Secure Select Use Procedures and Technical Specification VERSION 2.0 PREPARED FOR CALIFORNIA SECRETARY OF STATE
2019-06-27

Table of Contents

Table of Contents ..... 2
Secure Select Use Procedures ..... 3
1. Introduction ..... 3
  1.1. Terms and Definitions ..... 4
  1.2. System description and components ..... 4
2. Ballot Definition ..... 7
  2.1. Paper and printing specifications ..... 7
  2.2. Printed Selection Specification ..... 7
  2.3. Printed Barcode Specification ..... 7
3. Election Set-up and Definition ..... 7
  3.1. Programming and configuration of election management system/software ..... 7
  3.2. Programming and configuration of vote recording/tabulation devices ..... 8
  3.3. System diagnostic testing procedures ..... 8
  3.4. Logic and accuracy testing ..... 9
4. System Installation and Configuration ..... 10
  4.1. Hardware requirements and specifications ..... 10
  4.2. Hardware and network set-up and configuration ..... 10
  4.3. Software installation and configuration ..... 10
  4.4. Acceptance Testing ..... 10
  4.5. Software and firmware upgrades ..... 13
5. Polling Place Procedures ..... 13
6. Absentee/Mail Ballot Procedures (Central Tabulation) ..... 13
7. Official Canvass and Post-Election Procedures ..... 13
  7.1. Post-election logic and accuracy testing ..... 13
  7.2. Back-up and Retention of election material ..... 13
8. Security ..... 14
  8.1. Physical security of system and components ..... 14
  8.2. User-level security ..... 14
  8.3. Procedures for verifying, checking, and installing essential updates and changes ..... 14
  8.4. Ballot Audit trail ..... 15
Appendix A: WCAG 2.0 Conformance ..... 16
Appendix B: Ballot Data Specification ..... 18
Appendix C: QR Code Specification ..... 20
Appendix D: Secure Select Technical Details ..... 21
  1. Architecture and Codebase ..... 21
    1.1. Secure Hosting ..... 22
    1.2. Scalable Architecture ..... 23
    1.3. Flexible Architecture ..... 24
    1.4. Application Review and Certification ..... 24
  2. Source Code Verification ..... 25
    2.1. Storing the Secure Select Hash Code ..... 25
    2.2. How to use Hash Code Verification ..... 25
Appendix E: Acceptance Testing Tables ..... 26

Secure Select Use Procedures

1. Introduction

Absentee balloting is composed of four main components: 1) Voter authentication, 2) Obtaining ballot return materials, 3) Marking ballot selections, and 4) Returning the marked ballot to the local elections office. Secure Select is a cloud based application focused solely on ballot marking. Separating ballot marking as a microservice introduces flexibility to counties and several benefits to voters.

Secure Select was designed from the ground up to meet the highest levels of accessibility. It satisfies all WCAG 2.0 guidelines including screen reader compatibility, full keyboard access, and color, contrast and font sizing requirements (see Appendix A for details). Secure Select is compatible with macOS and Windows screen readers including, but not limited to, the following:

Operating System | Web Browser | Screen Reader
Windows 10 | Internet Explorer 11, Edge 14 | Narrator
Windows 10 | Firefox | NVDA
macOS 10.12 | Safari 10.1 | VoiceOver

Per the California State Elections code for ballot marking, Secure Select does not require, nor allow, interaction with a remote server during the ballot marking process. Once the Secure Select application is loaded from the cloud, no further connection to the server or the Internet is required.

1.1. Terms and Definitions

Ballot Definition File – A file containing all data needed to display a specific ballot style (headers, contests, measures, candidates, candidate order, etc.). Ballot Definition Files are stored on a remote server and are downloaded and parsed by Secure Select to display ballot styles to voters.

Box – When used in the context of a ballot, represents any content on a ballot such as contests, measures or propositions (which are typically enclosed in a box).

Option – When used in the context of a ballot, represents any markable content on a ballot such as candidates, measure responses, or write-ins.

Microservice – An application or service with an isolated set of functionality meant to be used as part of a larger application or workflow.

URL – A location on the internet accessible by typing it into a web browser.

QR Code – A machine-readable code consisting of an array of black and white squares, typically used for storing information for reading by the camera on a smartphone.

1.2. System description and components

Secure Select is composed of three main components. A Ballot Definition File is created and passed into Secure Select. Secure Select parses the Ballot Definition File and presents a ballot style to the voter. The voter can optionally use a Screen Reader to navigate through the ballot. After marking their ballot and reviewing their selections, the voter can print their selections.

1.2.1. Ballot Definition Files

Ballot Definition Files must meet the Ballot Data Specification defined in Appendix E and be hosted at a publicly accessible URL. Once the Ballot Definition File has been uploaded, it can be passed into Secure Select using the following format.

Example URL: https://ss.liveballot.com?data=DEFINITION_URL&lang=LANG_CODE

• data – An absolute URL (including https://) to a Ballot Definition File
• lang – A language code specifying which language to display to the voter. Allowed language codes are en (English), es (Spanish), zh-hans (Simplified Chinese), and zh-hant (Traditional Chinese).

1.2.2. Ballot Marking (the Secure Select Application)

Secure Select is an HTML5 Single Page Application (SPA) that runs inside a web browser. During page load, Secure Select downloads and stores everything it needs to run. After page load, the application logic is completely isolated to the browser window. The voter is taken through the following pages without any server communication:

Instructions – Clear instructions are presented to the voter detailing how to navigate Secure Select and what steps they will be taken through. The voter clicks Continue to progress to the Ballot Marking screen.

Exercise: Understand how to pass a ballot definition file into Secure Select

Step 1: Secure Select has a built-in data file that can be used to help understand the process. This file is publicly accessible by entering https://ss.liveballot.com/app/assets/multilingual.json in a web browser. Enter this URL into a browser to view the data file.

Step 2: Pass this URL into Secure Select using the data parameter. Use the example URL provided above and replace DEFINITION_URL with “https://ss.liveballot.com/app/assets/multilingual.json”. Replace LANG_CODE with “en” to use English. The final URL will look like this: https://ss.liveballot.com?data=https://ss.liveballot.com/app/assets/multilingual.json&lang=en

Step 3: Finally, replace “en” with “es” in the URL above to show a Spanish ballot. The final URL will look like this: https://ss.liveballot.com?data=https://ss.liveballot.com/app/assets/multilingual.json&lang=es

Step 1: Ballot Marking – The voter can mark their ballot using their keyboard, mouse, or any assistive technology. Voters are prevented from over-voting contests with a clear warning.

If a write-in candidate is selected, a text field is provided to enter a candidate name.

After marking selections, the voter clicks Continue to progress to the Selection Review screen.

Step 2: Selection Review – The voter is presented with a summary of their selections. They are notified if they are missing any selections for any contests. Clicking Change next to any contest will take the voter directly to that contest on the Ballot Marking screen. After reviewing selections, the voter clicks Continue to progress to the Print Selections screen.

Step 3: Ballot Printing – The voter prints their ballot, which contains a QR code representing their selections. After the selections have been printed, the voter clicks End Session to progress to the Complete screen.

Complete – The voter selections are cleared from memory and the voter is presented with a thank you message.

2. Ballot Definition

2.1. Paper and printing specifications

The printed output from Secure Select is designed to print from a typical home computer on US Letter (8.5 x 11) paper.

2.2. Printed Selection Specification

The printed output from Secure Select includes the options marked by the voter for every box on the ballot. The printed output is intended to be a representation of the voter's selections, not of the entire ballot. If the voter did not mark any selections for a box, the text "No Selections" is included to clearly identify where no selections have been made.

2.3. Printed Barcode Specification

The printed output from Secure Select includes a QR Code representing the voter's selections. The QR Code does not include any voter information and can be scanned using any modern smartphone or 2D barcode reader. The QR Code is included to allow for integration with 3rd party solutions such as auto duplication software. The QR Code data specification can be found in Appendix C.

3. Election Set-up and Definition

3.1. Programming and configuration of election management system/software

Secure Select is a microservice focused on accessible ballot marking. There is no election creation or ballot configuration in Secure Select. These processes happen outside of Secure Select in an Election Management System (EMS), third party ballot building software, Excel, etc. Once election data has been prepared it should be exported or converted to JSON files conforming to the Ballot Data Specification defined in Appendix B. The following list outlines three popular options for generating Ballot Definition Files:

1) Export data from existing software – If your county has election data already loaded into another software, ask your vendor if they can export the data or generate a report to meet the Ballot Data Specification. For example, current and future solutions provided by Democracy Live include data exports that meet the Ballot Data Specification.

2) Provide Excel or CSV files for conversion – It is common for counties to use Excel files to organize election data before an election. These files typically include a structured way of associating contests, candidates, ballot styles, precincts, and even rotation. A developer (either internal IT, a contract developer, or a vendor) can write a script to convert Excel (or CSV) files into Ballot Definition Files. It is important for the county and the developer to agree on a template to ensure a streamlined process in future elections. Democracy Live technical support representatives can work with counties to create a custom script for ballot data file generation. Democracy Live can also work with internal IT staff to help set up a script to be used internally.

3) Manually create ballot styles – This approach does require knowledge of how to write JSON data. This method is great for small elections with a limited number of ballot styles and content. The best way to use this method is to copy an existing Ballot Definition File and then modify the content. There are several online resources to help write and validate JSON data, such as: https://jsonformatter.org

3.2. Programming and configuration of vote recording/tabulation devices

Secure Select is only a ballot marking solution and does not record or tabulate voter data.

3.3. System diagnostic testing procedures

Secure Select must be online at all times for voters to mark and print their ballot selections. Secure Select includes a ping URL which can be accessed at any time to verify the system is online. Accessing the URL will return a 200 response header and text if the application is available and working.

Ping URL: https://ss.liveballot.com/ping

The Secure Select application is hosted on two or more parallel servers at all times. Democracy Live monitors this endpoint on each server 24/7 to detect any service interruptions. If a server does not return a 200 response, it is flagged as unhealthy and is decommissioned. A new Secure Select server is created and added to the load balancer, ensuring there are always two healthy servers available. Additional information regarding Secure Select’s server configuration is available in Appendix D.

3.4. Logic and accuracy testing

Ballot Definition Files will be generated for each ballot style in an election. Elections officials are encouraged to test each Ballot Definition File to verify Secure Select displays ballot content correctly.

3.4.1. Pre-conditions for performance of tests

To conduct testing in Secure Select, the following steps must be followed:

1. Store Ballot Definition Files on a server with a publicly accessible URL.
2. Create an Excel document with three columns: Name, URL, Status. If you work with a vendor to generate Ballot Definition Files, request a file in the following format:

Name | URL | Status
Style 1 – En | https://ss.liveballot.com?data=https://definitionurl.com/style1.json&lang=en |
Style 1 – Es | https://ss.liveballot.com?data=https://definitionurl.com/style1.json&lang=es |
Style 2 – En | https://ss.liveballot.com?data=https://definitionurl.com/style1.json&lang=en |
Style 2 – Es | https://ss.liveballot.com?data=https://definitionurl.com/style1.json&lang=es |

URL Format: https://ss.liveballot.com?data=DEFINITION_URL&lang=LANG_CODE
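The launch URL format in 1.2.1 and the Name / URL / Status test file in 3.4.1 are simple enough to generate and check by script, which avoids hand-editing errors in the file a vendor or county produces. The following is an added example, not Democracy Live's code: only the base URL https://ss.liveballot.com, the data and lang parameters and the four language codes come from the document; the host allow-list for definition files is an assumption of this example (a county would list the servers that actually host its Ballot Definition Files), and the style names and definitionurl.com addresses are constructed sample data.

```python
"""Build, validate and audit Secure Select launch URLs and the 3.4.1 test file.

Added example, not Democracy Live's code. Only https://ss.liveballot.com, the
data/lang parameters and the language codes come from the document; the
optional host allow-list is an assumption of this example."""
import csv
import io
from urllib.parse import parse_qs, urlencode, urlparse

SECURE_SELECT = "https://ss.liveballot.com"
ALLOWED_LANGS = {"en", "es", "zh-hans", "zh-hant"}


def validate_definition_url(url, allowed_hosts=None):
    """The data parameter must be an absolute https:// URL. If an allow-list
    of hosts is given, the definition file must be hosted on one of them."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"data must be an absolute https:// URL, got {url!r}")
    if allowed_hosts is not None and parts.hostname not in allowed_hosts:
        raise ValueError(f"definition host {parts.hostname!r} is not allow-listed")
    return url


def build_launch_url(definition_url, lang, allowed_hosts=None):
    """Return https://ss.liveballot.com?data=DEFINITION_URL&lang=LANG_CODE."""
    if lang not in ALLOWED_LANGS:
        raise ValueError(f"unsupported language code {lang!r}")
    validate_definition_url(definition_url, allowed_hosts)
    # safe=":/" keeps the nested URL readable, as in the document's examples;
    # any '?', '&' or '=' inside the nested URL is still percent-encoded so it
    # cannot be mistaken for a parameter of the outer URL.
    query = urlencode({"data": definition_url, "lang": lang}, safe=":/")
    return f"{SECURE_SELECT}?{query}"


def parse_launch_url(url, allowed_hosts=None):
    """Inverse of build_launch_url: recover (data, lang) and re-validate both,
    e.g. when auditing a vendor-supplied test file before using it."""
    parts = urlparse(url)
    if f"{parts.scheme}://{parts.netloc}" != SECURE_SELECT:
        raise ValueError(f"not a Secure Select URL: {url!r}")
    query = parse_qs(parts.query, strict_parsing=True)
    data = validate_definition_url(query["data"][0], allowed_hosts)
    lang = query["lang"][0]
    if lang not in ALLOWED_LANGS:
        raise ValueError(f"unsupported language code {lang!r}")
    return data, lang


def build_test_matrix(styles, langs=("en", "es"), allowed_hosts=None):
    """Rows for the Name / URL / Status file of 3.4.1: one row per ballot
    style and language, Status left blank for the tester to fill in."""
    rows = []
    for name, definition_url in styles.items():
        for lang in langs:
            rows.append({
                "Name": f"{name} – {lang.capitalize()}",
                "URL": build_launch_url(definition_url, lang, allowed_hosts),
                "Status": "",
            })
    return rows


def matrix_to_csv(rows):
    """Serialise the rows as CSV for import into Excel."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["Name", "URL", "Status"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: two styles on a hypothetical county server.
    styles = {"Style 1": "https://definitionurl.com/style1.json",
              "Style 2": "https://definitionurl.com/style2.json"}
    print(matrix_to_csv(build_test_matrix(styles, allowed_hosts={"definitionurl.com"})))
```

Running `parse_launch_url` over every URL in a vendor-supplied file before testing catches a wrong language code, an http:// definition URL, or a definition file hosted somewhere other than the county's own server, all of which would otherwise only surface as a confusing failure in the browser.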

3.4.2. Accuracy Test procedures

For each URL defined in the file generated in 3.4.1, perform the following tasks:

1. Visit the URL in a web browser.
2. Verify the ballot content is correctly displayed.
3. If the ballot style is correct, type “Approved” in the Status column.
4. If the ballot style is incorrect, enter a reason for the error. If you are working with a vendor to generate Ballot Definition Files, the notes provided in the Status column will help with error correction.

3.4.3. Logic Test procedures

Load a Ballot Definition File from the file generated in 3.4.1 and test the following:

1. Over-vote Protection – Ensure voters are not able to over-vote for a contest.
2. Correct Review Page – Confirm selections and write-ins are correctly shown on the review page.
3. No Selection Warning – Confirm a warning is shown on the review page if no selections are made.
4. Under Vote Protection – Confirm an under-vote warning is shown if not all selections are made for a contest with more than one selection available.
5. Print Selections – Confirm selections and write-ins are correctly printed.
6. QR Code – Scan the QR code with a smartphone and confirm the selection data represents the printed output.
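The logic tests above, together with the printed-output rule in 2.2 (the text "No Selections" for every unmarked box) and the Complete screen in 1.2.2 (selections cleared from memory), describe a small set of state rules. The following is an added example, not Secure Select's code: it encodes those rules as a plain Python model so a tester has an oracle to compare the application's behaviour against while working through items 1 to 5. The Contest and Ballot classes, the warning wording and the contest and candidate names are all constructed for this example.

```python
"""Reference model of the selection rules checked by the 3.4.3 logic tests.

Added example, not Secure Select's code. It encodes the behaviour the
document describes: over-vote prevention with a warning, no-selection and
under-vote warnings on the review screen, "No Selections" on the printout,
and selections cleared at End Session. Names are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Contest:
    name: str
    options: list                 # markable options, in ballot order
    max_selections: int = 1       # "vote for N"
    allow_write_in: bool = False
    marked: list = field(default_factory=list)      # selected option names
    write_ins: list = field(default_factory=list)   # entered write-in names

    def selected(self):
        return self.marked + self.write_ins


class Ballot:
    def __init__(self, contests):
        self.contests = {c.name: c for c in contests}

    def toggle(self, contest_name, option):
        """Mark an option, or unmark it if already marked (4.4.1.2 item 3).
        When the contest is full, returns a warning and leaves the state unchanged."""
        c = self.contests[contest_name]
        if option not in c.options:
            raise KeyError(f"{option!r} is not an option in {contest_name!r}")
        if option in c.marked:
            c.marked.remove(option)
            return None
        if len(c.selected()) >= c.max_selections:
            return (f"Warning: you may select at most {c.max_selections} "
                    f"option(s) in {contest_name}; unmark one before marking another")
        c.marked.append(option)
        return None

    def write_in(self, contest_name, candidate):
        """Enter a write-in candidate name; it counts against max_selections."""
        c = self.contests[contest_name]
        if not c.allow_write_in:
            raise ValueError(f"{contest_name!r} does not accept write-ins")
        if not candidate.strip():
            raise ValueError("a write-in candidate name is required")
        if len(c.selected()) >= c.max_selections:
            return f"Warning: {contest_name} already has {c.max_selections} selection(s)"
        c.write_ins.append(candidate.strip())
        return None

    def review_warnings(self):
        """Selection Review screen: flag empty and under-voted contests."""
        warnings = {}
        for c in self.contests.values():
            n = len(c.selected())
            if n == 0:
                warnings[c.name] = "No selections made"
            elif n < c.max_selections:   # only possible when more than one selection is available
                warnings[c.name] = f"Under-vote: {n} of {c.max_selections} selections made"
        return warnings

    def print_lines(self):
        """Printed output per 2.2: every box, with 'No Selections' where empty."""
        lines = []
        for c in self.contests.values():
            chosen = c.marked + [f"Write-in: {w}" for w in c.write_ins]
            lines.append(f"{c.name}: {', '.join(chosen) if chosen else 'No Selections'}")
        return lines

    def end_session(self):
        """Complete screen: the voter's selections are cleared from memory."""
        for c in self.contests.values():
            c.marked.clear()
            c.write_ins.clear()


def sample_ballot():
    """Constructed sample ballot for trying the model (not real election data)."""
    return Ballot([
        Contest("Mayor", ["Candidate A", "Candidate B"], 1, allow_write_in=True),
        Contest("City Council", ["Candidate C", "Candidate D", "Candidate E"], 2),
        Contest("Measure 1", ["Yes", "No"], 1),
    ])
```

Item 6 (scanning the QR code) is deliberately not modelled: the QR data format is defined in Appendix C, which this excerpt does not include.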

3.4.4. Retention of Test materials

The paper ballots generated from this testing should be saved under the county's normal elections document saving protocols and requirements.

4. System Installation and Configuration

4.1. Hardware requirements and specifications

Secure Select is a cloud based solution. There is no software installation or configuration required. There are no hardware requirements to use Secure Select outside of what is required to run an internet browser.

4.2. Hardware and network set-up and configuration

Secure Select is delivered to voters over the internet using SSL encryption. Users must have an internet connection and a web browser capable of accessing a website using SSL encryption.

4.3. Software installation and configuration

Secure Select is a cloud based solution. There is no software installation required. Voters can use the default web browser that comes with their computer to access Secure Select.

4.3.1. Custom Installations

Secure Select can be installed on any Linux, FreeBSD, or Windows servers. Democracy Live technical support representatives can assist IT administrators with custom installations upon request.

4.4. Acceptance Testing

Secure Select has a narrow scope of functionality limited to the accessible display, marking, and printing of ballot selections. The purpose of this design is to provide a modular application capable of integrating with new and existing software. As such, there are four key points of testing required for Secure Select:

1. General Functionality – Does the application allow voters to view, mark, and print their selections accurately?
2. Screen Reader Accessibility – Is the application fully functional by using a screen reader?
3. Keyboard Accessibility – Is the application fully functional by using only keyboard controls?
4. Voter Privacy – Does the application work without transmitting any voter data to a remote server?

The Acceptance Testing Tables in Appendix E can be printed to keep track of test items and their status.

4.4.1. Testing General Functionality

The following steps can be taken to test the general functionality of Secure Select.

4.4.1.1. Setup

1. Open a Secure Select URL from the file generated in 3.4.1. You may also use https://ss.liveballot.com?data=demo to load a demonstration election for testing purposes.

4.4.1.2. Test Items

1. Read the on-screen instructions and click Continue.
2. Read the instructions at the top of the page.
3. Click on candidates to mark a selection. Click on a candidate again to deselect.
4. Click on the checkbox next to a candidate to verify it toggles selections as well.
5. Try to over-vote for a contest. Verify an overvote warning is displayed.
6. Verify a text field is presented to enter a candidate name when checking a write-in candidate. Fill in a write-in candidate.
7. Leave at least one contest without any selections (to be used later).
8. Click Continue.
9. Confirm the selections on the Review Page are accurately displayed.
10. Click Change next to a selection. Verify it takes you to the specific contest on the Ballot Marking Page.
11. Change the selection. Verify there is a shortcut link to go back to the Review Page.
12. Go back to the Review Page and confirm changes have been made.
13. Confirm write-in values are accurately presented on the Review Page.
14. Click Continue to continue to the Print Selections page.
15. Click the Print Selection button. Confirm a print dialog is triggered.
16. Print the selections and confirm they are accurately printed.
17. Go back to Secure Select and click End Session.
18. Return to the testing URL, click Continue, and verify your selections are no longer visible.

4.4.2. Screen Reader Accessibility

For Screen Reader testing, verify all Test Items under 4.4.1 Testing General Functionality are accessible using screen reader specific key commands (these are different from the instructions shown on the instructions page).

4.4.2.1. Setup

1. Open a Secure Select URL from the file generated in 3.4.1. You may also use https://ss.liveballot.com?data=demo to load a demonstration election for testing purposes.
2. Turn on the screen reader using the commands below. When the screen reader is activated, it is important to focus only on what you hear from the screen reader. It can be helpful to close your eyes while testing to avoid being distracted by the screen reader’s focus element moving on the page.
3. The web browser should have focus while using the screen reader. If the focus is changed outside of the web browser, use the mouse to click back into Secure Select. Refresh Secure Select to allow the screen reader to reinterpret the application.
4. Use the screen reader’s specific keyboard commands (not the keyboard commands displayed on screen for sighted voters) to navigate the application.
   a. macOS – VoiceOver
      i. Press Command-F5 to start VoiceOver.
      ii. Press Control-Option-Right Arrow and Control-Option-Left Arrow to navigate between content.
      iii. Press Control-Option-Spacebar to activate an option.
   b. Windows – Narrator
      i. Press Windows Key + Enter to open Windows Narrator.
      ii. Press the Caps Lock Key + Space to turn on scan mode. Scan mode is an easy way to navigate through a page. Use I to move between items, H to move between headers, and press the Spacebar to activate an item. Hold down Shift + I and/or Shift + H to reverse the direction of the previous commands.
      iii. Narrator will exit scan mode if the application changes. If the screen reader begins reading the letter of each key when pressed, press Caps Lock + Space again to re-enter scan mode.
      iv. When entering a write-in, Narrator will ask you to press Space to enter edit mode. When you are done entering text, you must press Caps Lock + Space again to go back to scan mode to continue.
      v. Advanced Usage: Holding down the Caps Lock Key, use the Up and Down arrow keys to change the reading mode. In a specific reading mode, hold the Caps Lock key and press the Left and Right arrows to navigate. Different reading modes are suitable for different scenarios and can be used in conjunction with Scan mode. For more information about reading using Narrator, visit this help article: https://support.microsoft.com/en-us/help/22809.

4.4.2.2. Test Items

1. Verify the on-screen instructions on page one are not read by the screen reader.
2. Continue to Ballot Marking.
3. Verify you can mark selections using the screen reader’s specific keyboard commands, and unmark selections.
4. Verify overvote warnings are read when attempting to overvote.
5. Verify you can write in candidates.
6. Verify selections are clearly read when navigating up and down the page.

4.4.3. Keyboard Accessibility

A large component of the WCAG 2.0 accessibility guidelines includes keyboard controls. Verify all Test Items under 4.4.1 Testing General Functionality are accessible using only your keyboard.

4.4.3.1. Setup

1. Open a Secure Select URL from the file generated in 3.4.1. You may also use https://ss.liveballot.com?data=demo to load a demonstration election for testing purposes.
2. Disconnect your mouse or place it out of reach to ensure the mouse is not used for any functionality during testing.

4.4.3.2. Test Items

1. Verify the keyboard controls presented in the on-screen instructions operate as expected. Specifically, test the up, down, left, right arrow keys, the spacebar, and the + and - keys.
2. Verify the text can be zoomed to 200% of the original size.
3. Verify keyboard focus is clearly presented when moving around the screen (a visual indication should show you where you are at all times).

4.4.4. Voter Privacy

Voter privacy is protected in Secure Select by eliminating all network communication with remote servers and by clearing voter selections at the end of their session. Once Secure Select has loaded, all actions the voter takes happen on their local machine.

4.4.4.1. Setup

1. Open a Secure Select URL from the file generated in 3.4.1. You may also use https://ss.liveballot.com?data=demo to load a demonstration election for testing purposes.
2. Use developer tools to open the network inspector in your browser. The network inspector will show you all communication sent to local or remote servers in real time.
   a. In Chrome: Open View > Developer > Developer Tools. Then click on the Network tab.
   b. In Internet Explorer and Edge: Open Developer Tools and click on the Network tab.
3. If there is any network activity, click the clear button to clear it out.
4. (Optional) Disconnect from the internet.

4.4.4.2. Test Items

1. With the Network tab open under Developer Tools, complete all items in section 4.4.1 Testing General Functionality above. After each action (selecting or deselecting a candidate, entering a write-in, navigating between pages, and printing your selections) verify no network activity is shown.
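Watching the Network tab by eye works for a single run, but a saved capture can be re-checked later and attached to the acceptance test record. The following is an added example, not part of the document or of Secure Select: it assumes the tester exported the Network tab as a HAR file after finishing the 4.4.1 test items (in Chrome, right-click in the Network panel and choose "Save all as HAR") and noted the time at which the application finished loading. It reports every request that starts after that moment, every request to a host other than ss.liveballot.com, and every request that carries a body (POST/PUT/PATCH), since a clean run contains only the initial GETs that load the application. The sample log is constructed; its third entry is a hypothetical leaking request included only so the audit has something to flag.

```python
"""Audit a saved browser network log (HAR) for the voter-privacy test in 4.4.4.

Added example, not part of the document or of Secure Select. Assumes a HAR
export of the Network tab and the time the application finished loading."""
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

APP_HOST = "ss.liveballot.com"
BODY_METHODS = {"POST", "PUT", "PATCH"}


def parse_har_time(stamp):
    """HAR startedDateTime is ISO 8601 ('2019-06-27T10:00:00.000Z' in Chrome)."""
    when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def audit_har(har, app_loaded_at, app_host=APP_HOST):
    """Return a list of (reason, method, url) findings; an empty list passes."""
    cutoff = parse_har_time(app_loaded_at)
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        method, url = req["method"].upper(), req["url"]
        started = parse_har_time(entry["startedDateTime"])
        if method in BODY_METHODS or req.get("postData"):
            findings.append(("request body sent", method, url))
        if urlparse(url).hostname != app_host:
            findings.append(("third-party host", method, url))
        if started > cutoff:
            findings.append(("request after page load", method, url))
    return findings


def audit_har_file(path, app_loaded_at, app_host=APP_HOST):
    """Convenience wrapper for a HAR file saved from the browser."""
    with open(path, encoding="utf-8") as f:
        return audit_har(json.load(f), app_loaded_at, app_host)


def report(findings):
    """Human-readable PASS/FAIL summary for the acceptance test record."""
    if not findings:
        return "PASS: no network activity beyond the application load"
    lines = [f"FAIL: {len(findings)} finding(s)"]
    lines += [f"  {reason}: {method} {url}" for reason, method, url in findings]
    return "\n".join(lines)


# Constructed sample log (not a real capture): the two GETs that load the demo
# election, then a hypothetical leaking POST that a clean run must not contain.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"startedDateTime": "2019-06-27T10:00:00.000Z",
     "request": {"method": "GET", "url": "https://ss.liveballot.com/?data=demo"},
     "response": {"status": 200}},
    {"startedDateTime": "2019-06-27T10:00:01.250Z",
     "request": {"method": "GET",
                 "url": "https://ss.liveballot.com/app/assets/multilingual.json"},
     "response": {"status": 200}},
    {"startedDateTime": "2019-06-27T10:05:00.000Z",
     "request": {"method": "POST", "url": "https://example.invalid/collect",
                 "postData": {"mimeType": "application/json", "text": "{}"}},
     "response": {"status": 204}},
]}}

if __name__ == "__main__":
    print(report(audit_har(SAMPLE_HAR, "2019-06-27T10:00:05Z")))
```

The "after page load" check is the one that matters most for this test: the document's privacy claim is that nothing is sent once the application has loaded, so even a request to ss.liveballot.com itself counts as a finding if it starts after the cutoff.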

4.5. Software and firmware upgrades

Democracy Live maintains application servers with regular security and software updates. Only approved updates to Secure Select will be deployed during an approved update window. The California Secretary of State can confirm no unapproved software updates have been deployed by verifying the application source code hash (see Appendix D for details).
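Comparing a deployed copy of the application against an approved hash only works if the hash is computed the same way each time, regardless of which machine or operating system produced it. The following is an added example, not the procedure from Appendix D (which this excerpt does not include): the tree-hash construction, in which each file's SHA-256 is combined with its relative path into one SHA-256 in a fixed traversal order, is an assumption of this example, as is the list of ignored directories. The approved hash itself would be the value recorded with the Secretary of State; here it is stood in for by whatever hash_tree() returns for a constructed test tree.

```python
"""Deterministic hash of an application tree, for checking a deployed copy of
Secure Select against its approved source-code hash (section 4.5).

Added example, not the Appendix D procedure. The construction (per-file
SHA-256 plus relative path, combined in a fixed order) is an assumption."""
import hashlib
import hmac
import os

IGNORE_DIRS = {".git", "node_modules"}   # assumption: VCS and build noise excluded


def hash_tree(root):
    """SHA-256 over 'relative/path<NUL>sha256-of-content<LF>' lines, visited in a
    fixed order so the result is independent of OS, file order and timestamps."""
    digest = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        # prune ignored directories in place and fix the traversal order
        dirnames[:] = sorted(d for d in dirnames if d not in IGNORE_DIRS)
        for fname in sorted(filenames):
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            file_hash = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    file_hash.update(chunk)
            digest.update(f"{rel}\0{file_hash.hexdigest()}\n".encode("utf-8"))
    return digest.hexdigest()


def verify_tree(root, approved_hash):
    """True when the tree reproduces the approved hash (constant-time compare)."""
    return hmac.compare_digest(hash_tree(root), approved_hash.strip().lower())


def write_tree(root, files):
    """Helper for the self-check: write {relative path: bytes} under root."""
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def self_check():
    """Constructed trees: an original, a copy written in a different order, and
    a copy with one byte changed. Returns (copy_matches, tamper_detected)."""
    import tempfile
    files = {"index.html": b"<html>secure select</html>",
             "app/main.js": b"console.log(1);"}
    with tempfile.TemporaryDirectory() as tmp:
        a, b, c = (os.path.join(tmp, d) for d in ("a", "b", "c"))
        write_tree(a, files)
        write_tree(b, dict(reversed(list(files.items()))))
        write_tree(c, {**files, "app/main.js": b"console.log(2);"})
        approved = hash_tree(a)
        return verify_tree(b, approved), not verify_tree(c, approved)


if __name__ == "__main__":
    print(self_check())   # (True, True)
```

Whatever construction Appendix D actually prescribes, the two properties exercised by `self_check` are the ones an auditor should confirm before trusting a hash comparison: an identical tree always reproduces the approved value, and a single changed byte anywhere does not.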

5. Polling Place Procedures

Secure Select is not intended for polling place use.

6. Absentee/Mail Ballot Procedures (Central Tabulation)

The selections made by the voter using Secure Select are printed and submitted back to the County per the State and County requirements. The County will then duplicate or transcribe the voter's intent onto tabulatable ballots, per the County's standard duplication procedures.

7. Official Canvass and Post-Election Procedures

7.1. Post-election logic and accuracy testing

It is recommended the County conduct a post-election test of Secure Select, showing ballot selections were printed as intended. The County does this by printing a test set of ballots via Secure Select.

7.2. Back-up and Retention of election material

Ballots returned from Secure Select users should be retained per county document retention requirements.

8. Security

8.1. Physical security of system and components

Democracy Live utilizes a proven, cloud based platform to securely host Secure Select. Our hosting provider’s data centers are state of the art, utilizing innovative architectural and engineering approaches. The data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Our hosting provider only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee. All physical access to data centers by employees is logged and audited routinely.

For more information on hosting security, please refer to Appendix D.

8.2. User-level security

Democracy Live employs multiple levels of user security throughout the Secure Select development lifecycle. Access to the Secure Select hosting environment is restricted to approved server administrators. Server administrators must use two-factor authentication to access and manage the server environments. Additionally, access control lists (ACL) prevent any connections to Secure Select servers without prior approval.

The Secure Select codebase is stored in a secure code repository. Access is limited to developers and requires an SSH connection via approved SSH keys. All code changes applied to the repository are auditable and include the developer, changes made, and a reason for the changes.

8.3. Procedures for verifying, checking, and installing essential updates and changes

Secure Select is hosted in a secure, cloud based server environment. Secure Select servers are installed on clustered nodes capable of scaling to meet higher loads due to spikes in network traffic. Critical security patches are applied immediately by implementing automatic updates for critical security patches. Minor updates are performed during low traffic times outside of active elections. Server administrators perform updates with zero downtime by using the following update workflow:

1. The server administrator provisions a new node running a Secure Select server.
2. All updates and patches are applied to the new node.
3. The new node is tested to verify Secure Select is running correctly.
4. The new node is then added to the load balancer. User traffic is now directed to the new Secure Select node.
5. After the new node is added to the load balancer, an existing node (needing updates) is removed from the load balancer and is decommissioned.
6. This process is repeated until all nodes in the node cluster are running updated software.
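The six-step workflow above and the health monitoring in 3.3 (a node that does not answer /ping with a 200 response and text is decommissioned and replaced) share one invariant: there are always at least two healthy Secure Select servers behind the load balancer. The following is an added example, not Democracy Live's tooling, that models both procedures so the invariant can be checked step by step. The health rule, the ping path, the two-server minimum and the order of the update steps come from the document; the Node and Cluster classes and the simulated ping results are assumptions of this example, and http_probe shows how a real monitor would query a node's /ping endpoint.

```python
"""Model of the health monitoring (3.3) and zero-downtime update workflow (8.3).

Added example, not Democracy Live's tooling. The health rule, the
two-healthy-server minimum and the six update steps come from the document;
the Node and Cluster classes and simulated ping results are assumptions."""
import urllib.error
import urllib.request

PING_PATH = "/ping"          # document: https://ss.liveballot.com/ping
MIN_HEALTHY = 2              # document: always two healthy servers available


def is_healthy(status, body):
    """3.3: a 200 response header and a text body mean available and working."""
    return status == 200 and bool(body.strip())


def http_probe(base_url, timeout=5):
    """Real probe (not exercised by the tests): GET <base_url>/ping."""
    try:
        with urllib.request.urlopen(base_url + PING_PATH, timeout=timeout) as resp:
            return is_healthy(resp.status, resp.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError, ValueError):
        return False


class Node:
    """A Secure Select server with a simulated /ping result."""
    _count = 0

    def __init__(self, version, ping_status=200, ping_body="OK"):
        Node._count += 1
        self.name = f"node-{Node._count}"
        self.version = version
        self.ping_status = ping_status
        self.ping_body = ping_body

    def probe(self):
        return is_healthy(self.ping_status, self.ping_body)


class Cluster:
    """Nodes currently behind the load balancer, plus an audit log."""

    def __init__(self, version, size=2):
        self.version = version
        self.in_service = [Node(version) for _ in range(size)]
        self.log = []

    def healthy_count(self):
        return sum(1 for n in self.in_service if n.probe())

    def monitor(self):
        """3.3: a node failing /ping is decommissioned and a new node is created
        and added to the load balancer. Returns True when MIN_HEALTHY still holds."""
        for node in list(self.in_service):
            if not node.probe():
                self.in_service.remove(node)
                replacement = Node(self.version)
                self.in_service.append(replacement)
                self.log.append(f"replaced unhealthy {node.name} with {replacement.name}")
        return self.healthy_count() >= MIN_HEALTHY

    def rolling_update(self, new_version):
        """8.3 steps 1-6: provision and patch a new node, test it, add it to the
        load balancer, then remove one old node; repeat until all are updated."""
        self.version = new_version
        while any(n.version != new_version for n in self.in_service):
            candidate = Node(new_version)                       # steps 1 and 2
            if not candidate.probe():                           # step 3
                self.log.append(f"{candidate.name} failed testing; pool unchanged")
                raise RuntimeError("updated node failed its health check")
            self.in_service.append(candidate)                   # step 4
            old = next(n for n in self.in_service if n.version != new_version)
            self.in_service.remove(old)                         # step 5
            self.log.append(f"added {candidate.name} ({new_version}), "
                            f"removed {old.name} ({old.version})")
            if self.healthy_count() < MIN_HEALTHY:
                raise RuntimeError("capacity dropped below MIN_HEALTHY")
        return [n.version for n in self.in_service]              # step 6 complete


if __name__ == "__main__":
    cluster = Cluster("2.0")
    cluster.in_service[0].ping_status = 503   # simulate a failing server
    cluster.monitor()
    cluster.rolling_update("2.1")
    print("\n".join(cluster.log))
```

The important ordering property, visible in `rolling_update`, is that a node failing step 3 never reaches the load balancer and no old node is removed on its account, so a bad update leaves the pool exactly as it was.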

8.4. Ballot Audit trail

The County administrator should ensure the number of ballots returned matches the number of ballots duplicated and submitted for tabulation.


Appendix A: WCAG 2.0 Conformance

Each guideline and success criterion is listed with its pass status (Yes, n/a, or the level reached) and the technique used to meet it.

Principle 1 – Perceivable: AAA
Guideline 1.1 – Text Alternatives
  1.1.1 Non-text Content (Level A): Yes. Limited use of graphic content. Text alternatives provided for graphics and icons when necessary.
Guideline 1.2 – Time-based Media: n/a
  1.2.1 Audio-only and Video-only (Prerecorded) (Level A): n/a
  1.2.2 Captions (Prerecorded) (Level A): n/a
  1.2.3 Audio Description or Media Alternative (Prerecorded) (Level A): n/a
  1.2.4 Captions (Live) (Level AA): n/a
  1.2.5 Audio Description (Prerecorded) (Level AA): n/a
  1.2.6 Sign Language (Prerecorded) (Level AAA): n/a
  1.2.7 Extended Audio Description (Prerecorded) (Level AAA): n/a
  1.2.8 Media Alternative (Prerecorded) (Level AAA): n/a
  1.2.9 Audio-only (Live) (Level AAA): n/a
Guideline 1.3 – Adaptable: Yes
  1.3.1 Info and Relationships (Level A): Yes. Use of landmarks, roles, labels, headings, semantic markup, and structured HTML. Use of CSS to control visual display.
  1.3.2 Meaningful Sequence (Level A): Yes. Content ordered from top to bottom. DOM order matches visual order.
  1.3.3 Sensory Characteristics (Level A): Yes. Warning icons are accompanied by warning text.
Guideline 1.4 – Distinguishable: Yes
  1.4.1 Use of Color (Level A): Yes. Warning text is accompanied by a graphic icon, bold typeface, and the word "warning". CSS is used to change the visual representation of items with focus.
  1.4.2 Audio Control (Level A): n/a
  1.4.3 Contrast (Minimum) (Level AA): Yes. All text and background text meet a 4.5:1 contrast ratio. Warning text is also bold and 16pt for readability.
  1.4.4 Resize text (Level AA): Yes. Text can be resized to 200% using the + and - keys.
  1.4.5 Images of Text (Level AA): n/a
  1.4.6 Contrast (Enhanced) (Level AAA): Yes. All regular text is a 7:1 contrast. All large text is at least a 4.5:1 contrast.
  1.4.7 Low or No Background Audio (Level AAA): Yes. No background audio used.
  1.4.8 Visual Presentation (Level AAA): Yes. Headers specify text and background colors in CSS. Borders are used to separate content. Main text does not use text or background color attributes.
  1.4.9 Images of Text (No Exception) (Level AAA): Yes. No images of text are used.

Principle 2 – Operable
Guideline 2.1 – Keyboard Accessible: Yes
  2.1.1 Keyboard (Level A): Yes. All elements and functionality are accessible via keyboard using tab and arrow keys.
  2.1.2 No Keyboard Trap (Level A): Yes. No elements trap keyboard focus.
  2.1.3 Keyboard (No Exception) (Level AAA): Yes. All elements and functionality are accessible via keyboard using tab and arrow keys.
Guideline 2.2 – Enough Time: Yes
  2.2.1 Timing Adjustable (Level A): Yes. No time limits are imposed on users.
  2.2.2 Pause, Stop, Hide (Level A): Yes. No moving, blinking, scrolling, or auto-updating information.
  2.2.3 No Timing (Level AAA): Yes. No time limits are imposed on users.
  2.2.4 Interruptions (Level AAA): Yes. No interruptions are presented to users.
  2.2.5 Re-authenticating (Level AAA): Yes. Users do not have expiring sessions.
Guideline 2.3 – Seizures: Yes
  2.3.1 Three Flashes or Below Threshold (Level A): Yes. No flashing.
  2.3.2 Three Flashes (Level AAA): Yes. No flashing.
Guideline 2.4 – Navigable: Yes
  2.4.1 Bypass Blocks (Level A): Yes. Using headings, landmarks, and semantic HTML. Also do not use repeated blocks.
  2.4.2 Page Titled (Level A): Yes. All pages have an H1 title tag.
  2.4.3 Focus Order (Level A): Yes. All items are focusable using tab or arrow keys.
  2.4.4 Link Purpose (In Context) (Level A): Yes. All links use text that describes what the link does.
  2.4.5 Multiple Ways (Level AA): Yes. The application is a step-by-step process with forward and backward navigation.
  2.4.6 Headings and Labels (Level AA): Yes. Structured headings are used on every page. All input elements are properly labeled.
  2.4.7 Focus Visible (Level AA): Yes. A clear focus indicator highlights the focus of all active elements.
  2.4.8 Location (Level AAA): Yes. Page steps are clearly identified using an "x of y" format.
  2.4.9 Link Purpose (Link Only) (Level AAA): Yes. All links use text that describes what the link does.
  2.4.10 Section Headings (Level AAA): Yes. All page content is separated by hierarchical use of headings.

Principle 3 – Understandable
Guideline 3.1 – Readable: Yes
  3.1.1 Language of Page (Level A): Yes. The lang attribute is applied to the html element.
  3.1.2 Language of Parts (Level AA): Yes. Full page content is translated, including ballot content.
  3.1.3 Unusual Words (Level AAA): Yes. Simple, common language is used throughout the application.
  3.1.4 Abbreviations (Level AAA): Yes. No abbreviations are used.
  3.1.5 Reading Level (Level AAA): Yes. Simple, common language is used throughout the application.
  3.1.6 Pronunciation (Level AAA): Yes. Simple, common language is used throughout the application.
Guideline 3.2 – Predictable: Yes
  3.2.1 On Focus (Level A): Yes. Focus is shown, but does not change context or content.
  3.2.2 On Input (Level A): Yes. Changing any input value does not change focus or context.
  3.2.3 Consistent Navigation (Level AA): Yes. Navigation is the same on every page, in the same place, using a navigation role.
  3.2.4 Consistent Identification (Level AA): Yes. Labelling and styling are consistent through the application.
  3.2.5 Change on Request (Level AAA): Yes. Automatic updates or changes in context are not made.
Guideline 3.3 – Input Assistance: Yes
  3.3.1 Error Identification (Level A): Yes. Errors are clearly identified using an icon and are presented in descriptive text.
  3.3.2 Labels or Instructions (Level A): Yes. Ballot instructions are provided before ballot marking.
  3.3.3 Error Suggestion (Level AA): Yes. Overvote errors describe why the error occurred, and how to resolve the error.
  3.3.4 Error Prevention (Legal, Financial, Data) (Level AA): n/a
  3.3.5 Help (Level AAA): Yes. Each page includes instructions for the voter.
  3.3.6 Error Prevention (All) (Level AAA): Yes. Users are presented with a review page. They can change any selection before printing.

Principle 4 – Robust
Guideline 4.1 – Compatible: Yes
  4.1.1 Parsing (Level A): Yes. Application has valid HTML including unique IDs and hierarchical structure.
  4.1.2 Name, Role, Value (Level A): Yes. All elements use semantic markup, or define aria-label, aria-labelledby, and role attributes.


Appendix B: Ballot Data Specification

Secure Select loads the ballot data definition from a remote source defined by a query parameter. The ballot data source must be a JSON document meeting the following specification. This data can be created manually or by using a product such as LiveBallot. The JSON data should then be uploaded to a server and made publicly available (or at least available from the Secure Select server).

Example passing the data parameter to Secure Select:

https://ss.liveballot.com?data=URL_TO_DATA

1.1.1 Base Data Structure

Property   Type       Description
ballot     Ballot     Ballot data definition.
ballotId   string     Optional ballot id to include with barcode.
election   Election   Election definition.
precinct   Precinct   Precinct definition.

1.1.2 Ballot

Property   Type     Description
code       string   Ballot style code
name       string   Ballot style name
boxes      []Box    Array of boxes on the ballot (default, header, text)

1.1.3 Box

Property         Type       Description
id               integer    Unique identifier
type             string     Type of ballot content. Allowed values: default, header, text
titles           []Text     Array of title text. Used in default and header boxes.
text             []Text     Array of text content to show. Used in default and text boxes.
text_after       []Text     Array of text to show after options. Used in default boxes.
sequence         integer    Box order
num_selections   integer    Number of selections that can be made
options          []Option   Array of ballot options (candidates, yes, no, etc.)

1.1.4 Option

Property   Type      Description
id         integer
titles     []Text    Array of title text for the option.
type       string    Type of option. Allowed values: default, writein, text
sequence   integer   Option order

1.1.5 Text

Property       Type                Description
value          string              Value to display.
format         string              Type of text to display. Allowed values: style, text, html
style          string              Style to use if format is set to style. Allowed values: default, subtitle (for box and option titles)
translations   map[string]string   A map of key/value pairs that represent a langCode and its translation value


1.1.6 Election

Property   Type   Description
title      Text   Election title. Displayed to voters on the first page.

1.1.7 Precinct

Property   Type     Description
id         string   Precinct ID
name       string   Precinct name
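The following Go program is an added example and is not part of this document or of the Secure Select codebase. It decodes a ballot definition against the property tables above and reports every violation it finds: properties the specification does not define (rejected outright, a strictness that is this example's choice), unknown box, option, format and style values, an empty display value, and a num_selections that is zero or larger than the contest's option list. The Go type names, the sample JSON (constructed, not real election data) and the set of rules enforced are the example's own. Sanitizing html-format text before it is rendered, and deciding which hosts the server may fetch the data URL from, are separate controls not shown here.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Structs mirroring the Appendix B tables; JSON names are the spec's, Go names this example's.
type Text struct {
	Value        string            `json:"value"`
	Format       string            `json:"format"`
	Style        string            `json:"style"`
	Translations map[string]string `json:"translations"`
}
type Option struct {
	ID       int    `json:"id"`
	Titles   []Text `json:"titles"`
	Type     string `json:"type"`
	Sequence int    `json:"sequence"`
}
type Box struct {
	ID            int      `json:"id"`
	Type          string   `json:"type"`
	Titles        []Text   `json:"titles"`
	Text          []Text   `json:"text"`
	TextAfter     []Text   `json:"text_after"`
	Sequence      int      `json:"sequence"`
	NumSelections int      `json:"num_selections"`
	Options       []Option `json:"options"`
}
type BallotData struct {
	Ballot struct {
		Code  string `json:"code"`
		Name  string `json:"name"`
		Boxes []Box  `json:"boxes"`
	} `json:"ballot"`
	BallotID string `json:"ballotId"`
	Election struct {
		Title Text `json:"title"`
	} `json:"election"`
	Precinct struct {
		ID   string `json:"id"`
		Name string `json:"name"`
	} `json:"precinct"`
}

var boxTypes = map[string]bool{"default": true, "header": true, "text": true}
var optionTypes = map[string]bool{"default": true, "writein": true, "text": true}
var textFormats = map[string]bool{"style": true, "text": true, "html": true}

// ValidateBallotData decodes a definition, rejecting any property the spec does not
// define, and returns every rule violation found; none means the document is acceptable.
func ValidateBallotData(raw []byte) ([]string, error) {
	var d BallotData
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&d); err != nil {
		return nil, err
	}
	var problems []string
	bad := func(f string, a ...interface{}) { problems = append(problems, fmt.Sprintf(f, a...)) }
	texts := func(where string, ts []Text) { // value, format and style of each Text
		for i, t := range ts {
			if t.Value == "" {
				bad("%s[%d]: empty value", where, i)
			}
			if !textFormats[t.Format] {
				bad("%s[%d]: unknown format %q", where, i, t.Format)
			}
			if t.Format == "style" && t.Style != "default" && t.Style != "subtitle" {
				bad("%s[%d]: unknown style %q", where, i, t.Style)
			}
		}
	}
	if d.Ballot.Code == "" || d.Precinct.ID == "" {
		bad("ballot.code and precinct.id are required")
	}
	texts("election.title", []Text{d.Election.Title})
	for i, b := range d.Ballot.Boxes {
		w := fmt.Sprintf("boxes[%d]", i)
		if !boxTypes[b.Type] {
			bad("%s: unknown box type %q", w, b.Type)
		}
		texts(w+".titles", b.Titles)
		texts(w+".text", append(b.Text, b.TextAfter...))
		// A contest must allow at least one mark and no more marks than it has options.
		if b.Type == "default" && (b.NumSelections < 1 || b.NumSelections > len(b.Options)) {
			bad("%s: num_selections %d is outside 1..%d", w, b.NumSelections, len(b.Options))
		}
		for j, o := range b.Options {
			if !optionTypes[o.Type] {
				bad("%s.options[%d]: unknown option type %q", w, j, o.Type)
			}
			texts(fmt.Sprintf("%s.options[%d].titles", w, j), o.Titles)
		}
	}
	return problems, nil
}

// Constructed sample definition (not real election data).
const sampleBallot = `{"ballotId":"demo-0001",
 "election":{"title":{"value":"Sample Election","format":"text"}},
 "precinct":{"id":"P-12","name":"Precinct 12"},
 "ballot":{"code":"BS-1","name":"Ballot Style 1","boxes":[
  {"id":1,"type":"header","sequence":1,"titles":[{"value":"Instructions","format":"style","style":"default"}]},
  {"id":2,"type":"default","sequence":2,"num_selections":1,
   "titles":[{"value":"Mayor","format":"style","style":"subtitle","translations":{"es":"Alcalde"}}],
   "options":[{"id":1,"type":"default","sequence":1,"titles":[{"value":"Ada Lovelace","format":"text"}]},
    {"id":2,"type":"writein","sequence":2,"titles":[{"value":"Write-in","format":"text"}]}]}]}}`

func main() {
	problems, err := ValidateBallotData([]byte(sampleBallot))
	fmt.Println("problems:", problems, "error:", err)
}
```

Running the validator on a definition before it is published, and again on whatever the server actually fetched, catches a malformed or tampered file before a voter sees it rather than at the moment the ballot is rendered.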


Appendix C: QR Code Specification

The QR code presented on the Secure Select printout includes data representing the voter's ballot selections, laid out line by line as specified below. The QR code does not include any information about the voter. The QR code contains header data consisting of a version number, ballot style, precinct identifier, and a unique ballot id. The unique ballot id cannot be related to the voter in any way. Its only purpose is to identify distinct ballots printed from Secure Select.

The selections in the QR code are stored as numbers relative to the beginning of the ballot and of the contest respectively. For example, if the voter selected the third candidate of the first contest, skipped the second contest, and marked the second candidate of the third contest on the ballot, the QR code data would be 1:3 and 3:2 to represent those selections.

The following data specifies what information is defined in the QR code and how it is generated.

Line   Key              Value              Notes
1      v                1.2                QR code format version
2      bs               string             Ballot style code, from the Ballot Definition File
3      pid              string             Precinct identifier, from the Ballot Definition File
4      id               string             Unique ballot identifier generated by Secure Select
5+     Contest number   Selection number   Contest number starts with 1 for the first contest on the ballot. Selection number starts with 1 for the first option in the contest. Multiple selections are joined by a comma (,). A write-in is represented by the option number, followed by a dash (-), followed by the write-in value enclosed in quotes. If a quote is part of the write-in value, it must be escaped with a backslash (\).

Examples of selection data in the QR code

Value                       Notes
1:2                         First contest, second candidate marked.
2:3,4                       Second contest, candidates 3 and 4 marked.
5:1,2-"Thomas Jefferson"    Fifth contest, first candidate marked. Second candidate marked (a write-in) with the value Thomas Jefferson entered.
6:3-"Jim \"Jimmy\" Smith"   Sixth contest, third candidate (a write-in) selected with Jim "Jimmy" Smith entered.
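As an added example (not code from this document or from Secure Select), the following Go program encodes and decodes the selection lines described above and checks a decoded line against the contest's option count and num_selections from the ballot definition, so that an over-vote, a repeated mark, or an option number the contest does not have is rejected at the point where the QR code is read. The specification defines only the escaping of a quote inside a write-in; this example additionally escapes a literal backslash as \\ so that every write-in value round-trips unambiguously, which is an assumption beyond the page. The type and function names are the example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Selection is one mark within a contest; WriteIn is filled only when IsWriteIn is true.
type Selection struct {
	Option    int
	IsWriteIn bool
	WriteIn   string
}

// ContestSelection is one "contest:selections" line (line 5 onward of the payload).
type ContestSelection struct {
	Contest    int
	Selections []Selection
}

// ParseSelectionLine decodes one line: decimal option numbers joined by commas,
// a write-in as n-"value", and a backslash escaping the byte that follows it.
func ParseSelectionLine(line string) (ContestSelection, error) {
	var cs ContestSelection
	colon := strings.IndexByte(line, ':')
	if colon < 0 {
		return cs, fmt.Errorf("missing ':' in %q", line)
	}
	contest, err := strconv.Atoi(line[:colon])
	if err != nil || contest < 1 {
		return cs, fmt.Errorf("bad contest number in %q", line)
	}
	cs.Contest = contest
	rest := line[colon+1:]
	for {
		i := 0
		for i < len(rest) && rest[i] >= '0' && rest[i] <= '9' {
			i++
		}
		opt, err := strconv.Atoi(rest[:i])
		if i == 0 || err != nil || opt < 1 {
			return cs, fmt.Errorf("expected option number at %q in %q", rest, line)
		}
		sel := Selection{Option: opt}
		rest = rest[i:]
		if strings.HasPrefix(rest, `-"`) {
			var sb strings.Builder
			j, closed := 2, false
			for j < len(rest) && !closed {
				switch c := rest[j]; {
				case c == '\\' && j+1 < len(rest):
					sb.WriteByte(rest[j+1]) // escaped byte is taken literally
					j += 2
				case c == '"':
					closed, j = true, j+1
				default:
					sb.WriteByte(c)
					j++
				}
			}
			if !closed {
				return cs, fmt.Errorf("unterminated write-in in %q", line)
			}
			sel.IsWriteIn, sel.WriteIn = true, sb.String()
			rest = rest[j:]
		}
		cs.Selections = append(cs.Selections, sel)
		if rest == "" {
			return cs, nil
		}
		if rest[0] != ',' {
			return cs, fmt.Errorf("unexpected %q in %q", rest, line)
		}
		rest = rest[1:]
	}
}

// FormatSelectionLine is the inverse of ParseSelectionLine; quotes and backslashes
// inside a write-in are escaped so a typed name cannot break the line structure.
func FormatSelectionLine(cs ContestSelection) string {
	esc := strings.NewReplacer(`\`, `\\`, `"`, `\"`)
	parts := make([]string, 0, len(cs.Selections))
	for _, s := range cs.Selections {
		p := strconv.Itoa(s.Option)
		if s.IsWriteIn {
			p += `-"` + esc.Replace(s.WriteIn) + `"`
		}
		parts = append(parts, p)
	}
	return strconv.Itoa(cs.Contest) + ":" + strings.Join(parts, ",")
}

// Check rejects over-votes, repeated marks and option numbers the contest does not have,
// given the contest's option count and num_selections from the ballot definition.
func (cs ContestSelection) Check(numOptions, numSelections int) error {
	if len(cs.Selections) > numSelections {
		return fmt.Errorf("contest %d: %d marks exceed the %d allowed", cs.Contest, len(cs.Selections), numSelections)
	}
	seen := map[int]bool{}
	for _, s := range cs.Selections {
		if s.Option > numOptions || seen[s.Option] {
			return fmt.Errorf("contest %d: option %d missing or marked twice", cs.Contest, s.Option)
		}
		seen[s.Option] = true
	}
	return nil
}

func main() { // the example values from the table above, plus one malformed line
	for _, l := range []string{`1:2`, `2:3,4`, `5:1,2-"Thomas Jefferson"`, `6:3-"Jim \"Jimmy\" Smith"`, `7:1,`} {
		cs, err := ParseSelectionLine(l)
		fmt.Printf("%-26s -> %+v err=%v round-trip=%q\n", l, cs, err, FormatSelectionLine(cs))
	}
}
```

A reader of the QR code that applies Check against the same ballot definition the marking application used gets the over-vote protection of the marking interface a second time, independently of the browser that produced the printout.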


Appendix D: Secure Select Technical Details

1. Architecture and Codebase

Secure Select is designed to have a flexible architecture. Below is the recommended architecture, using a third-party vendor for voter identification and Democracy Live to host Secure Select as Software as a Service (SaaS).


1.1. Secure Hosting

Democracy Live utilizes a proven, cloud-based platform to securely host Secure Select. Our hosting provider's computing environments are continuously audited, with certifications from accreditation bodies across geographies and verticals, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS.

By operating in an accredited environment, Democracy Live reduces the scope and cost of audits needed, allowing us to focus on our area of expertise. Our hosting provider continuously undergoes assessments of its underlying infrastructure, including the physical and environmental security of its hardware and data centers, so customers can take advantage of those certifications and inherit those controls.

In a traditional data center, common compliance activities are often manual, periodic activities. These activities include verifying asset configurations and reporting on administrative activities. Moreover, the resulting reports are out of date before they are even published. Operating in an accredited environment allows Democracy Live to take advantage of embedded, automated tools for validating compliance. These tools reduce the effort needed to perform audits, since these tasks become routine, ongoing, and automated.

1.1.1. Physical Security

Our hosting provider's data centers are state of the art, utilizing innovative architectural and engineering approaches. The data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Our hosting provider only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee. All physical access to data centers by employees is logged and audited routinely.

1.1.2. Network Security

Democracy Live utilizes several security capabilities and services to increase privacy and control network access. These include:

• Built-in firewalls that allow creation of private networks, and control network access to instances and subnets
• Encryption in transit with TLS across all services
• Connectivity options that enable private, or dedicated, connections from Democracy Live offices or on-premises environments
• DDoS mitigation technologies as part of our auto-scaling strategy

1.1.3. Inventory and Configuration Management

Democracy Live server administrators deploy and monitor Secure Select servers using a series of tools including:

• Deployment tools to manage the creation and decommissioning of resources
• Inventory and configuration management tools to identify resources and then track and manage changes to those resources over time
• Template definition and management tools to create standard, preconfigured, hardened virtual machines
• Containerized environments based on secure images, ensuring quick scaling and reproducible environments

1.1.4. Access Control

Democracy Live server administrators define, enforce, and manage user access policies across services. These include:

• Identity and access management capabilities to define individual user accounts with permissions across resources
• Multifactor authentication for privileged accounts
• Integration, and federation, with corporate Active Directory

1.1.5. Monitoring and Logging

Democracy Live server administrators utilize tools to monitor our server environment. These include:

• Deep visibility into API calls, including who, what, when, and from where calls were made
• Log aggregation options, streamlining investigations and compliance reporting
• Alert notifications when specific events occur or thresholds are exceeded

1.2. Scalable Architecture

Using automatic scaling, Secure Select stays online and responsive to voters even during traffic spikes around critical election dates. Secure Select is built using a stateless server architecture, making it possible to dynamically provision new server nodes without manual interaction from a server administrator. CPU and memory utilization on Secure Select servers are monitored 24/7. If the CPU or memory usage of a server surpasses a threshold, automatic scaling invokes the following steps:

1. A new Secure Select server (node) is provisioned.
2. Once the new node reaches a steady state (it has started up), a health check is performed on the node.
   a. If the node is healthy, it is added to the load balancer.
   b. If the new node is unhealthy, it is deprovisioned and the process repeats at Step 1.
3. Traffic is now distributed evenly across all nodes, including the new node.

This process will repeat until CPU and memory usage on all servers is at an acceptable level.
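The rolling update workflow in section 8.3 and the auto-scaling steps above share one invariant: a node joins the load balancer only after it passes a health check, and an outdated node leaves only after its replacement is already serving, so the member count never drops below its starting value. The following Go model is added here as an illustration of that invariant and is not Democracy Live's deployment tooling. Pool, Node, the provisioner and the node names are constructed for the example; the real load balancer and provisioning APIs are not represented.

```go
package main

import (
	"errors"
	"fmt"
)

// Node is one Secure Select server as seen by the load balancer.
type Node struct {
	Name, Version string
	Healthy       bool
}

// Pool models the load balancer's member list and records the smallest member
// count seen, so a caller can confirm that capacity never dropped during an update.
type Pool struct {
	Members []Node
	MinSeen int
}

func NewPool(members []Node) *Pool { return &Pool{Members: members, MinSeen: len(members)} }

func (p *Pool) add(n Node) { p.Members = append(p.Members, n) }

func (p *Pool) remove(name string) {
	for i, m := range p.Members {
		if m.Name == name {
			p.Members = append(p.Members[:i], p.Members[i+1:]...)
			break
		}
	}
	if len(p.Members) < p.MinSeen {
		p.MinSeen = len(p.Members)
	}
}

// firstNotAt returns the name of a member not yet running version v, or "".
func (p *Pool) firstNotAt(v string) string {
	for _, m := range p.Members {
		if m.Version != v {
			return m.Name
		}
	}
	return ""
}

// RollingUpdate replaces every member not running target, following the workflow:
// provision a node at the target version, health-check it, add it to the pool, and
// only then remove one outdated member. An unhealthy replacement is discarded and
// provisioning retried, up to maxTries per outdated member.
func RollingUpdate(p *Pool, target string, maxTries int, provision func(seq int) Node) (int, error) {
	replaced, seq := 0, 0
	for old := p.firstNotAt(target); old != ""; old = p.firstNotAt(target) {
		var fresh Node
		for try := 1; ; try++ {
			seq++
			fresh = provision(seq)
			if fresh.Healthy && fresh.Version == target {
				break
			}
			if try == maxTries {
				return replaced, errors.New("no healthy replacement for " + old)
			}
		}
		p.add(fresh)  // the new node takes traffic first ...
		p.remove(old) // ... and only then is the outdated one drained and decommissioned
		replaced++
	}
	return replaced, nil
}

func main() {
	pool := NewPool([]Node{{"web-1", "1.0", true}, {"web-2", "1.0", true}, {"web-3", "1.0", true}})
	// Constructed provisioner: the first node it builds fails its health check.
	provision := func(seq int) Node {
		return Node{Name: fmt.Sprintf("web-%d", 3+seq), Version: "1.1", Healthy: seq != 1}
	}
	n, err := RollingUpdate(pool, "1.1", 3, provision)
	fmt.Println("replaced:", n, "err:", err, "min capacity:", pool.MinSeen, "members:", pool.Members)
}
```

The point of modelling the sequence is the order of add and remove: swapping the two lines in RollingUpdate would let MinSeen fall below the starting count, which is exactly the window in which an election-day traffic spike would reach a short-handed cluster.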


1.3. Flexible Architecture

Secure Select can be utilized in a variety of different configurations to meet the needs of any state or county. The following diagram shows several possible configurations, including options for county or state hosting of the Secure Select application.

1.4. Application Review and Certification

Secure Select is composed of two main components with a complete codebase under 2,500 lines of code. This makes a full codebase review possible in just a matter of hours. The entire application is just under 20 MB.

1.4.1. HTML5 Application

The HTML5 application is written with the AngularJS framework in HTML and TypeScript. The entire application has been written in under 1,600 lines of TypeScript code and under 300 lines of HTML, with an average of less than 100 lines of code per file.


1.4.2. Web Server

The web server is responsible for hosting the HTML5 application, along with downloading, sanitizing, and preparing ballot data. The web server can be run on any virtual machine with no special server requirements. The web server port is configurable so that it can run in parallel with existing web servers (Apache, NGINX, etc.). This provides administrators with complete flexibility using new or existing infrastructure.

The web server codebase is written in Go 1.7 and is under 250 lines of code.

2. Source Code Verification

A hash is a fixed-length string computed from any data by a one-way cryptographic hash function; any change to the input produces a different hash. Secure Select provides a verification page which displays a hash generated from the text of every file and executable in the application. This hash can be stored for comparison after pre-election verification. To assure that no changes have been made to the codebase, the verification page can be used to compare hashes at any time and so verify the codebase has not been changed.

2.1. Storing the Secure Select Hash Code

After a version of Secure Select is approved, anyone can access the Secure Select verification page (https://ss.liveballot.com/verify) to view the Current Hash. The Current Hash is the hash generated from every file in Secure Select. This code will change if any line of code in the application changes. The California Secretary of State can record this code for future reference.

2.2. How to use Hash Code Verification

At any point in the future, the Secure Select Verification page can be accessed. Simply enter the hash code saved on record to verify no changes have been made. If any changes to the source code have been made, the Secure Select hash code will not match the hash code saved after approval. Differing hash codes are clearly displayed to the administrator verifying the system.
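The following Go program is an added example, not the code behind the verification page, showing one reproducible way to compute such a hash: a single SHA-256 digest over every regular file below a directory, taken in sorted path order with each file's path and contents length-prefixed, together with a Verify function that compares the recomputed digest with the recorded one. The file tree it hashes is constructed in a temporary directory for the demonstration; the function names and the exact digest construction are the example's own and are not claimed to match Secure Select's.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// TreeHash returns one SHA-256 hex digest over every regular file below root.
// Files are taken in sorted relative-path order, and each contributes its path
// and its full contents, both length-prefixed, so a changed byte, a renamed
// file or a missing file all change the digest. Symbolic links are not followed.
func TreeHash(root string) (string, error) {
	var paths []string
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if info.Mode().IsRegular() {
			rel, err := filepath.Rel(root, p)
			if err != nil {
				return err
			}
			paths = append(paths, filepath.ToSlash(rel))
		}
		return nil
	})
	if err != nil {
		return "", err
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, rel := range paths {
		data, err := os.ReadFile(filepath.Join(root, filepath.FromSlash(rel)))
		if err != nil {
			return "", err
		}
		fmt.Fprintf(h, "%d:%s:%d:", len(rel), rel, len(data))
		h.Write(data)
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Verify recomputes the digest of root and compares it with the value recorded
// at approval time, returning the match result and the current digest.
func Verify(root, recorded string) (bool, string, error) {
	current, err := TreeHash(root)
	if err != nil {
		return false, "", err
	}
	return current == recorded, current, nil
}

// MakeTree writes a relative-path -> content map into a new temporary directory
// and returns its path; used here to build a constructed sample tree.
func MakeTree(files map[string]string) (string, error) {
	dir, err := os.MkdirTemp("", "treehash")
	if err != nil {
		return "", err
	}
	for rel, content := range files {
		full := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(full), 0755); err != nil {
			return "", err
		}
		if err := os.WriteFile(full, []byte(content), 0644); err != nil {
			return "", err
		}
	}
	return dir, nil
}

// SampleFiles is a constructed stand-in for an application tree.
var SampleFiles = map[string]string{
	"index.html":   "<h1>Ballot</h1>",
	"js/app.js":    "console.log('mark');",
	"css/site.css": "body { margin: 0 }",
}

func main() {
	dir, err := MakeTree(SampleFiles)
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	recorded, _ := TreeHash(dir)
	os.WriteFile(filepath.Join(dir, "js", "app.js"), []byte("console.log('mark'); // tampered"), 0644)
	ok, current, _ := Verify(dir, recorded)
	fmt.Printf("recorded %s\ncurrent  %s\nmatch=%v\n", recorded, current, ok)
}
```

The comparison is only as strong as the independence of the two values: the digest recorded at approval should be reproduced by the reviewer from the approved files with a known algorithm and file order (here SHA-256 over a sorted, length-prefixed listing), not only read from the page under test, and the same construction must be used on both occasions or the values will differ for reasons unrelated to the code.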


Appendix E: Acceptance Testing Tables

Each item below has a Status column, left blank here, to be completed during testing.

1.0 General Functionality
1.1 Candidates can be selected and deselected by clicking on the name.
1.2 Candidates can be selected and deselected by clicking on the checkbox.
1.3 Over-voting is not allowed.
1.3.1 A warning is presented when an over-vote is attempted.
1.4 A text field appears when selecting a write-in.
1.4.1 A candidate name can be typed into a write-in field.
1.4.2 Deselecting a write-in checkbox clears the candidate name entered.
1.5 Selections represented on the Review Page represent selections made on the Ballot Marking Page.
1.5.1 A "No Selections" warning is shown for any contests missing selections.
1.5.2 Under-votes are clearly identified on the Review Page.
1.5.3 Write-in candidates are displayed on the Review Page.
1.6 Voters can change their selections.
1.7 The printed ballot accurately displays the selections on the Review Page.
1.7.1 Only selections made are presented on the printed ballot (not all candidates).
1.7.2 Write-ins are shown on the printed ballot.
1.8 After ending the user session and returning to the application, selections are no longer visible.

2.0 Screen Reader Accessibility
2.1 All functionality in 1.0 is accessible using screen reader keyboard commands.
2.2 Verify the on-screen instructions on page one are not read by the screen reader.
2.3 Over-vote warnings are clearly read by the screen reader when attempting to over-vote.
2.4 The screen reader clearly identifies selected and unselected candidates when navigating the ballot.

3.0 Keyboard Accessibility
3.1 All functionality in 1.0 is accessible using only the keyboard.
3.2 Keyboard controls presented in the on-screen instructions operate as expected.
3.2.1 The up and down arrow keys move keyboard focus up and down.
3.2.2 The + key zooms text up to 200% of the original size.
3.2.3 The - key shrinks text down to the original size.
3.2.4 The space bar can be used to activate an item.
3.3 Keyboard focus is visually identified on screen.

4.0 Accurate Ballot Display
4.1 Contest titles, subtitles, and text display correctly.
4.1.1 Contest order is correct.
4.1.2 Contests have the correct header.
4.2 Candidate titles and subtext display correctly.
4.2.1 Candidates display in the correct order.
4.3 Write-ins display correctly.
4.3.1 The correct number of write-ins display.

5.0 Voter Privacy
5.1 No network communication is made while performing all steps in 1.0.
5.1.1 No network activity occurs when marking a selection.
5.1.2 No network activity occurs when printing selections.