COMMONWEALTH OF DEPARTMENT OF STATE

REPORT CONCERNING THE REEXAMINATION RESULTS OF ELECTION SYSTEMS AND SOFTWARE EXPRESSVOTE XL

Issued By: Kathy Boockvar, Acting Secretary of the Commonwealth
September 3, 2019

INTRODUCTION

Article XI-A of the Election Code, 25 P.S. 3031.1 et seq. (the "Code"), authorizes the use of electronic voting systems. Section 1105-A of the Code, 25 P.S. allows any ten or more qualified electors of to request a reexamination of an electronic voting system certified by the Secretary of the Commonwealth ("Secretary"). On July 17, 2019, the Acting Secretary of the Commonwealth ("Acting Secretary") received a Petition to Reexamine the ExpressVote XL (the "Petition"). A copy of that Petition is attached hereto as Appendix A.

The ExpressVote XL was initially examined and certified as part of the EVS 6021 electronic voting system to both federal and state voting system standards by the Election Assistance Commission on November 12, 2018 and by the Secretary of the Commonwealth on November 30, 2018.

The Petition sets forth ten claims for why the Acting Secretary should de-certify the ExpressVote XL (XL). After a thorough and considered review of the Petition, the Acting Secretary has determined that claims three through seven, nine, and ten amount to purely legal arguments which do not apply to reexamination or certification of an electronic voting system. With respect to claims one, two, and eight, the Acting Secretary, in consultation with the Department of State's expert voting system examiner, reexamined the XL and concluded that the XL meets the requirements of Section of the Election Code, 25 P.S. 3031.7, and can be safely used to conduct elections in the Commonwealth.

To satisfy the Secretary's statutory obligation to reexamine the XL system based on claims one, two, and eight in the Petition, the Department of State ("Department")
entered into an agreement with expert professional consultant SLI Compliance to conduct a focused reexamination of the XL. Jesse Peterson, Security Specialist, and Mike Santos, Senior Test Manager, served as the examiners ("Examiners").

The off-site reexamination was conducted at the laboratory of SLI Compliance located in Wheat Ridge, Colorado. The Department was represented by Sindhu Ramachandran, Voting System Analyst, for the reexamination on August 7 and 8, 2019. The Examiners then provided findings from the examination, and the test results and conclusion have been included in further sections of this report.

II. THE EXPRESSVOTE XL VOTING SYSTEM

ExpressVote XL

ExpressVote XL is a polling place voting device that provides touch screen vote capture which incorporates printing of a voter's selections as a paper voter-verifiable record and tabulation scanning into a single unit. The system uses a touch-operated screen and/or assistive technology to capture a voter's choices. The integrated thermal printer prints the voter's choices on a voter-verifiable paper vote summary record and the system scans and saves an image of the printed vote summary record. The vote summary record is the voter-verifiable paper record with plain text words of the votes to be cast, which, once cast, will be retained as the official vote record and used for audits and/or recounts. The software/firmware version of ExpressVote XL certified as part of the EVS 6021 system is 1.0.1.0 and the hardware version is 1.0.

Test Materials

Test support materials utilized during the examination included:

- Two ExpressVote XL devices
- CFAST cards for both ExpressVote XL devices
- Thermal receipt paper for the ExpressVote XL
- Activation card stock for processing vote summary records on the ExpressVote XL
- CFAST cards
- USB thumb drives
- Pens to modify marks

REEXAMINATION APPROACH

A. Approach Summary

The reexamination focused on the alleged violations of Sections and (12) of the Election Code, 25 P.S.
3031.7(1) relating to vote record secrecy and security, set forth in items one, two, and eight of the petition. The Examiner evaluated the petition and relevant system documentation to develop test protocols for the examination. All hardware necessary to perform the reexamination was supplied by Software and firmware for the EVS 6021 voting system was obtained from the Voting System Test Lab that performed the EAC certification test campaign. The Examiner installed the firmware using the appropriate media and process for installation.

The test protocols separated the requirements for the reexamination into three main areas of test execution: (1) Security Analysis and Evaluation; (2) Functional Testing; and (3) Documentation Review.

1. Security Analysis and Evaluation

The Examiners performed security analysis of the XL, with special consideration to the items set forth in the Petition. The Examiners' security specialist reviewed the system to evaluate the system's security protocols. In order to gather details for the functional test execution, SLI included a review of internal security, functional and architectural diagrams, software specification, as well as ExpressVote XL hardware schematic documentation. The analysis was done to reexamine the system architecture and operations and to plan a comprehensive approach to analyze and evaluate each allegation. The Examiners also utilized the vulnerability assessment performed during the initial examination of the EVS 6021 voting system. This evaluation was used during test planning to identify the specific test cases to be executed during the functional testing and documentation review phases.

2. Functional Testing

The functional testing phase involved SLI personnel executing test cases identified during the security analysis and evaluation.
This phase provided a means to assess the security and functional properties of the voting system under examination to ascertain whether they provide acceptable security procedures to prevent tampering with or substitution of vote summary records, as required by the Election Code at 25 3031.7(12). The Examiner also used the functional testing to evaluate compliance of the system to the Election Code requirement at 25 3031 to ascertain whether the system provides for processes and procedures to maintain the secrecy of a voter's ballot.

3. Documentation Review

The documentation review phase consisted of reviewing the EVS 6021 voting system documentation to verify that appropriate processes and procedures are in place to provide acceptable security and privacy as required by 25 3031.7(1) and (12).

Examination Results and Discussion

A. Examination Results and Discussion regarding Allegation #1

The Petition's allegation number one alleges that the XL violates Section 1 of Election Code, 25 P.S. 3031.7(12), which requires that a voting system "provides acceptable ballot security procedures and impoundment of ballots to prevent tampering with or substitution of any ballots or ballot cards," because it does not provide acceptable procedures to prevent tampering. As detailed below, the Examiner evaluated these claims and determined through security analysis and evaluation, functional testing, and documentation review that the XL does not violate Section 1 of the Election Code because it has protocols and mechanisms to provide for acceptable security procedures to prevent tampering with or substitution of the vote summary records. The results of the Examiner's documentation review and testing are summarized in the following paragraphs of this section.

1. Security Analysis and Evaluation

The security specialist reviewed the internal security, functional and architectural diagrams, software specifications, as well as the XL hardware schematic documentation.
The Examiners also utilized the vulnerability assessment performed during the initial examination of the EVS 6021 voting system. The Examiners gathered information about the system security protocols in place to prevent undetectable malicious manipulation of the XL, as well as information about the programmatic and physical access controls in place to prevent tampering. The Examiners then used the information gathered during this evaluation to identify specific test cases to be executed during the functional testing and documentation review phases.

2. Functional Testing

The XL was set up following all the physical security measures described in the relevant system documentation. The Examiners reviewed and tested each of the physical security measures in place, which demonstrated that different system access points and the CFAST cards could not be reached without proper keys and tools. The Examiners then performed a hash code validation successfully, confirming that the installed image matched the certified image. The Examiners installed the trusted build and loaded a test general election on the XL devices used for the testing effort. The security specialist tried to penetrate the system using the system access points/ports and was unsuccessful. The Examiner also performed a hash code validation on the XL after the tests to confirm that the trusted build firmware was still present on the device. The Examiners confirmed that any modifications to the files on the CFAST cards would be identified as a mismatch during hash code validation and hence any unauthorized changes would be detected.

The Examiners demonstrated the XL voting process and reviewed the system schematics and software actions. The voting process was demonstrated as follows: the terminal is opened for voting and the voter inserts a blank activation card. The voter selects the candidate choices and then selects the "Print" button.
The XL prints the voter's choices on a paper vote summary record using the thermal printer. The vote summary record is then scanned and presented to the voter via the front facing voter verification window. The voter reviews and verifies the vote summary record and selects the "Cast" button. The system then saves and tabulates the votes and deposits the printed vote summary record into the collection bin without being re-scanned.

During the examination of the system it was observed that the location of the print head, after the initial print, allows the vote summary record to pass to the collection bin without making contact with the print head again during the vote summary record deposit process. The Examiners also carefully evaluated the voting process to identify any distinct cues during the printing process and observed that the printing process was audible and thus detectable. Hence, a successful attempt to activate the printer to print on the vote summary record after the voter verifies his or her selections would be heard.

The Examiners also attempted to change the tabulation of the vote by modifying the bar code on the paper vote summary record after verification by the voter but were unsuccessful. Attempts were also made to insert and tabulate modified bar codes by the system and those attempts too were unsuccessful.

3. Documentation Review

The Examiners conducted documentation review to determine if there are acceptable security processes in place to prevent unauthorized access or tampering, and to determine if there are mechanisms in place to identify if any unauthorized or malicious acts have taken place.
The system documentation cited multiple procedures in place to ensure that the security of the XL is maintained, including: warehouse security for poll worker selection, poll worker training, physical security of the polling place environment, physical security of the device (keys, security screws, tape, other tamper resistant/evident items), security, bar code security, programmatic security of the XL, as well as system auditing. The Examiner reported that the system executables and bar codes have mechanisms in place to detect unauthorized modification. Configuration of the paper vote summary record also allows the voter-verifiable text to be formatted with options to leave no blank lines between contest and selections, which prevents malicious software from leaving out a voter's selections and/or filling them in after a voter reviews their vote summary record.

B. Examination Results and Discussion regarding Allegation #2

The Petition's allegation number two alleges that the XL violates Section 1107-A(1) of the Election Code, 25 P.S. which requires that a voting system "provides for voting in absolute secrecy and prevents any person from seeing or knowing for whom any voter, except one who has received or is receiving assistance as prescribed by law, has voted or is voting," because it stores the voter verified paper records in chronological order. As detailed below, the Examiners evaluated these claims and determined through security analysis and evaluation, functional testing, and documentation review that the XL does not violate Section 1107-A(1) of the Election Code because, when used in accordance with statutory and recommended procedures for maintaining proper chain of custody and canvassing votes, it provides for voting in "absolute secrecy," with exception for voters who are receiving assistance.

1.
Security Analysis and Evaluation

The security specialist reviewed the internal security, functional and architectural diagrams, software specifications, as well as the XL hardware schematic documentation. The Examiners also utilized the vulnerability assessment performed during the initial examination of the EVS 6021 voting system. The Examiners gathered information about the system security protocols and procedures in place to prevent and detect unauthorized access to the ballot bin and to maintain voter secrecy during the process of voting and after the close of polls. The Examiners then used the information gathered during this evaluation to identify specific test cases to be executed during the functional testing and documentation review phases.

2. Functional Testing

The Examiners completed vote sessions and demonstrated the actions at close of polls by the poll worker. The Examiners concluded that in accordance with recommended procedures, once an election has been closed, a poll worker will not be handling the paper vote summary records which are sealed in the collection bins. The Examiners provided a recommendation suggesting that processes to randomize vote summary records should be performed at the county office in accordance with the Election Code, which will be a required condition for use of this system.

3. Documentation Review

The Examiners concluded that system documentation identifies procedures recommended by the vendor during implementation and operation to prevent violation of vote record secrecy, including: physical security to prevent and/or detect unauthorized attempts to access the paper vote summary records, assigning voters in a relatively equal distribution among multiple devices, as well as assigning multiple officials from different parties to handle vote record collection bins. In addition, vote record secrecy is maintained when statutory procedures for commingling ballots are conducted prior to canvass and storage by the county board of elections.

C.
Examination Results and Discussion regarding Allegation #8

The Petition's allegation number eight alleges that the XL violates Section 1 of the Election Code, 25 P.S. 3031.7(1), which requires that a voting system "provides for voting in absolute secrecy and prevents any person from seeing or knowing for whom any voter, except one who has received or is receiving assistance as prescribed by law, has voted or is voting," because it requires a voter to request assistance from a poll worker during the process of "spoiling" the paper vote summary record when the voter made an error during the process of voting. As detailed below, the Examiners evaluated these claims and determined through security analysis and evaluation, functional testing, and documentation review that the XL does not violate Section 1107-A(1) of the Election Code because, when used in the context of proper statutory and recommended procedures for polling place setup and poll worker training, it provides for voting in "absolute secrecy," with exception for voters who are receiving assistance in the voting booth.

1. Security Analysis and Evaluation

The security specialist reviewed the internal security, functional and architectural diagrams, software specifications, as well as the XL hardware schematic documentation. The Examiners also utilized the vulnerability assessment performed during the initial examination of the EVS 6021 voting system. The Examiners gathered information about the system security protocols and procedures in place to prevent unauthorized access to the paper vote summary records and to preclude unauthorized access to the system administration screen used during the process of assisting voters who need to spoil their ballots before they are cast. The Examiners also evaluated what, if any, malicious activity could be accomplished if an unauthorized person or persons learned the passcode used to access the system administration screen.
The Examiners then used the information gathered during this evaluation to identify specific test cases to be executed during the functional testing and documentation review phases.

2. Functional Testing

To test this Petition item, the Examiners demonstrated the process of spoiling a vote summary record and concluded that appropriate voter and poll worker training and instructions on the screen can ensure vote record secrecy. This will also be made a condition of this recertification report. The allegation about the password compromise was also reviewed and the Examiners determined that a compromise of all the characters of the supervisor password would be very difficult, and an audible chime sounds after three failed attempts to enter the password. The Examiners noted that even if the password was known to an unauthorized person, they would not be able to access any functions related to voting or tabulation and any actions performed by the session user are recoverable. The Examiners also noted that the position of the poll worker during the process doesn't lend itself to easily viewing the voter's choices, and also pointed out that since the voter has decided to spoil the vote summary record it is not his/her final intended vote selection.

3. Documentation Review

The Examiners concluded that the system documentation identifies multiple procedures to protect voter privacy and prevent the compromise of the supervisor password. Please refer to Section V, Additional Conditions for Certification, for details regarding the required procedures.

V. Additional Conditions for Certification

Given the results of the reexamination that occurred in August 2019, and the findings and recommendations of the Examiners, the Acting Secretary of the Commonwealth maintains the certification of the XL subject to the following additional conditions:

A.
Jurisdictions selecting the XL must implement proper poll closing and vote record transportation procedures to ensure that collection bins containing paper vote summary records are sealed and transported with proper chain of custody to the county office. Poll worker training must include the details of the procedures to ensure that collection bins remain sealed until delivered to the county office. Collection bins must be opened in the presence of board of election members and must be commingled before canvass and storage, in a manner consistent with the procedure outlined for the canvassing of absentee ballots under Section 1308(6) of the Election Code, 25 P.S.

B. Jurisdictions implementing the XL must ensure that vote summary record instructions include specific voter and poll worker instructions added on the screen detailing spoiling procedures and cues to protect voter privacy. In addition, poll worker training must:

- Emphasize the need to obscure any view of the paper vote summary record during the process of spoiling the record;
- Educate poll workers on the proper steps to be taken when they respond to a voter request for spoiling the vote summary record to ensure that the secrecy of the spoiled record is maintained. These steps include ensuring that the voter intends to spoil the record, has read the instructions on the screen and has been informed by the poll worker how to prevent inadvertent view of the vote summary record before the poll worker enters inside the privacy curtain;

VI. Conclusion

As a result of the reexamination, and after consultation with the Department's staff, counsel and the Examiners, the Acting Secretary of the Commonwealth concludes that the ExpressVote XL certified as part of the EVS 6021 voting system can be safely used by voters at elections, as provided in the Election Code, and meets all of the requirements set forth in the Election Code.
Accordingly, the Acting Secretary maintains the certification of EVS 6021 - ExpressVote XL for use in this Commonwealth.

Appendix A

July 16, 2019

Honorable Kathy Boockvar
Acting Secretary of the Commonwealth
Department of State
Bureau of Commissions, Elections and Legislation
302 North Office Building, 401 North Street
Harrisburg, PA 17120

Dear Secretary Boockvar,

Pursuant to 25 P.S. 3031.5, on behalf of the undersigned electors of the Commonwealth of we hereby request a re-examination of the ExpressVote XL electronic voting machine. We enclose at least ten (10) certifications of duly registered electors in the Commonwealth of who seek this re-examination. We have enclosed a check for $450 payable to the Treasurer of the Commonwealth of

As you know, "[t]he Secretary's duty to re-examine the machines upon proper request is mandatory." Banfield v. Aichele, 51 A.3d 300, 314 (Commw. Ct. Penn. 2012), aff'd sub nom. Banfield v. Cortes, 110 A.3d 155 (2015).

We have attached a list of deficiencies in the ExpressVote XL which require attention during re-examination. We also note that the ExpressVote HW 2.1 used as a tabulator shares many of the same deficiencies as the ExpressVote XL.

We respectfully request that the Secretary of the Commonwealth re-examine the ExpressVote XL electronic voting machine and issue a report relating to the functionality of the system. We request that this re-examination be conducted expeditiously because several counties in the Commonwealth have chosen or are considering the ExpressVote XL, and all counties must act quickly to comply with the Department of State directive to select new voter-verifiable paper record voting systems no later than December 31, 2019.

If the Secretary of the Commonwealth determines that the attached deficiencies are compelling evidence to preemptively decertify the ExpressVote XL, we would withdraw our petition for re-examination.
Respectfully submitted,

Ronald A. Fein, Legal Director
John C. Bonifaz, President
Free Speech For People
1320 Centre St. #405
Newton, MA 02459
(617) 244-0234
rfein@freespeechforpeople.org

Susan Greenhalgh
Vice President of Policy and Program
National Election Defense Coalition

Kevin Skoglund
Chief Technologist
Citizens for Better Elections, A member of the Protect Our Vote Philly Coalition

Petition Pages

200 signatures by duly registered electors in the Commonwealth of
From the counties: Philadelphia, Allegheny, Montgomery, Bucks, Delaware, Westmoreland, Northampton

Attachment: ExpressVote XL Deficiencies

We seek re-examination of the ExpressVote XL voting machine on these grounds.

1. Tampering with Ballot Cards

The ExpressVote XL violates 1107-A, 25 P.S. 3031.7 (12), which requires that a voting system: "Provides acceptable ballot security procedures and impoundment of ballots to prevent tampering with or substitution of any ballots or ballot cards."

Since the Certification of EVS 6.0.2.1, security researchers discovered[1] that the ExpressVote XL exposes a ballot card cast by a voter to an internal printer prior to tabulation and impoundment. The internal printer is controlled exclusively by software which has the ability to tamper with the content of the ballot card. A malfunctioning or manipulated ExpressVote XL could add, modify, or invalidate votes after the voter has viewed, confirmed, and cast her ballot. It could change election outcomes without detection. This is a very high impact defect which affects the integrity and auditability of the voting system.

This defect violates the principle of software independence: "A voting system is software-independent if an undetected change or error in its software cannot cause an undetectable change or error in an election outcome."[2] Software independence will be VVSG 2.0 Guideline 9.1 and is recognized as necessary for effective auditing. It is a "crucial"
requirement for evidence-based elections as defined by Professors Philip Stark and David Wagner: "All three components are crucial. The risk-limiting audit relies on the integrity of the audit trail, which was created by the software-independent voting system (the voters themselves, in the case of paper ballots) and checked for integrity by the compliance audit."[3] Acceptable ballot security procedures to prevent tampering must include ensuring auditability and enabling evidence-based elections.

[1] References available at: 0/ 1 8/
[2] "On the Notion of Software-Independence in Voting Systems," Ronald Rivest and John Wack, Philosophical Transactions of The Royal Society, August 6, 2008, Page 1, available at

It is common sense that a voting machine should not have the ability to change votes after the voter has confirmed and cast her ballot. The same reasoning is evident and explicitly stated in 1222, 25 P.S. 3062 "No person while handling the ballots shall have in his hand any pencil, pen, stamp or other means of marking or spoiling any ballot." Acceptable ballot security procedures to prevent tampering must include a similar restriction on any machine while handling the ballots.

2. Chronological Ballot Storage

The ExpressVote XL violates 1107-A, 25 P.S. 3031.7 (1), which requires that a voting system: "Provides for voting in absolute secrecy and prevents any person from seeing or knowing for whom any voter, except one who has received or is receiving assistance as prescribed by law, has voted or is voting."

The ExpressVote XL ballot container stores ballot cards in chronological order. It allows any poll worker or election official who knows even limited details about the sequence of voters to violate the absolute secrecy of one or more voters.
A voter's ballot could be determined by referencing the order of voters in the poll book or on the poll list, by counting from the first or last ballot in the set, or by counting from another identifiable ballot, such as one with a known write-in vote. This is a significant defect. Chronologically ordered ballots fail to protect voters' right to a secret ballot and enable information harvesting, vote buying and selling, and voter coercion.

The Department of State has long held the position that voting systems with chronologically ordered ballots violate absolute secrecy. Dr. Michael Shamos, statutory examiner for the Secretary of the Commonwealth from 1980 to 2010, testified to a U.S. Senate committee in 2007, "Even paper trail advocates recognize that scrolled paper trails make it easy, not just possible, to determine how every voter in a precinct voted. The first voter's ballot is first on the tape; the last voter's is last; and everyone else's is sequential order in between. A simple comparison between the paper trail and the poll list gives away everyone's vote, in violation of the Section 201 requirement of a secret ballot. Even if only two percent of the vote is audited, it means that two percent of the voters are at risk of having their votes revealed."[4]

[3] "Evidence-Based Elections," Philip Stark and David Wagner, Security and Privacy, May 8, 2012, Page 2, available at

The "Conditions Of Certification" for EVS 6.0.2.1 do not require any procedures to randomize the order of ballot cards or to otherwise protect ballot secrecy. Even if procedures had been required, the voting system cannot depend on procedures, which may not be consistently or correctly employed, to restore ballot secrecy. The voting system itself must provide it.

3. Ballot Cards Colored by Party

The ExpressVote XL violates 1109-A, 25 P.S.
3031.9 "In primary elections, the Secretary of the Commonwealth shall choose a color for each party eligible to have candidates on the ballot and a separate color for independent voters. The ballot cards or paper ballots and ballot pages shall be printed on card or paper stock of the color of the party of the voter and the appropriate party affiliation or independent status shall be printed on the ballot card or at the top of the paper ballot and on the ballot pages."

The ballot cards used by the ExpressVote XL are made of solid white thermal paper. The card stock is not colored for each party. The ballot cards are blank and do not have the appropriate party affiliation or independent status printed on the ballot card.

In primary elections, the party affiliation of a voter is determined definitively when the voter checks in, signs the poll book, and is given a ballot card. Before the voter may vote, a poll worker must configure the ExpressVote XL to display the ballot style of the voter's party. If ballot cards are not on colored card stock with the party affiliation, the voter can tell the poll worker a different party affiliation, cast fraudulent votes in another party's election, and the impounded ballot card would show no evidence of the fraud. Colored card stock with the party affiliation printed also reduces the chance that a poll worker will set the wrong ballot style for a voter by accident.

It should be demonstrated that the required ballot cards are possible and that the ExpressVote XL is capable of using them.

[4] Testimony before the U.S. Senate Committee on Rules and Administration, July 25, 2007,

4. Serially Numbered Perforated Stubs

The ExpressVote XL violates 1109-A, 25 P.S. 3031.9 (0: ". . . Each ballot card shall have an attached serially numbered perforated stub, which shall be removed by an election officer before the ballot card is deposited in the district automatic tabulating equipment or in a secure ballot box.
The name of the county, and a facsimile of the signature of the members of the County board shall be printed on the ballot card stub."

The ExpressVote XL violates 1112-A, 25 P.S. 3031.12 which requires a procedure for a district using paper ballots or ballot cards: "Following the completion of his vote, the voter shall leave the voting booth and return the ballot to the election officer by a means designed to insure its secrecy; upon removal of the stub of the ballot by the election officer, the voter shall insert the ballot into the district automatic tabulating equipment or, in the event district tabulation is not provided for by the voting system or such district tabulation equipment is inoperative for any reason, into a secure ballot box. No ballot card from which the stub has been detached shall be accepted by the election officer in charge of such equipment or ballot box, but it shall be marked 'spoiled' and shall be placed in the envelope marked 'Spoiled Ballots'."

In addition, 1113-A, 25 P.S. 3031.13 requires that, after the polls have been closed, the serially numbered stubs be used as evidence of the number of ballots issued to electors so that number may be announced in the polling place and recorded.

The ballot cards used by the ExpressVote XL do not have attached serially numbered perforated stubs. The ballot cards are blank and do not have a facsimile of the signature of the members of the county board printed on the ballot card stub.

The ExpressVote XL is designed such that a voter does not handle the ballot after the completion of her vote. The voter cannot leave the voting booth with the ballot card to return it to an election officer. The election officer does not have an opportunity to remove the stub. The election officer is not able to verify that the stub has not been detached from the ballot card in order to mark it as spoiled.

Without serially numbered stubs and signatures, any person could forge ballot cards.
Forged ballot cards can be submitted for tabulation secretly and independently because, unlike most district tabulating equipment, the ExpressVote XL tabulator is inside a privacy curtain, where election workers cannot observe voter activity.

Serially numbered stubs prevent "chain voting." Professor Doug Jones describes the fraud technique and the defense against it: "The organizer of the chain needs one valid ballot to begin with. He then marks this ballot and gives it to a voter willing to participate in the fraud. With each participant, the organizer instructs the participant to vote the pre-voted ballot and bring back a blank ballot from the polling place. Voters are paid for the blank ballot. The best defense against chain voting involves printing a unique serial number on a removable stub on each ballot. When ballots are issued to voters, the stub numbers should be recorded. No ballot should be accepted for deposit in the ballot box unless its stub number matches a recently issued number. Finally, to preserve the voter's right to a secret ballot, the stub should be torn from the ballot before it is inserted in the ballot box."5

It should be demonstrated that the required ballot cards are possible and that the ExpressVote XL is capable of using them.6

5. Valid Marks on a Ballot Card

The ExpressVote XL violates 1112-A, 25 P.S. 3031.12 which applies to districts using paper ballots or ballot cards. The three procedures in 3031.12 each specify that a voter shall vote on a ballot card by "making a cross (X) or check (✓) mark or by making a punch or mark sense mark in the square opposite the name" of the candidate, the party, the write-in position, or the answer to a ballot question. The type of mark and its position relative to the name is specified six times in total.

The ExpressVote XL does not make a cross or check mark or make a punch or mark sense mark, nor does it permit a voter to do so.
On an ExpressVote ballot card there is no square opposite the name in which to place any mark. Instead a barcode is printed near the top of the ballot card, separate and far from the name. The barcodes are not even listed in the same order as the names are listed.

The type of mark and its position relative to the name is an important requirement. A valid mark next to a corresponding name allows the voter to verify that each vote matches her intent prior to casting the ballot card, ensuring the principle of "cast as intended." A valid mark next to a corresponding name allows election officials or any person to easily observe, count, and audit the vote, without software or special equipment. The Election Code intends for the meaning of each vote to be transparent and software independent.

5 "On Optical Mark-Sense Scanning," Douglas W. Jones, in Towards Trustworthy Elections, 2010, Page 178, available at

6 Upon information and belief, the ExpressVote XL could be made to use compliant ballot cards, as apparently offered serially numbered cards in Michigan. However, the machines certified and used in do not use compliant ballot cards.

6. Indicated Voting Positions on Ballot Cards

The ExpressVote XL violates 1109-A, 25 P.S. 3031.9 "The pages placed on the voting device shall be of sufficient number to include, following the listing of particular candidates, the names of candidates for any nonpartisan offices and any measures for which a voter may be qualified to vote on a given election day, provided further that for municipal, general or special elections, the first ballot page shall list in the order that such political parties are entitled to priority on the ballot, the names of such political parties with designating arrows so as to indicate the voting square or position on the ballot card where the voter may insert by one mark or punch the straight party ticket of his choice." (Emphasis added).

The ExpressVote XL violates 1109-A, 25 P.S.
3031.9 "In partisan elections the ballot cards shall include a voting square or position whereby the voter may by one punch or mark record a straight party ticket vote for all the candidates of one party or may vote a split ticket for the candidates of his choice." (Emphasis added).

The ExpressVote XL lists political parties on the If a voter makes a straight party choice, the ExpressVote XL will later record the selection by printing a barcode and human-readable text on the ballot card. This process does not meet the requirements.

An electronic voting machine is required to list the political parties with arrows to indicate positions on the ballot card. The ExpressVote XL does not indicate voting positions on the ballot card, nor does it use any "designating arrows." In fact, there are no fixed positions on the ballot card - the location of the barcode and human-readable text will vary depending on the voter's other selections.

7. Unlawful Assistance in Voting

The ExpressVote XL would require voters to violate 1218, 25 P.S. 3058 "No voter shall be permitted to receive any assistance in voting at any primary or election, unless there is recorded upon his registration card his declaration, that, by reason of blindness, disability, or inability to read or write, he is unable to read the names on the ballot or on the voting machine labels, or that he has a physical disability which renders him unable to see or mark the ballot or operate the voting machine, or to enter the voting compartment or voting machine booth without assistance, the exact nature of such condition being recorded on such registration card, and unless the election officers are satisfied that he still suffers from the same condition."

The ExpressVote XL would require election officers to violate 25 P.S.
303 1.1 "At the polling place on the day of the election, each voter who desires shall be instructed, by means of appropriate diagrams and a model, in the operation of the voting device before he enters the voting booth. If any voter shall ask for further instructions concerning the manner of voting after entering the voting booth, any election officer may give him audible instructions without entering such booth, but no such election officer shall when giving such instructions in any manner request, suggest or seek to persuade or induce any such voter to vote any particular ticket or for any particular candidate or other person or for or against any particular question." (Emphasis added).

The ExpressVote XL would require voters and election officers to violate 1220, 25 P.S. 3060 ". . . No elector shall be allowed to occupy a voting compartment or voting machine booth already occupied by another, except when giving assistance as permitted by this act."

When any voter using the ExpressVote XL wants to spoil her ballot card or wants to handle the ballot card for physical review, they must select an option in the interface to "Quit." The ExpressVote XL displays on screen (and reads into the audio ballot) the message: "Vote Session Canceled. Your ballot was canceled with no votes cast. Ask an election official for help." The ExpressVote XL emits a chiming sound to alert a poll worker. A poll worker must enter the voting booth, touch a designated location on the screen, enter an administrator password using an on-screen keypad, and retrieve the ballot card from the windowed container where it is held.

All voters have the right to spoil their ballot card. (1112-A, 25 P.S. 3031.12 "Any voter who spoils his ballot may return it and secure another.") A voting system is required to allow voters to spoil their ballot card. (1107-A, 25 P.S.
3031.7 (10): "If it is of a type that uses paper ballots or ballot cards to register the vote and automatic tabulating equipment to compute such votes, the system shall provide that a voter who spoils his ballot may obtain another ballot".)

The ExpressVote XL does not allow a voter to spoil her ballot card without a poll worker entering the booth in violation of the above requirements.

Voters with disabilities may wish to handle the ballot card to verify it using a magnifier or other personal assistive device. This is only possible with poll worker assistance and is only permitted if the voter has previously recorded their disability on their voter registration. Voters who have recorded a disability may "select a person" to enter the voting booth (1218, 25 P.S. 3058). This person could be a poll worker, but if another person has already been selected to assist, a poll worker entering the booth would violate the above requirements.

This deficiency has consequences for both the voter and the poll worker. 1830, 25 P.S. 3530 ("Unlawful assistance in voting") specifies that any voter "who, without having made the declaration under oath or affirmation required by section 1218 of this act shall permit another to accompany him into the voting compartment or voting machine booth" or "any person who shall go into the voting compartment or voting machine booth with another while voting or be present therein while another is voting" is guilty of a misdemeanor and will be sentenced to pay a fine, imprisonment, or both.

8. Poll Workers in the Booth and Ballot Secrecy

The ExpressVote XL violates 1107-A, 25 P.S. 3031.7 (1), which requires that a voting system: "Provides for voting in absolute secrecy and prevents any person from seeing or knowing for whom any voter, except one who has received or is receiving assistance as prescribed by law, has voted or is voting."
The ExpressVote XL violates the Help America Vote Act of 2002 (HAVA), 301(a)(1)(A) which requires that a voting system shall: "provide the voter with the opportunity (in a private and independent manner) to change the ballot or correct any error before the ballot is cast and counted (including the opportunity to correct the error through the issuance of a replacement ballot if the voter was otherwise unable to change the ballot or correct any error)"

The previously described procedure for spoiling a ballot card on the ExpressVote XL allows the poll worker, upon entering the voting booth, to view the selections on the ballot card through the windowed container and while handling the ballot card. The poll worker will look directly at the ballot card while extracting it from the container. The poll worker can see and know for whom the voter has voted or is voting. The ExpressVote XL does not allow any voter to privately and independently correct an error through the issuance of a replacement ballot.

It is also noteworthy that this procedure reveals an administrator password to the voter. The poll worker enters the password in front of the voter using an on-screen keypad and each character is displayed in the input field as it is typed. During public demonstrations of the ExpressVote XL, several members of the public reported easily observing the administrator password used.

9. Accessibility

The ExpressVote XL violates 1107-A, 25 P.S. which requires that a voting system: "Permits each voter to vote for any person and any office for whom and for which he is lawfully entitled to vote, whether or not the name of such person appears upon the ballot as a candidate for nomination or election." (Emphasis added).

The ExpressVote XL violates 1107-A, 25 P.S. which requires that a voting system: "Permits each voter . . . to vote a straight political party ticket . . . by one mark or act, to vote for all the candidates of one political party for every office to be voted for, and every such mark or act shall be equivalent to and shall be counted as a vote for every candidate of the political party so marked including its candidates for presidential electors, except with respect to those offices as to which the voter has registered a vote for individual candidates of the same or another political party or political body, in which case the automatic tabulating equipment shall credit the vote for that office only for the candidate individually so selected, notwithstanding the fact that the voter may not have individually voted for the full number of candidates for that office for which he was entitled to vote." (Emphasis added).

The ExpressVote XL violates the Help America Vote Act of 2002 (HAVA), 301(a), which requires that a voting system shall:

1.A.i: "permit the voter to verify (in a private and independent manner) the votes selected by the voter on the ballot before the ballot is cast and counted."

1.A.ii: "provide the voter with the opportunity (in a private and independent manner) to change the ballot or correct any error before the ballot is cast and counted (including the opportunity to correct the error through the issuance of a replacement ballot if the voter was otherwise unable to change the ballot or correct any error)"

3.A: "be accessible for individuals with disabilities, including nonvisual accessibility for the blind and visually impaired, in a manner that provides the same opportunity for access and participation (including privacy and independence) as for other voters."

To the extent that any HAVA Section 261 funds are involved, use of the ExpressVote XL also violates HAVA 261

An eligible State and eligible unit of local government shall use the payment received under this part for -
(1) making polling places . . .
accessible to individuals with disabilities, including the blind and visually impaired, in a manner that provides the same opportunity for access and participation (including privacy and independence) as for other voters.

The Certification of EVS 6.0.2.1 included an accessibility testing report on pages 68-94. The ExpressVote XL was reviewed by the accessibility test group. "Every participant had at least one problem, despite relatively high election knowledge and digital experience, suggesting that the issue would be more severe for voters without these personal resources to help them understand what is happening." (Page 70)

"None of the participants could verify the ballot in the glass cage:
- Blind voters had no access to the ballot to use personal technology
- Low vision voters could not position the ballot so they could read the small text
- Other voters had problems reading the ballot because of glare and because the sides of the ballot were obscured by the cage.
Although it is possible to have the ballot ejected to handle it while verifying, the procedure is unclear and it requires voters to tell the system they want to 'Quit' and call a poll worker." (Page 74)

Participants in the accessibility study found the ExpressVote XL made it difficult to cast write-in votes. For a vote for a write-in candidate to count, spelling must be perfect and "[a]ll of the participants knew that a misspelled write-in would not be counted, but could not figure out how to review what was typed." (Pages 70-71, 86-87). Furthermore, the ExpressVote XL did not allow participants to review any write-in votes through the audio ballot because the text of the write-in is not encoded in the barcodes printed on the ballot card. (Pages 73, 75, 88).

Voters relying on the audio ballot had significant issues with voting a "straight-party" ticket.
If a voter selects a single candidate outside the straight-party ticket, the ExpressVote XL deselects all other candidates, without informing the audio-guided voter. The accessibility testing report describes this problem as "not only a failure to vote independently, but identifying and solving the problem requires revealing their votes to a poll worker or assistant." (Pages 68-69). The audio ballot also "does not announce the party of each candidate. This made it impossible to complete tasks based on party, including confirming straight party selections." (Pages 83, 86).

The Department of State's accessibility testing report makes it clear that the ExpressVote XL is not accessible for individuals with disabilities "in a manner that provides the same opportunity for access and participation (including privacy and independence) as for other voters." Most importantly for these voters, it does not "permit the voter to verify (in a private and independent manner) the votes selected by the voter on the ballot before the ballot is cast and counted."

10. The Stein Settlement

The ExpressVote XL violates the settlement in Stein v. Cortes:7

"The Secretary will only certify new voting systems for use in if they meet these criteria:
a. The ballot on which each vote is recorded is paper;
b. They produce a voter-verifiable record of each vote; and
c. They are capable of supporting a robust pre-certification auditing process.
3. The Secretary will continue to direct each county in to implement these voting systems by the 2020 primaries, so that every voter in 2020 uses a voter-verifiable paper ballot."

The ExpressVote XL does not provide the voter a paper ballot, as that term is defined by 25 P.S. 3031.1. Instead, it provides a "ballot card." A paper ballot is a piece of paper with the options pre-printed, whereas a ballot card only prints a voter's selection on a blank piece of paper. See id.
(defining paper ballot as "a printed paper ballot which conforms in layout and format to the voting device in use" and ballot card as "a card which is compatible with automatic tabulating equipment and on which votes may be registered"). Because the ExpressVote XL does not provide a paper ballot, voters in counties using the ExpressVote XL will not receive a voter-verifiable paper ballot in 2020, in contravention of the Stein settlement's requirement that the Secretary "direct each county in to implement these voting systems by the 2020 primaries, so that every voter in 2020 uses a voter-verifiable paper ballot."

7 Stein v. Cortes, No. 16-cv-06287, ECF No. 108 (E.D. Pa. Nov. 28, 2018), available at