballot as-is, the voter may choose that option or the voter may request assistance from a pollworker.

After the ballot is cast the “Scanning Ballot” screen displays as the eScan accepts the ballot and displays a waving American flag to indicate that the ballot has been recorded.

Videos

An Instructional video on the eScan from Hart Intercivic

An eScan pollworker video from Nevada County CA

Security Concerns

Unsecured Network Interfaces

Network interfaces in the Hart system are not secured against direct attack. Poll workers can connect to JBCs or eScans over the management interfaces and perform back-office functions such as modifying the device software. The impact of this is that a malicious voter could potentially take over one or more units in a precinct and a malicious poll worker could potentially take over all the devices in a precinct. The subverted machines could then be used to produce any results of the attacker’s choice, regardless of voter input. We emphasize that these are not bugs
in the Hart software, but rather features intentionally designed into the system which can be used in a fashion for which they were never intended.

Vulnerability to Malicious Inputs

Because networked devices may be connected to other, potentially malicious devices, they must be prepared to accept robustly any input provided by such devices. The Hart software routinely fails to check the correctness of inputs from other components, and then proceeds to use those inputs in unsafe ways. The most damaging example of this is that SERVO, which is used to back up and verify the correctness of polling place devices can itself be compromised from those same devices. This implies that an attacker could subvert a single polling place device, through it subvert SERVO, and then use SERVO to reprogram every polling place device in the county. Although we have tested some individual components of this attack, we did not have time to confirm it in an end-to-end test.

No or Insecure Use of Cryptography

The standard method for securing network communication of the type in use in the Hart system is to use a cryptographic security protocol. However, we iound a notable lack of such techniques in Hart’s system. Instead, communications between devices generally happen in the clear, making attack far easier. Cryptography is used for MBBs, but the key management involves a single county-wide symmetric key that, if revealed, would allow an attacker to forge ballot information and election results. This key is stored insecurely in vulnerable polling-place devices, with the result that compromise of a single polling place device enables an attacker to forge election MBBs carrying election results for any device in the county.

Failure to Protect Ballot Secrecy

Hart’s system fails to adequately protect ballot secrecy. A poll worker or election official with access to the raw ballot records can reconstruct the order in which those votes were cast. Combined with information about the order in which voters cast their votes, this can be used to reconstruct how each voter voted.

Manufacturer Profile

Hart Intercivic

15500 Wells Port Drive
Austin, TX 78728
Phone: 512.252.6400, 800.223.HART
Fax: 512.252.6466

hartintercivic.com

Hart entered the elections industry in 1912, printing ballots for Texas counties. The company, formerly a division of Hart Graphics, Inc., was established as a subsidiary called Hart Forms & Services in 1989, which, in 1995, changed its name to Hart Information Services, Inc. During the next five years, Hart Information Services acquired three election services providers: Texas County Printing & Services, Computer Link Corporation, and Worldwide Election Systems. Worldwide was the developer of the eSlate, Hart’s direct recording electronic (DRE) voting solution. In 1999, the company spun off completely from Hart Graphics and in 2000, the company became Hart InterCivic Inc.

References