Voting System Examination

Dominion Voting Systems

Democracy Suite 5.5-A

Prepared for the

Secretary of State of Texas

James Sneeringer, Ph.D.

Designee of the Attorney General

This report conveys the findings of the Attorney General's designee from an examination of the
equipment listed below.

Examination Date October 2-3, 2019

Report Date November 3, 2019

Components Examined
EAC/NASED Qualification
Version Number Date
EMS - Election Management System 5.5.12.1 DVS-DemSuite5.5-A 1/30/2019
ADJ - Adjudication 5.5.8.1 DVS-DemSuite5.5-A 1/30/2019
ICC - ImageCast Central 5.5.3.0002 DVS-DemSuite5.5-A 1/30/2019
ICP - ImageCast Precinct 5.5.3.0002 DVS-DemSuite5.5-A 1/30/2019
ICX - ImageCast X BMD 5.5.10.30 DVS-DemSuite5.5-A 1/30/2019

The Democracy Suite 5.5-A (or D-Suite 5.5-A) is a modern voting system that is new to Texas,
although D-Suite is in use in other states. A distinguishing feature is the extensive use of
commercial off-the-shelf components, or COTS components, to use the industry parlance. COTS
components are standard hardware or software products, as opposed to custom-made
components.

For example, the D-Suite voting terminals are commercially available Android tablets that
include the stand and the smart-card reader used for voter authentication. Similarly, the PCs,
networking gear, hard drives, printers, and some scanners are COTS components.

D-Suite Components
ImageCast X (or ICX) is the name of the line of voting stations, which all share identical
software. The X in the name highlights the interchangeability of the software and, in one case,
even the tablet hardware.

For this examination, Dominion is only seeking certification of one member of the ICX line – the
ImageCast X BMD. (BMD stands for ballot-marking device.) When a voter is finished making his
or her selections, the BMD prints the ballot on the attached printer but does not save the voter’s
choices on the device. Since these devices do not tabulate at all, they do not need zero-tapes,
precinct tallies, or the like. The printed ballot must then be scanned before it is counted. Each
ballot contains the cast-vote record in two formats: a QR code (for use by the scanner) and a

Page 1
printed, human-readable list (which can be visually verified by the voter). If there should be a
question about whether the two match, it can be easily verified by scanning the QR code on the
ballot and visually checking that it corresponds to the printed votes.

The voting stations are COTS Android tablets; they must be placed in kiosk mode, which
prevents access to the Android features during voting.

Election setup, tabulation, and other related tasks are done with mostly COTS components and
the proprietary EMS software. Most of the components are on a LAN (local area network), and
no other devices are to be connected to that LAN.

All election data and results are stored on self-encrypting hard drives and are also encrypted by
the database software, Microsoft SQL Server. The hard drives are redundant (RAID 10),
meaning that each piece of data is stored on two separate hard drives, so nothing is lost even if
one hard drive fails. There are two configurations, one that allows multiple client computers
connected to a single server computer, and one where everything is on the same computer. We
tested only the former, so the single-computer setup is not being certified. These computers run
a hardened Windows operating system.

Voting
Election Setup. Election setup (such as entering races and assigning candidates to them) is
done using a GUI (graphical user-interface) that is part of the Election Management System.

Authentication for election setup and central-count administration. D-Suite uses two-
factor authentication for administration. Access is granted only after both entering the correct
PIN and presenting a token, which will be either an iButton (see photos)
or a smart card, depending on the device. According to the vendor, an
iButton is more durable than a smart card, but they serve the same
purpose. In either case, the electronic token is created and encoded on
the iButton or smart card using the Election Management System.

Zero-total report. Zero totals are automatically printed by the scanners on paper tape. Note
that no zero report is needed for the ballot-marking devices (BMDs).

Ballot selection. Authorization to vote and ballot selection are done using smart cards
generated by the Election Management System. A poll worker enters the ballot style, and the
software writes it on a smart card in a secure way. The voter then takes the smart card to any
voting station to vote. The voter cards are automatically cleared after voting, so they cannot be
reused. Also, as a backup, a poll-worker card can be inserted into the voting station to allow
manual selection of the ballot style.

Page 2
 Voting. Voting is done on the touch screen of the
ImageCast X BMD, or ballots can be marked manually.

Transfer Results. Vote totals are transferred from the

ICP precinct scanner to central count using a removable
memory device.

Print precinct results. Precinct results are printed by

the precinct scanner on paper tape.

Straight party / crossover. Straight-party voting

and crossover voting both work properly.

Accessibility. Verification of accessibility is performed independently by the office of the

Secretary of State, but the examiners had the opportunity to see the accessibility components.

Comments
The use of many COTS components should reduce the cost of D-Suite significantly. If this
savings is passed on to the jurisdictions, then that’s a very significant advantage.

The optical scanner has a clever feature that appends to each ballot image an “audit mark” that
records in plain text how the ballot was interpreted by the scanner.

Although D-Suite can accommodate jurisdictions of all sizes, the client-server configuration
submitted for certification has a minimum of one server and one workstation. We did not
examine the single-computer configuration, which would be more appropriate for small counties.

Problems Identified in the Prior Exam on January 16-17, 2019

Crossover Votes. In the January exam we saw a problem with handling crossover votes after
a straight-party selection. Dominion has fixed that problem.

Adjudication results can be lost. In the January exam, during adjudication of the ballots in
the test election, one of the Dominion representatives made a series of mistakes that caused the
entire batch of adjudication results to be lost. We did not see this problem again during this
exam, but the adjudication system is unchanged, so this vulnerability is still present.

Recommendation: Certification should be denied.

DRE station failure. Examiner Brian Mechler discovered in January that simply unplugging and
reconnecting the cord that supplies power to the VVPAT from the Android tablet will usually
cause the tablet to fail. Since Dominion is not submitting their DRE station for certification, this
problem is not relevant to this exam.

Voter May have to Start Over. In January the printer tray became ajar during voting, and the
system did not notice until the voter attempted to cast his ballot. The system would not accept
the ballot and all the voter’s choices were lost. A poll worker card was required to clear the
problem. In this exam, we were unable to reproduce this problem, so perhaps it was fixed by
the software upgrade.

Page 3
Concerns
1. Installation is complex, error prone, and tedious. I counted 184 steps in their
installation manual before deciding to estimate the remaining steps. I estimate a total of about
500 steps are required to install the software. I did not count steps that merely said something
like “Click OK” or “Click Next.” This installation manual is 412 pages long with an additional 23
pages of front matter -- contents, lists of figures, and the like.

Some of these steps were quite simple, but some were lengthy with several “if” clauses. Here is
a sample step:

In the Command Prompt, run the following command, where X is the drive letter of the
DVD-ROM drive where the Windows installation media is located:

Dism /online /enable-feature /featurename:NetFx3 /All /Source:X:nsourcesnsxs

/LimitAccess

According to the Dominion representatives, there are eight Windows services that must be
started in a certain order; however, the order that steps must be done is not the same as the
order they appear on the menus of the Dominion product.

The installation we witnessed took all day. Apparently, a mistake was made (accidently skipping
one of the reboot steps) and the Dominion representatives, although clearly knowledgeable,
were not able to recover before we broke for lunch. This was despite telephone consultations
with other Dominion experts and the use of a troubleshooting guide that Dominion declined to
make available to the examiners. Over lunch they decided to start the installation over, and it
was successful the second time, finishing before the end of the day. Altogether, the installation
took about 8 hours.

Recommendation: Certification should be denied.

2. Test Voting. During our voting test, we discovered that some party names and
proposition text were not displayed, and one scanner was not accepting some ballots. These all
turned out to be errors Dominion made in setting up the standard test election used by the
Secretary of State. In the case of the scanner, it had accidently been configured not to accept
machine-marked ballots. The other problems were caused by leaving some fields empty during
election setup, something that the EMS software should not allow, or at least highlight.

Recommendation: Certification should be denied.

3. Misleading Message. The ballot-marking devices incorrectly informed voters that

they were casting their ballots, when in fact they were only printing them. The ballots are not
be counted until they were scanned on a different device.

Recommendation: Certification should be denied.

4. Disappearing Message. At one point while scanning ballots, something flashed on

the display so briefly we could not read it. After several attempts to re-scan the ballot, we were
able to discern that it was a message reading “Ambiguous Marks” that was displayed for a
second or less. It then reverts to the “System Ready” message. The voter has no way of
knowing what, if anything, is wrong since the error message does not persist long enough to
read it.

Page 4
Furthermore, the message is confusing. It would be better to say something like “Cannot read
ballot.”

Recommendation: Certification should be denied.

5. USB Port Vulnerability. The ICX ballot-

marking device has an indicator light on top to
show poll workers when the station is in use. That
light is connected by a USB port.

When Brian Mechler’s phone was attached to the

USB port, the ICX scanned the files on his phone
and did not complain, although Dominion later
showed that the event was logged. When a USB
drive with files was inserted, the ICX sometimes
complained and sometimes did not, apparently
according to the content of the USB drive and
whether it was present when the ICX was first
powered up or inserted later.

Recommendation: Certification should be denied

unless either (a) the indicator light is removed from
the certified configuration or (b) a way is found to
secure the USB connection to the light.

Conclusion
I like the idea of using COTS components to save
taxpayer money, and Dominion has done a good
job of finding COTS components and minimizing the number of custom components.

Nevertheless, I cannot recommend certification. Computer systems should be designed to

prevent or detect human error whenever possible and minimize the consequences of both
human mistakes and equipment failure. Instead the Democracy Suite 5.5-A is fragile and error
prone. In my opinion it should not be certified for use in Texas.

If certification should be granted, it should be with the condition that all open network and USB
ports be sealed.

Page 5