Elections Division
P.O. Box 12060
Austin, Texas 78711-2060
www.sos.state.tx.us

Roger Williams
Secretary of State
Phone: 512-463-5650
Fax: 512-475-2811
Dial 7-1-1 For Relay Services
(800) 252-VOTE (8683)

November 10, 2005

The Honorable Jannett Pieper
Kerr County Clerk
700 Main St., Suite 122
Kerrville, Texas 78028

Dear Ms. Pieper:

We are in receipt of a copy of the proposed contract between Kerr County and Hart InterCivic, Inc. ("Hart"), which you have submitted to the Secretary of State pursuant to Section 123.035 of the Texas Election Code. Tex. Elec. Code Ann. § 123.035 (Vernon Supp. 2005). The contract indicates the county plans to acquire components of Hart's Voting System 5.0. The components being acquired include JBC version 3.1.3, Tally version 4.1.4, eCM version 1.0.7, Servo version 4.0.13, eScan version 1.0.10, and multiple eSlates with version 3.1.3. Some of the eSlates include the Disabled Access Unit (DAU) upgrade.

This letter will serve as confirmation from our office that these systems are currently certified for use in Texas. Enclosed is a copy of the certification for Hart's Voting System 5.0. We therefore officially approve the submitted contract for the purchase of these systems.

If you need additional information, please contact the Elections Division toll-free at 1-800-252-2216.

Sincerely,

Ann McGeehan
Director of Elections

Enclosure: System 5.0 Certification


REPORT OF REVIEW OF HART INTERCIVIC'S VOTING SYSTEM 5.0

PRELIMINARY STATEMENT

On May 25, 2005, Hart InterCivic (the "Vendor") presented Voting System 5.0 for examination and certification. The examination was conducted in Austin, Texas.

Pursuant to Sections 122.035(a) and (b) of the Texas Election Code, the Secretary of State appointed the following examiners:

1. Mr. Nick Osborn, an expert in software systems;
2. Mr. Tom Watson, an expert in electronic data communication systems;
3. Mr. Barney Knight, an expert in election law and procedure; and
4. Mr. Glenn Glover, an expert in electronic data communication systems.

Pursuant to Section 122.035(a), the Texas Attorney General appointed Dr. Jim Sneeringer, an expert in electronic data communication systems.

The Vendor first demonstrated the system; the examiners then examined its accuracy and security features. Examiner reports on the system are attached hereto and incorporated herein by this reference.

BRIEF DESCRIPTION OF HART INTERCIVIC VOTING SYSTEM 5.0

Hart InterCivic's Voting System 5.0 supports both paper ballots and electronic voting. The system's applications execute on a standard PC configured with a Windows 2000 Professional operating system. Below is a list of all certified components of the system:

Component    Version   Description
BOSS         4.1.9     Ballot Origination Software System, used to define the election.
Ballot Now   3.1.10    Paper ballot management system.
Rally        2.1.4     Application used to send election results from satellite locations.
Tally        4.1.4     Application used to tabulate election results.
eCM          1.0.7     Electronic Crypto Module Manager.
Servo        4.0.13    Election-records and recount-management system.
JBC          3.1.3     Judges Booth Controller. The controller unit for up to 12 eSlate/DAU units; the controller unit is used to generate access codes for the voter.
eSlate       3.1.3     Direct recording electronic (DRE) voting system.
eScan        1.0.10    Precinct-based scanner used for election day and absentee voting.

NATIONAL ASSOCIATION OF STATE ELECTION DIRECTORS (NASED) QUALIFICATION NUMBER

Hart InterCivic's Voting System 5.0 was qualified by the NASED on October 18, 2005, under the designation N-1-04-22-22-003.

FINDINGS

The following are the findings, based on oral evidence presented at the examination to our examiners, written evidence submitted by the Vendor in support of its application for certification, and the findings of our voting system examiners as set out in their written reports. Hart InterCivic Voting System 5.0:

1. Preserves the secrecy of the ballot;
2. Is suitable for the purpose for which it is intended;
3. Operates safely, efficiently, and accurately;
4. Is safe from fraudulent or unauthorized manipulation;
5. Permits voting on all offices and measures to be voted on at the election;
6. Prevents counting votes on offices and measures on which the voter is not entitled to vote;
7. Prevents counting votes by the same voter for more than one candidate for the same office or, in elections in which a voter is entitled to vote for more than one candidate for the same office, prevents counting votes for more than the number of candidates for whom the voter is entitled to vote;
8. Prevents counting a vote on the same office or measure more than once;
9. Permits write-in voting;
10. Is capable of permitting straight-party voting;
11. Is capable of providing records from which the operation of the system may be audited; and
12. Is capable of reporting undervotes.

CONCLUSION

Accordingly, based upon the foregoing, I hereby certify the Hart InterCivic Voting System 5.0 for use in elections in Texas.

Signed under my hand and seal of office, this ___ day of ___, 2005.

Buddy Garcia
Deputy Secretary of State


Barney Knight & Associates
Attorneys at Law
Executive Office Terrace
223 West Anderson Lane, Suite A-105
Austin, Texas 78752

June 2, 2005

Ann McGeehan
Deputy Assistant Secretary of State
P.O. Box 12060
Austin, Texas 78711-2060

Re: Hart Intercivic, Inc.
("Hart") Tally v4.1.1; Rally v2.1.1; Ballot Origination Software System v4.1.4; Ballot Now v3.1.0; eSlate v3.1.3; Judges Booth Controller v3.1.3; eCM Manager v1.07; eScan v1.03; and SERVO v4.0.2 (collectively the "Voting System" or "System").

Dear Ms. McGeehan:

Pursuant to my service as an examiner under §122.035, Texas Election Code, I examined the Voting System as it was presented by Hart for examination. The examination and testing with respect to Texas election law and procedure was conducted on May 25, 2005. This report is concerned solely with the ability of the Voting System and each of the individual components to function in compliance with Texas election law. This report is based on the presentation and statements by Hart, and the testing completed by the examiners on May 25, 2005.

Hart gave a presentation and overview, and the examiners then conducted an examination by observing the operation of the Ballot Origination Software, Ballot Now, and casting ballots and observing the functions of the voting devices, the Judges Booth Controller, eSlate, and the tabulation and reporting of votes. Hart stated that various upgrades, including multiple security upgrades, had been made to the software and the various components of the System. More specifically, Hart represented that a systematic review and assessment of security had been made resulting in many security improvements, including both physical and software. At the precinct level voting can proceed via either, or both, the Ballot Now system or the eSlate and Judges Booth Controller. Both appeared to correctly accept, store and report votes cast.

One example security enhancement, in addition to software encryption and password use, includes the use of a USB key. This key was represented to be required for any use with BOSS, Ballot Now, Tally and Rally, and most of the examination of the Voting System was undertaken under that representation. However, it later appeared such representation was not accurate. Hart represented that the election administrator must assign a PIN to the USB key, i.e. jurisdiction-specific security; the election administrator may create a key for the Voting System or for the individual election, or both, and that use of such keys is required for use or operation of BOSS, Ballot Now, Tally and Rally. Generally stated, codes within the USB key must match codes within the precinct controller, the administrator's PIN and password. These are transferred to eSlate, and the USB key functions between the application programs and the database. These codes and PINs must match for the equipment/software to function,[1] and two keys may be required, i.e. one for the System and one for the election.

The security begins with the building security, includes securing the USB keys, equipment and software, and continues with the matching codes, PINs, user IDs and passwords. The ability of the jurisdiction to keep the Voting System and the USB keys under physical security, create keys for both the system and the election, and to require both encrypted identification numbers and passwords, appeared to provide security given the representation the keys were required for any operation of BOSS, Ballot Now, Tally and Rally. However, the discovery that some functions did not require the use of a USB key,[2] together with the discovery of a "utility" program that can modify election results without leaving a real audit trail, raised additional security issues.

For the purposes of my reports, this examiner generally assumes the presentations made and the final responses by vendor representatives to questions presented are truthful and correct. I recognize, however, that inadvertent misstatements may occur. Such representations of fact are essential to the validity of the examinations as conducted and are as important as the observation of the Voting System in operation. Here, it appears one or more misstatements by Hart (or misinterpretations by this examiner) may have resulted in one or more security issues remaining unresolved.

[1] This was the representation by Hart. However, late in the examination a fact issue was presented when it appeared the USB key is only required for certain functions of these increments of the Voting System. The examination of BOSS, Ballot Now, Tally and Rally under an erroneous understanding of the facts results in this examiner not having confidence that all applicable security issues were resolved. Further, such components require examination as to their function when the USB key is not in use.

[2] In addition to the security issue, the operation of the functions of these components (that would operate without the USB key) were not tested without the key being in use. This results in portions of the System as presented for examination not being fully examined as available for use in an election, i.e. without the use of the USB key on all the functions of BOSS, Ballot Now, Tally and Rally.

I was able to make observation and testing of one configuration of the Voting System in the conduct of an election. Based on the written materials, the presentations and representations of fact by Hart, the testing made by casting and tabulating votes, and efforts during such process to afford the Voting System (as configured when examined) the opportunity to function other than as represented by Hart, the function and accuracy of the Voting System as configured when examined appeared to be adequate and in compliance with the Texas Election Code subject to all security issues being satisfactorily resolved. Further, it appears that satisfactory resolution of the security issues and related facts will resolve remaining issues as to the entire System.

During the conduct of the examination and the operation of the Voting System as a whole, several unresolved questions regarding security functions were raised. These specific issues were unresolved because Hart indicated it could not respond appropriately in an open session because of security and proprietary issues. In addition to those issues, there are two additional material issues that should be resolved in the follow-up session, i.e. the existence of the "utility program" that is not part of the Voting System and the clear facts regarding required use of the USB key.

The major components of the Voting System are Tally v4.1.1; Rally v2.1.1; Ballot Origination Software System v4.1.4; Ballot Now v3.1.0; eSlate v3.1.3; Judges Booth Controller v3.1.3; eCM Manager v1.07; eScan v1.03; and SERVO v4.0.2. BOSS, eSlate, Ballot Now and the Controller appear to be configured and to function in substantially the same manner as previously certified. Subject to the resolution of the referenced fact and security issues in an executive or regular session with all increments of the Voting System present and available for confirmation of security issues, the Voting System may be in compliance with Chapt. 122, Subchapt. A, Texas Election Code, and suitable for use in an election.

Special Consideration

The examination may have been compromised somewhat by Hart's reticence, given the public presence during the examination. Some responses appeared to be worded, limited or influenced by concerns for security and proprietary issues. As a result, a follow-up session is warranted.

Recommendation

I do not recommend the Secretary certify the Voting System at this time. Rather, I recommend the Secretary continue the examination (that was commenced on May 25th) with a supplementary regular, or executive, session. It is recommended such session be held as an extension of the first session for the purpose of completing the examination of the Voting System as to certain security matters. During this subsequent session, I recommend the Secretary require Hart to present all parts and increments of the Voting System for an abbreviated additional examination and testing as to security. In addition, I recommend the Secretary require Hart to provide information on the "utility" software program and to demonstrate its use, propose safeguards against unauthorized and improper use, and, when used, to create a clear audit trail of that use. If a supplementary session is held, I will be pleased to make a final recommendation promptly following that session. Absent a supplemental, follow-up session, and resolution of security issues, I recommend the Secretary not certify the Voting System.

Very truly yours,

Barney Knight


Voting System Examination: Hart InterCivic
Prepared for the Secretary of State of Texas
James Sneeringer, Ph.D.
Designee of the Attorney General

This report conveys the findings of the Attorney General's designee from an examination of the equipment listed, pursuant to Title 9, Chapter 122 of the Texas Election Code, section 122.036(b).

Examination Date: May 25, 2005
Report Date: June 13, 2005
Component                                   Version   NASED Number
Ballot Origination Software System (BOSS)   4.1.4     Not yet approved
Ballot Now: Paper Ballots                   3.10      Not yet approved
Tally: Vote Tabulation System               4.1.1     Not yet approved
Rally: Vote Transfers to Tally              2.1.1     Not yet approved
Servo: Warehouse Software                   4.0.2     Not yet approved
Electronic Crypto Module (eCM)              1.0.7     Not yet approved
eSlate Voting Station                       3.1.3     Not yet approved
Judges Booth Controller (JBC)               3.1.3     Not yet approved
eScan Precinct Scanner                      1.0.3     Not yet approved

Improvements

A security review has been performed by Symantec, and security updates have been added. These security updates are pervasive and touch every component listed above. An additional layer of security has been added, using a key that is generated by the jurisdiction and stored in an Electronic Crypto Module (or eCM), which is a USB security dongle. The security key in the eCM can be copied only by Hart's eCM Manager program, because each eCM has a serial number. The eCM must be present for Tally, BOSS, Rally, Ballot Now or Servo (warehouse software) to create or use a Mobile Ballot Box (MBB). The eScan precinct scanner has been added. See below for details.

Notes

• The overall system is referred to as System 5.0, even though the version numbers of the individual components do not contain 5.0.
• The previous version, System 4.0, was never certified in Texas.
• Hart is ISO 9000 certified, so their engineering processes are certified by an external agency. This is a very positive factor.

DRE System: eSlate Precinct Voting System (PVS), eScan Precinct Scanner, and Judges Booth Controller (JBC)

Election Setup: PCMCIA card (Mobile Ballot Box, or MBB) created with BOSS election setup software.

Zero-total report: On thermal printer, which is found on both the Judge's Booth Controller (JBC) and on the eScan.

Authorization to vote / Ballot selection: For the eSlate, a four-digit authorization code is issued to each voter on a tape printed at the election judge's controller.

Provisional Ballots: The system allows ballots to be designated as provisional, automatically assigns a recall number to each one, and prints it out. Each eSlate provisional ballot can later be included in the tally or can remain excluded. Recall numbers are automatically assigned to provisional eSlate ballots and the recall numbers are printed, so transcription errors are avoided; this is preferable to manually assigning them, as some systems require. With the eScan, provisional ballots must be handled with a manual envelope system, where ballots are not scanned until they are accepted.

View / Vote: For the eSlate, LCD display / selection wheel and keys.

Vote Storage: Flash memory called a Mobile Ballot Box, or MBB.

Precinct Consolidation: Not applicable when only eSlates are used, because precinct results are all accumulated together in the Judge's Booth Controller (JBC). If both eSlates and eScans are used in the same precinct, consolidation is done on one of the eScans, but only for the purpose of creating the precinct report. All the MBBs from both eSlates and eScans are carried to election central.

Transfer Results: Flash memory (MBB) used to send to Tally software. Protected by a hash on each vote record. The Electronic Crypto Module (or eCM, a USB dongle) must be present for Tally, BOSS, Rally, Ballot Now or Servo (warehouse software) to create or use a Mobile Ballot Box (MBB).

Print precinct results: On thermal printer. There is a thermal printer on the JBC and on the eScan. If both are used in the precinct, the precinct report is printed on the eScan.

Straight party / crossover: Yes. A warning is given if a straight party vote cancels a crossover vote that has already been selected. This prevents straight-party voting from having an effect the voter did not intend.

Precinct Scanning: The eScan precinct scanner integrates with the precinct system. Results from the JBC can be placed on an MBB and plugged into the eScan, which then produces the precinct report with totals from both the DREs connected to the JBC and the eSlate precinct scanner.

Tabulation and Transmission Software: Tally and Rally

Results Storage: Sybase SQL Anywhere.

OS access: Not permitted during tabulation. You can restart the system, but it is logged.

Real-Time Audit Log: Yes.

Data Integrity: Sybase SQL Anywhere implements transaction protection (using a log file), so that either all the data in a transaction is posted, or none of it is.

Transmission: The Rally system can be placed in a regional center to collect results and forward them to the central counting location. No tabulation is done. It merely accepts precinct results and forwards them. All transactions are logged.

Ballot Printing Software & Ballot Scanning: Ballot Now & BOSS

Election Setup: PCMCIA card (MBB) created with BOSS election setup software.

Ballot Scanning:
• BOSS can scan ballots, allow manual interpretation of any undervotes or overvotes, and create Cast Vote Records (CVRs) that can be input into Tally.
• A number of scanners are certified for use with BOSS.

Notes:
• Ballots are produced on demand.
• Each ballot has a serial number and a bar code, which prevents ballots from being counted twice by the Tally software.
• Especially good for absentee ballots.

Concerns

1. Hart has a program called ResetPVS, which clears all the votes on a JBC, MBB and eSlates. This utility is intended for use by Hart personnel only, and they say it is not given to counties. Its purpose is to allow their employees to clear election data without loading the particular version of their software that is being used by the county. This is not acceptable. One person working alone could obtain a copy of this program (for example by theft or bribery) and completely erase the data of entire polling locations quickly and without leaving a trace. Obviously, no data is ever 100% secure, but election systems should do everything possible to make it difficult to destroy or lose vote records. Furthermore, since the tool already exists and there is no way to know how many copies there are, existing Hart systems are at risk until the JBC software is updated to a version that does not have this vulnerability.

Recommendation: Hart should be given a reasonable amount of time (I recommend nine months) to fix this problem and update all existing systems in Texas. At the end of the time, all Hart systems that have this vulnerability should be decertified.

2. The eScan is extremely sensitive to stray marks. If the voter allows even a very small part of a mark to stray into a neighboring box, an overvote can result. Fortunately, overvotes are caught in time for the voter to correct them, because this is a precinct scanner. If the voter can identify the stray mark, he can erase it. Otherwise, he must spoil the ballot and vote again. Although this is not a fatal problem, there can be significant inconvenience.

Recommendation: For now, we should simply be aware of this and see if it turns out to be a problem in practice. I recommend that Hart tune the software so that the scanner strikes a reasonable balance between ignoring marks that the user intended and recording marks he did not intend. Another possibility is to address this with voter instructions.

3. If the same ballot is scanned by an eScan and by Ballot Now, it will be counted twice. This is not a big enough problem to prevent certification, since many systems will count ballots twice if they are scanned twice. However, since the Hart system normally refuses to count the same ballot twice, election officials may become somewhat lax about enforcing procedures to prevent this.

Recommendation: Hart should warn counties of the importance of keeping eScan ballots separate from Ballot Now ballots, so they are not scanned twice.
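The report above describes two integrity properties of the Mobile Ballot Box: each vote record carries a hash, and a reset utility can erase every record "without leaving a trace". The following Python is an added illustration, not Hart's code and not the examiners', of why a per-record hash alone catches an edited record but not a wholesale erasure, and of the kind of keyed close-polls commitment (record count plus a chain over the record hashes, authenticated under a key assumed to be held in the eCM dongle) that would let Tally detect both. The record format, the key and the sample records are constructed for this example.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample key; in the system described it would be generated by the
# jurisdiction and held in the eCM USB dongle, never stored on the MBB itself.
ECM_KEY = b"constructed-jurisdiction-key"


def record_digest(cvr):
    """Unkeyed hash of one cast vote record (the 'hash on each vote record')."""
    canonical = json.dumps(cvr, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def write_mbb(cvrs):
    """Store every CVR next to its digest, as the MBB is described to do."""
    return [{"cvr": cvr, "digest": record_digest(cvr)} for cvr in cvrs]


def _chain_head(digests):
    """Fold all record digests, in order, into one value."""
    chain = hashlib.sha256()
    for d in digests:
        chain.update(d.encode())
    return chain.hexdigest()


def close_polls(mbb, key=ECM_KEY):
    """Assumed addition: at close of polls, commit to the record count and the
    chain head under the eCM key, so later removal of records is detectable."""
    head = _chain_head(e["digest"] for e in mbb)
    msg = f"{len(mbb)}:{head}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"count": len(mbb), "head": head, "mac": mac}


def verify_mbb(mbb, commitment, key=ECM_KEY):
    """Check an MBB against its close-polls commitment; return a list of
    problems (an empty list means the MBB is consistent)."""
    problems = []
    actual = [record_digest(e["cvr"]) for e in mbb]
    for i, (e, d) in enumerate(zip(mbb, actual)):
        if d != e["digest"]:
            problems.append(f"record {i} altered")
    msg = f"{commitment['count']}:{commitment['head']}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, commitment["mac"]):
        problems.append("close-polls commitment not authentic")
        return problems
    if len(mbb) != commitment["count"]:
        problems.append(f"record count {len(mbb)} != committed {commitment['count']}")
    if _chain_head(actual) != commitment["head"]:
        problems.append("record chain does not match commitment")
    return problems


def demo():
    """Constructed scenarios: intact MBB, one record edited with a stale digest,
    the same edit with the digest recomputed, and every record erased."""
    cvrs = [
        {"serial": 1, "race": "Mayor", "choice": "Candidate A"},
        {"serial": 2, "race": "Mayor", "choice": "Candidate B"},
        {"serial": 3, "race": "Mayor", "choice": "Candidate A"},
    ]
    mbb = write_mbb(cvrs)
    commitment = close_polls(mbb)

    edited = copy.deepcopy(mbb)
    edited[1]["cvr"]["choice"] = "Candidate A"              # digest left stale

    rehashed = copy.deepcopy(edited)
    rehashed[1]["digest"] = record_digest(rehashed[1]["cvr"])  # digest recomputed

    erased = []                                             # every record cleared

    return {
        "intact": verify_mbb(mbb, commitment),
        "edited": verify_mbb(edited, commitment),
        "rehashed": verify_mbb(rehashed, commitment),
        "erased": verify_mbb(erased, commitment),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'consistent'}")
```

The "rehashed" and "erased" cases are the instructive ones: with only per-record hashes, both would verify cleanly, because every remaining record still matches its own digest. Only a value that is bound to the whole set of records and to a key the MBB does not contain makes an emptied or quietly rewritten box detectable at Tally.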
DEPARTMENT OF INFORMATION RESOURCES
P.O. Box 13564 • Austin, TX 78711-3564 • www.dir.state.tx.us
Tel: (512) 475-4700 • Fax: (512) 475-4759
Larry A. Olson, Chief Technology Officer, State of Texas

July 12, 2005

Ms. Ann McGeehan
Deputy Assistant
Office of the Secretary of State
1019 Brazos Street
Austin, TX 78701

RE: Examination of Hart Intercivic voting systems

Dear Ms. McGeehan:

I attended a scheduled re-examination on May 25, 2005, at 8:30 am, for the purpose of examining the voting system from Hart Intercivic. This report summarizes my findings.

Hardware/Software                    Version   Date Previously Certified
Ballot Origination Software System   v4.1      June 24, 2004
Ballot Now: Paper Ballots            v3.0.24   June 24, 2004
eSlate                               v3.1.0    June 24, 2004
Judges Booth Controller              v3.1.0    June 24, 2004
Tally                                v4.1.0    June 24, 2004
Rally                                v2.1.0    June 24, 2004
eCM Manager                          v1.0.7    N/A
SERVO                                v3.0.17   N/A
eScan                                v1.0.0    N/A

Collectively all these components are referred to as System 5.

New Focus on Security

Hart commissioned a complete risk assessment by an industry leader in digital security. From this assessment they developed a security plan and implemented it, resulting in numerous changes to all system components. The changes also meet new customer requirements and requests that were generated through Hart's work with another state. Hart's system is now compliant with BS7799, which implements ISO 17799 (see http://iso-17799.safemode.org/). Hart is now audited quarterly to these standards. ISO 17799 is a code of practice for information security management. It contains 36 control objectives and suggests hundreds of specific controls, organized into 10 main sections. Each control objective contains advice on how to satisfy the objective, and includes a number of best practices for information security controls.

BS7799 is a specification for an Information Security Management System. The specification provides a system for monitoring, measuring and controlling information security as a whole. In effect it is a methodology for applying the controls contained in ISO 17799.

The vendor also noted that the audit log gets quite large for some jurisdictions. Thus, in addition to the substantial changes to security methodology, they have provided a much improved searching and navigation engine with which to review the log. It is suggested that such facilities also be provided for the public to access and search the log.

eScan

The eScan is new to the Hart product line. It is a system of hardware and software that scans and creates a digital image of the entire ballot. The software looks for patterns such as check boxes that it expects to find in specific locations on the ballot. It then determines if the voter has made marks in any of the boxes. This approach produces a somewhat more stable, robust process than previous optical scan systems that scan only specific, limited areas of the ballot. In addition, the new scanner is not as sensitive to the kind of paper or pens that are used, compared to earlier technologies. The unit used for the demonstration was able to detect even tiny marks made by various pens and pencils in the selection boxes.

Voters insert ballots into the scanner. The scanner evaluates the ballot and accepts it or rejects it with instructions to the voter about the problems it encountered. However, the system provides no way for the voter or election officials to resolve errors electronically. The voter must change the ballot itself, or spoil the ballot and vote with a new one. The machine records all valid ballots as Cast Vote Records (CVR) but not as images.

When the polls close, the eScan can read the MBB from any DREs at the polling place, accumulate the totals of the DREs with the scanned paper ballots, and produce a precinct report. Thus if necessary, a small jurisdiction can still use paper ballots along with DREs, or use paper ballots in only part of the jurisdiction. Note that the MBB is just used to collect CVRs and produce a precinct report. The report is not stored on the scanner or MBB. After the polls close, no device makes changes to the CVRs in the MBBs. The audit log in the scanner does record in the MBB the fact that the close-polls report has been created.

The vendor noted that they plan to eliminate the need for the JBC to reduce the cost per polling location. This may also increase the flexibility of their system, especially in cases in which a voting device malfunctions during the day and needs to be replaced.

BOSS

The most significant changes to BOSS revolve around security. The MBB is now encrypted and uses SHA1 authentication. BOSS now requires a hardware key to operate. This key is inserted in a USB port, and is unique for each jurisdiction. Further, each user must sign on using a user ID and password.

BOSS now provides enhanced support for separating party affiliation during primary elections. This feature improves reporting rather than voting, however, as the voters will see no changes to the way races are presented.

The vendor noted that the database is encrypted using the physical encryption key described earlier. There is no way to access the data without the physical key. Each major operation in the software requires user name and password. Such actions are recorded in the log, but not the serial number of the physical key that is used. The key is required only for BOSS and Rally. More questions were asked of the vendor but were deferred to an executive session in which proprietary issues could be discussed.

Ballot Now

Ballot Now (see http://www.hartintercivic.com/files/ballot now.pdf) prints ballots, scans cast ballots to record votes, notes anomalies such as overvotes and presents them to the user for resolution. A few minor features were added to this product, as well as the security enhancements added to other products.

eScan

The eScan device is an optical scanner for use as a precinct tabulator as well as an early voting tabulator (see http://www.hartintercivic.com/files/eScan.odf). Users insert ballots into the eScan, and the system checks the ballot for errors. Users are given a chance to retrieve ballots to correct the errors before casting them.

There were some questions about the version of eScan that was demonstrated. At boot-up, the version is displayed as 1.03 even though the version number given above for certification is 1.0. The vendor said this is because of engineering changes that were made at the behest of the ITA. The vendor said that there may be more changes, but the likely shipped version will be called 1.0.

The eScan generated some discussion about a small utility the vendor uses internally to clear votes off of voting machines for testing and for demonstrations such as this examination. The existence of this utility creates a small chance that an unauthorized person with access to the program could cause a significant amount of mischief in a local jurisdiction. One of the examiners made a convincing argument that such a utility should at least require a password to use it.

Rally

Encrypted communication through Secure Socket Layer (SSL) has been added to remote data communication through Rally.

Servo

Apparently there is no way to transfer data to SERVO from eScan yet.

Results of the examination

The voting test did not uncover any anomalies in counting votes and the user interface. The vendor's new initiative focusing on security is timely and seems well designed. However, there are some concerns about the new security devices and utility programs that should be addressed as soon as possible. DIR finds no objections to certifying the system itself as presented at this examination.

Respectfully,

Nick Osborn
Systems Analyst


HART Intercivic

The Hart Intercivic voting system was re-examined in Austin on May 25, 2005. The version numbers of the changed systems are as follows:

BOSS - version 4.1.4 - ballot design and generation sub-system
BallotNow - version 3.1.0 - scanner used for deposition of mail-in ballots
eSlate - version 3.1.3 - DRE voting device
JBC - version 3.1.3 - Judges Booth Controller used with eSlate to select voters' ballot
Tally - version 4.1.1 - central-count accumulator and reporting sub-system
Rally - version 2.1.1 - regional or central MBB uploading (throughput enhancement)
SERVO - version 4.0.2 - used to extract audit data from eSlates and JBC's
eScan - version 1.0.3 - scanner to read paper ballots
eCM - version 1.0.7 - used to generate security keys

Collectively, the component pieces make up Hart's System 5 voting system. The entire system was reviewed since all components have been modified since the previous examination. The eScan is a new addition to the system. It provides an optical scan ballot alternative to the eSlate DRE for the majority of a precinct's voters. A jurisdiction using the Hart system will still need an eSlate in each polling location to meet the HAVA requirements, but the eScan is more economical and has the added benefit of the paper ballot, which is the ultimate audit trail.

Findings

VOTING

The system recorded and accumulated the examiners' ballots cast on the eSlates and eScan correctly.

eSCAN

The eScan device uses the same algorithms as the BallotNow system to determine a voter's selection.
The scanner first adjusts itself based on marks printed on the ballot before it reads the selections, which compensates for any printer skewing of the ballots. BallotNow is sold in conjunction with the eSlate so that it can be used to produce the blank ballot images used in the eSlate. There is no need for a "resolution" screen with the eScan since the voter inserts the ballot into the device. The eScan can be programmed to return the ballot to the user when a race is overvoted or undervoted. The eScan creates a CVR (cast vote record) as well as accumulates totals. When the polls are closed the CVRs, which are loaded onto the MBB (mobile ballot box), are transferred to Tally. The aforementioned accumulated totals are consolidated with the eSlates' totals to produce the precinct totals report. Tally will indicate how many votes were cast on the eScan versus the eSlate systems for a precinct. If the jurisdiction has only one voter use the eSlate in a precinct, the voter's choices remain private because Tally does not indicate voter choice by device (eSlate vs. eScan).

SECURITY
Unauthorized access to the sub-systems is thwarted by use of a SHA-1 encryption key. The key is loaded onto a USB key fob (dongle) which is required to gain access (along with passwords) to the BOSS and Tally sub-systems. The key fob can only be copied with Hart software because it requires a secret PIN#. The other sub-systems (eSlate and eScan) do not require the fob, but the key is still used to verify the validity of the election setup. The SHA-1 encryption has recently been cracked by academicians so it is not impossible to break. Hart should upgrade to the newly developed SHA-256 specification. The Sybase database used by BOSS and TALLY is encrypted. Access is generally done through the Hart programs, but if the software key is known, a person could make changes to the database with a SQL utility.
Once the election setup has been finalized and "locked" by BOSS, the CRC verification would detect that the database has been changed. Access to the operating system from TALLY was prevented so that unauthorized and unlogged operations are prevented. The vendor representative used a utility to zero out the eScan votes. The utility is not sold but rather used by Hart technicians as a "quick and dirty" way to clear votes. This action was not logged, so the vendor must be diligent that it does not "get out". The utility requires a PC and cable so it is not likely that a malicious voter or corrupt election worker would be able to clear the votes without being noticed, even if they had the utility. The vendor stated that this utility can only clear the votes, not alter the votes. The existence of this utility does raise concern about what other utilities Hart possesses. Is there a utility that could be used to alter votes?

SERVO
One use of SERVO is to extract the CVRs and audit logs from the eSlates and JBCs. This was demonstrated by Hart. The printouts of the audit logs and CVRs were clear and sufficiently detailed.

Recommendations
The MBBs do not include the eScan and eSlate serial numbers, and ballots cast on each device, used in the precinct. The vendor should include this information in the audit logs and on the MBBs. This would facilitate finding the correct devices should an audit of a precinct be needed. The eSlate numbers could be written to the MBB when the polls are opened. The eScan numbers can be written when the polls are closed. If an eSlate is taken off-line during the election day, that should be logged. The key fobs have an internal serial number. The software should keep track of the serial numbers (key fobs) used and produced by a jurisdiction. Hart should disclose all utility programs that are written for any of the sub-systems.
Because SERVO is required to extract the audit logs from the eSlates and JBCs, it should be bundled with any purchase of eSlates. Otherwise, a jurisdiction will not be able to audit the precinct results without Hart's help.

Conclusion
The system meets the current requirements of the Texas Election Code. I recommend certification.

Tom Watson
Examiner

Information Technology Division
P.O. Box 12887
Austin, Texas 78711-2887
Phone: 512-463-5609
Fax: 512-463-5678
Dial 7-1-1 For Relay Services
www.sosstate.tx.us

TO: Ann McGeehan, Elections Division Director
FROM: Glenn Glover, Voting System Examiner
DATE: May 27, 2005

A voting systems certification examination was held at the Office of the Secretary of State Elections Division on Wednesday, May 25, 2005. Hart InterCivic submitted the following election products for certification:
Ballot Origination Software System (BOSS) - v 4.1.0
Ballot Now: Paper Ballots - v 3.0.24
eSlate: Voting Device - v 3.1.0
JBC: Judge Booth Controller - v 3.1.0
Tally: Vote Tabulation System - v 4.1.0
Rally: Vote Transfers to Tally - v 2.1.0
eCM Manager - v 1.0.7
SERVO: Warehouse Management System - v 3.0.17
eScan: Precinct based paper ballot scanner - v 1.0.0
Hart collectively refers to the above components as System 5.0. Hart began the examination with the announcement that Hart InterCivic and their election voting system products had attained BS7799 certification, which they explained is the highest possible standard of information security awarded by the British Standards Institute. All System 5.0 components have been previously reviewed by the examiners with the exception of the eScan and eCM products. Hart introduced the eScan and explained its role in the election process. The eScan accepts paper ballots, immediately scans and either accepts or rejects the ballot. If the ballot is rejected the device will present a message with an explanation as to why the ballot was rejected (overvote, undervote, etc.).
If the ballot is accepted, then the eScan will count the vote and store it in the mobile ballot box (MBB) and create a "cast vote record", which is a representation of how a particular ballot's races were voted. In practical terms, after marking a ballot, a voter feeds the ballot directly into eScan at the precinct. Voters are immediately notified if their ballot was accepted or rejected with messages displayed on the eScan screen. If rejected, the ballot is kicked back to the voter. Absentee ballots can also be processed with the eScan. Hart stated that the eScan does not use optical scan but uses digital scan technology. They explained the differences between the two scanning methodologies and the superiority of digital over optical scanning. Hart presented to the examiners their new voting security infrastructure centered on the eSlate Cryptographic Module (eCM). The eCM is a USB security key that is required for access to secure functions in the BOSS, Tally, Rally, Ballot Now, and SERVO applications. The eCM is set up with the eCM Manager, a software application that reads and writes a "key ID" and a "signing key" to an eCM. The eCM security data is used by the BOSS application to create the ballot formats and must also be present in the eCMs used in the Tally, Rally, Ballot Now, and SERVO applications. Several eCMs are created for an election, with a separate eCM used with each computer running an eSlate Electronic Voting System software application (BOSS, Tally, Rally, Ballot Now, and SERVO). Each copy of the eCM to be used must contain the same security data. The security data consists of a Key ID and a HASH. The Key ID is a user-supplied identification number for an eCM. The HASH is a SHA-1 hash value of the Key ID and Signing Key. The signing key is a true 128-bit random number used to cryptographically protect data. The examiners proceeded with a test election using the System 5 components.
After voting and tabulating the results, I compared the actual ballots with the cast vote records captured in the eSlate MBBs, which were extracted using the SERVO software. The cast vote records for the particular eSlate unit that I voted on corresponded to the ballot races I had voted. After review of the documentation, examination and test voting with the System 5 components, I find that Hart's System 5 components are in compliance with the Texas Election Code and recommend that the BOSS v 4.1.0, Ballot Now v 3.0.24, eSlate System v 3.1.0, JBC v 3.1.0, Tally v 4.1.0, Rally v 2.1.0, eCM Manager v 1.0.7, SERVO v 3.0.17 and eScan v 1.0.0 be certified for use in the State of Texas.

July 17, 2005
Ann McGeehan
Director of Elections
Secretary of State
1019 Brazos Street
Austin, TX 78701

Dear Ms. McGeehan,
Your letter dated July 14, 2005 contained two questions from the voting system examiners concerning the use of a software utility and the function of the security key. I have provided responses to those questions below.
1. The utility in question is a development tool used by Hart InterCivic to reset our hardware components during our internal development and test efforts. The utility should not have been present or used during certification, and the concerns expressed by the examiners are justified. The function performed by this utility is provided to our customers by SERVO, a submitted and certified product that supports the reset capability. SERVO embodies Hart InterCivic's security policies requiring user name and password along with the electronic key, as demonstrated during the examination for the other PC-based applications and described below.
2. The USB key is used to digitally sign data whenever the data is moved from one system component to another. This is done to ensure that when the data is outside the authenticated environment of the system components, it cannot be changed or modified without detection.
When the data is within a system component, it is secured by the system authentication requirements, the Principle of Least Privilege, Segregation of Duties, and Role-Based Privileges. The USB key is not required to be in place at all times; for example, when an operator is entering and editing the ballot definition in BOSS there is no need for the application to access the USB key. The USB key is required when the ballot definition is complete and the ballot is generated to create the ballot data for the MBB. When the ballot data file is created for the MBB, the USB key provides the two-factor security. The USB key, which is under physical control by the election administrator, is used to digitally sign the election data that is written to the MBB and used by all subsequent system components. When the other system components read the MBB data, they use the key to authenticate the data on the MBB. In a similar fashion, when other system components such as BallotNow, eScan, or the JBC add Cast Vote Records to the MBB, the Cast Vote Records are digitally signed so that the data cannot be altered or modified without detection. When the MBBs are read into the authenticated environment of the Tally system component, Tally authenticates the data on the MBB using the USB key. Please refer to the Symantec white paper "Securing the eSlate Electronic Voting System Application Security Implementation" (attached) for further details of the comprehensive security surrounding the Hart Voting System. Please let me know if these responses satisfy the examiners' questions or if additional follow up is required.
Sincerely,
Neil McClure
Vice President
Hart InterCivic, Inc.

Project Change Document
Change Number: 2
Date Change Initiated: 7/24/07
Submitted by: Ken Trethewey
Project Title: Kerr County, TX HVS Implementation
Contract Title: eSlate Warranty, Support and License Agreement
Contract Date: 9/1/2005
Description of Change: Kerr County has requested that their annual billing cycle for their Hart Voting System be changed from Sept. 1 through Aug. 31 to Nov. 1 through Oct. 31. As part of this change, Kerr County will be billed an incremental annual fee of $1556.88 for the 60 days from Sept. 1, 2007 through Oct. 31, 2007. Reference is changed to add the following sub-paragraph to paragraph 4 Annual Fee: 14.5 Effective July 24, 2007, the Anniversary Date for Kerr County's Annual Fee payment is changed to November 1st. By implementing this change, Kerr County's new Annual Fee will be due before November 1st, 2007 and before this new anniversary date thereafter.
Cost of Change: $1,556.88
Date Change Executed:
For County: Pat Tinley, Kerr County Judge
For Hart InterCivic: Eric Simonsen, Manager of Account Services
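The eCM security model described in Glenn Glover's report and in Hart's July 17 reply above (a user-supplied Key ID, a 128-bit random signing key, a SHA-1 HASH over both, and keyed signing of everything written to the MBB) can be modelled in a few lines so that the tamper-detection claim and the examiners' SHA-256 recommendation can be checked. The following is an added example, not Hart's code or the design in the Symantec white paper; the concatenation order for the HASH, the use of HMAC as the signing construction, and the selectable hash algorithm are assumptions, and every key and record is a constructed sample value.

```python
import hashlib
import hmac
import json
import secrets

# Added model of the eCM / MBB signing scheme described in the examiner reports.
# Assumptions (not stated on the page): HASH = algo(key_id || signing_key) and
# MBB records are signed with HMAC keyed by the signing key. 'algo' is a
# parameter so SHA-1 (as certified) and SHA-256 (as recommended) both work.

def make_ecm(key_id, signing_key=None, algo="sha1"):
    """Security data held by one eCM fob: Key ID, 128-bit signing key, HASH."""
    if signing_key is None:
        signing_key = secrets.token_bytes(16)  # 128-bit random, as the report states
    if len(signing_key) != 16:
        raise ValueError("signing key must be 128 bits")
    digest = hashlib.new(algo, key_id.encode() + signing_key).hexdigest()
    return {"key_id": key_id, "signing_key": signing_key, "hash": digest, "algo": algo}

def ecms_match(a, b):
    """All eCMs issued for one election must carry identical security data."""
    return a["algo"] == b["algo"] and hmac.compare_digest(a["hash"], b["hash"])

def sign_record(ecm, record):
    """Sign a ballot definition or cast vote record before writing it to the MBB."""
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(ecm["signing_key"], body, ecm["algo"]).hexdigest()
    return {"body": record, "tag": tag}

def verify_record(ecm, signed):
    """What Tally (or any other reader) does when an MBB comes back in."""
    body = json.dumps(signed["body"], sort_keys=True).encode()
    expected = hmac.new(ecm["signing_key"], body, ecm["algo"]).hexdigest()
    return hmac.compare_digest(expected, signed["tag"])

def demo(algo="sha1"):
    """Constructed scenario: matching fobs, a stray fob, and an altered CVR."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample key
    boss_ecm = make_ecm("DEMO-ELECTION-01", key, algo)
    tally_ecm = make_ecm("DEMO-ELECTION-01", key, algo)      # same data, second fob
    stray_ecm = make_ecm("DEMO-ELECTION-01", b"\x01" * 16, algo)  # wrong signing key
    cvr = sign_record(boss_ecm, {"device": "eScan", "ballot": 1, "race1": "A"})
    altered = {"body": dict(cvr["body"], race1="B"), "tag": cvr["tag"]}  # tampered on MBB
    return {
        "fobs_match": ecms_match(boss_ecm, tally_ecm),
        "stray_rejected": not ecms_match(boss_ecm, stray_ecm),
        "genuine_ok": verify_record(tally_ecm, cvr),
        "altered_detected": not verify_record(tally_ecm, altered),
        "stray_cannot_verify": not verify_record(stray_ecm, cvr),
    }
```

Running `demo("sha1")` and `demo("sha256")` returns all-true results in both cases, which illustrates that switching the digest as the examiners recommend changes nothing in the data flow between components.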