secure select use procedures and technical specification · 2019-06-27 · page 6 of 26 step 1:...
TRANSCRIPT
SecureSelectUseProceduresandTechnicalSpecificationVERSION2.0PREPAREDFORCALIFORNIASECRETARYOFSTATE
Page2of26
TableofContents
TableofContents..........................................................................................................................................2
SecureSelectUseProcedures........................................................................................................................3
1. Introduction...........................................................................................................................................31.1. TermsandDefinitions............................................................................................................................................41.2. Systemdescriptionandcomponents.....................................................................................................................4
2. BallotDefinition.....................................................................................................................................72.1. Paperandprintingspecifications...........................................................................................................................72.2. PrintedSelectionSpecification...............................................................................................................................72.3. PrintedBarcodeSpecification................................................................................................................................7
3. ElectionSet-upandDefinition................................................................................................................73.1. Programmingandconfigurationofelectionmanagementsystem/software........................................................73.2. Programmingandconfigurationofvoterecording/tabulationdevices.................................................................83.3. Systemdiagnostictestingprocedures....................................................................................................................83.4. Logicandaccuracytesting......................................................................................................................................9
4. SystemInstallationandConfiguration..................................................................................................104.1. Hardwarerequirementsandspecifications.........................................................................................................104.2. Hardwareandnetworkset-upandconfiguration................................................................................................104.3. Softwareinstallationandconfiguration...............................................................................................................104.4. AcceptanceTesting..............................................................................................................................................104.5. Softwareandfirmwareupgrades.........................................................................................................................13
5. PollingPlaceProcedures.......................................................................................................................13
6. Absentee/MailBallotProcedures(CentralTabulation).........................................................................13
7. OfficialCanvassandPost-ElectionProcedures......................................................................................137.1. Post-electionlogicandaccuracytesting..............................................................................................................137.2. Back-upandRetentionofelectionmaterial.........................................................................................................13
8. Security................................................................................................................................................148.1. Physicalsecurityofsystemandcomponents.......................................................................................................148.2. User-levelsecurity................................................................................................................................................148.3. Proceduresforverifying,checking,andinstallingessentialupdatesandchanges..............................................148.4. BallotAudittrail...................................................................................................................................................15
AppendixA:WCAG2.0Conformance..........................................................................................................16
Page3of26
AppendixB:BallotDataSpecification..........................................................................................................18
AppendixC:QRCodeSpecification..............................................................................................................20
AppendixD:SecureSelectTechnicalDetails................................................................................................21
1. ArchitectureandCodebase...................................................................................................................211.1. SecureHosting......................................................................................................................................................221.2. ScalableArchitecture............................................................................................................................................231.3. FlexibleArchitecture............................................................................................................................................241.4. ApplicationReviewandCertification...................................................................................................................24
2. SourceCodeVerification......................................................................................................................252.1. StoringtheSecureSelectHashCode....................................................................................................................252.2. HowtouseHashCodeVerification......................................................................................................................25
AppendixE:AcceptanceTestingTables.......................................................................................................26
SecureSelectUseProcedures
1. IntroductionAbsenteeballotingiscomposedoffourmaincomponents:1)Voterauthentication,2)Obtainingballotreturnmaterials,3)Markingballotselections,and4)Returningmarkedballottothelocalelectionsoffice.SecureSelectisacloudbasedapplicationfocusedsolelyonballotmarking.Separatingballotmarkingasamicroserviceintroducesflexibilitytocountiesandseveralbenefitstovoters.
SecureSelectwasdesignedfromthegrounduptomeetthehighestlevelsofaccessibility.ItsatisfiesallWCAG2.0guidelinesincludingscreenreadercompatibility,fullkeyboardaccess,andcolor,contrastandfontsizingrequirements(seeAppendixAfordetails).SecureSelectiscompatiblewithmacOSandWindowsscreenreadersincluding,butnotlimitedto,thefollowing:
OperatingSystem WebBrowser ScreenReaderWindows10 InternetExplorer11,Edge14 NarratorWindows10 Firefox NVDAmacOS10.12 Safari10.1 VoiceOver
Page4of26
PertheCaliforniaStateElectionscodeforballotmarking,SecureSelectdoesnotrequire,norallowinteractionwitharemoteserverduringtheballotmarkingprocess.OncetheSecureSelectapplicationisloadedfromthecloud,nofurtherconnectiontotheserver,orInternetisrequired.
1.1. TermsandDefinitionsBallotDefinitionFile–Afilecontainingalldataneededtodisplayaspecificballotstyle(headers,contest,measures,candidates,candidateorder,etc.).BallotDefinitionFilesarestoredonaremoteserverandaredownloadedandparsedbySecureSelecttoballotstylestovoters.
Box–Whenusedinthecontextofaballot,representsanycontentonaballotsuchascontests,measuresorpropositions(whicharetypicallyenclosedinabox).
Option–Whenusedinthecontextofaballot,representsanymarkablecontentonaballotsuchascandidates,measureresponses,orwrite-ins.
Microservice–Anapplicationorservicewithanisolatedsetoffunctionalitymeanttobeusedaspartofalargerapplicationorworkflow.
URL–Alocationontheinternetaccessiblebytypingitintoawebbrowser
QRCode–Amachine-readablecodeconsistingofanarrayofblackandwhitesquares,typicallyusedforstoringinformationforreadingbythecameraonasmartphone.
1.2. SystemdescriptionandcomponentsSecureSelectiscomposedofthreemaincomponents.ABallotDefinitionFileiscreatedandpassedintoSecureSelect.SecureSelectparsestheBallotDefinitionFileandpresentsaballotstyletothevoter.ThevotercanoptionallyuseaScreenReadertonavigatethroughtheballot.Aftermarkingtheirballotandreviewingtheirselections,thevotercanprinttheirselections.
1.2.1. BallotDefinitionFilesBallotDefinitionFilesmustmeettheBallotDataSpecificationdefinedinAppendixEandbehostedatapubliclyaccessibleURL.OncetheBallotDefinitionFilehasbeenuploaded,itcanbepassedintoSecureSelectusingthefollowingformat.
ExampleURL:https://ss.liveballot.com?data=DEFINITION_URL&lang=LANG_CODE
Page5of26
• data–Anabsoluteurl(includinghttps://)toaBallotDefinitionFile• lang–Alanguagecodespecifyingwhichlanguagetodisplaytothevoter.Allowedlanguagecodesareen
(English),es(Spanish),zh-hans(SimplifiedChinese),andzh-hant(TraditionalChinese).
1.2.2. BallotMarking(theSecureSelectApplication)SecureSelectisanHTML5SinglePageApplication(SPA)thatrunsinsidewebbrowser.Duringpageload,SecureSelectdownloadsandstoreseverythingitneedstorun.Afterpageload,theapplicationlogiciscompletelyisolatedtothebrowserwindow.Thevoteristakenthroughthefollowingpageswithoutanyservercommunication:
Instructions-ClearinstructionsarepresentedtothevoterdetailinghowtonavigateSecureSelectandwhatstepstheywillbetakenthrough.ThevoterclicksContinuetoprogresstotheBallotMarkingscreen.
Exercise:UnderstandhowtopassaballotdefinitionfileintoSecureSelect
Step1:SecureSelecthasabuiltindatafilethatcanbeusedtohelpunderstandtheprocess.Thisfileispubliclyaccessiblebyenteringhttps://ss.liveballot.com/app/assets/multilingual.jsoninawebbrowser.EnterthisURLintoabrowsertoviewthedatafile.
Step2:PassthisURLintoSecureSelectusingthedataparameter.UsetheexampleURLprovidedaboveandreplaceDEFINITION_URLwith“https://ss.liveballot.com/app/assets/multilingual.json”.ReplaceLANG_CODEwith“en”touseEnglish.ThefinalURLwilllooklikethis:https://ss.liveballot.com?data=https://ss.liveballot.com/app/assets/multilingual.json&lang=en
Step3:Finally,replace“en”with“es”inurlabovetoshowaSpanishballot.ThefinalURLwilllooklikethis:https://ss.liveballot.com?data=https://ss.liveballot.com/app/assets/multilingual.json&lang=es
Page6of26
Step1:BallotMarking–Thevotercanmarktheirballotusingtheirkeyboard,mouse,oranyassistivetechnology.Votersarepreventedfromover-votingcontestswithaclearwarning.
Ifawrite-incandidateisselected,atextfieldisprovidedtoenteracandidatename.
Aftermarkingselections,thevoterclicksContinuetoprogresstotheSelectionReviewscreen.
Step2:SelectionReview–Thevoterispresentedwithasummaryoftheirselections.Theyarenotifiediftheyaremissinganyselectionsforanycontests.ClickingChangenexttoanycontestwilltakethevoterdirectlytothatcontestontheBallotMarkingscreen.Afterreviewingselections,thevoterclicksContinuetoprogresstothePrintSelectionsscreen.
Page7of26
Step3:BallotPrinting–ThevoterprintstheirballotwhichcontainsaQRcoderepresentingtheirselections.Aftertheselectionshavebeenprinted,thevoterclicksEndSessiontoprogresstotheCompletescreen.
Complete–Thevoterselectionsareclearedfrommemoryandthevoterispresentedwithathankyoumessage.
2. BallotDefinition
2.1. PaperandprintingspecificationsTheprintedoutputfromSecureSelectisdesignedtoprintfromatypicalhomecomputeronUSLetter(8.5x11)paper.
2.2. PrintedSelectionSpecificationTheprintedoutputfromSecureSelectincludestheoptionsmarkedbythevoterforeveryboxontheballot.Theprintedoutputisintendedtobearepresentationofthevoter'sselections,notoftheentireballot.Ifthevoterdidnotmarkanyselectionsforabox,thetext"NoSelections"isincludedtoclearlyidentifywherenoselectionshavebeenmade.
2.3. PrintedBarcodeSpecificationTheprintedoutputfromSecureSelectincludesaQRCoderepresentingthevoter'sselections.TheQRCodedoesnotincludeanyvoterinformationandcanbescannedusinganymodernsmartphoneor2dbarcodereader.TheQRCodeisincludedtoallowforintegrationwith3rdpartysolutionssuchasautoduplicationsoftware.TheQRCodedataspecificationcanbefoundinAppendixC.
3. ElectionSet-upandDefinition
3.1. Programmingandconfigurationofelectionmanagementsystem/softwareSecureSelectisamicroservicefocusedonaccessibleballotmarking.ThereisnoelectioncreationorballotconfigurationinSecureSelect.TheseprocesseshappenoutsideofSecureSelectinanElectionManagementSystem(EMS),athirdpartyballotbuildingsoftware,Excel,etc.Onceelectiondatahasbeenprepareditshouldbeexportedorconvertedto
Page8of26
JSONfilesconformingtotheBallotDataSpecificationdefinedinAppendixB.ThefollowinglistoutlinesthreepopularoptionsforgeneratingBallotDefinitionFiles:
1) Exportdatafromexistingsoftware–Ifyourcountyhaselectiondataalreadyloadedintoanothersoftware,askyourvendoriftheycanexportthedataorgenerateareporttomeettheBallotDataSpecification.Forexample,currentandfuturesolutionsprovidedbyDemocracyLiveincludedataexportsthatmeetstheBallotDataSpecification.
2) ProvideExcelorCSVfilesforconversion–ItiscommonforcountiestouseExcelfilestoorganizeelectiondata
beforeanelection.Thesefilestypicallyincludeastructuredwayofassociatingcontests,candidates,ballotstyles,precincts,andevenrotation.Adeveloper(eitherinternalIT,acontractdeveloper,oravendor)canwriteascripttoconvertExcel(orCSV)filesintoBallotDefinitionFiles.Itisimportantforthecountyandthedevelopertoagreeonatemplatetoensureastreamlinedprocessinfutureelections.DemocracyLivetechnicalsupportrepresentativescanworkwithcountiestocreateacustomscriptforballotdatafilegeneration.DemocracyLivecanalsoworkwithinternalITstafftohelpsetupascripttobeusedinternally.
3) Manuallycreateballotstyles–ThisapproachdoesrequireknowledgeofhowtowriteJSONdata.Thismethodis
greatforsmallelectionswithlimitednumberofballotstylesandcontent.ThebestwaytousethismethodistocopyanexistingBallotDefinitionFileandthenmodifythecontent.ThereareseveralonlineresourcestohelpwriteandvalidateJSONdatasuchas:https://jsonformatter.org
3.2. Programmingandconfigurationofvoterecording/tabulationdevicesSecureSelectisonlyaballotmarkingsolutionanddoesnotrecordortabulatevoterdata.
3.3. SystemdiagnostictestingproceduresSecureSelectmustbeonlineatalltimesforvoterstomarkandprinttheirballotselections.SecureSelectincludesapingURLwhichcanbeaccessedatanytimetoverifythesystemisonline.AccessingtheURLwillreturna200responseheaderandtextiftheapplicationisavailableandworking.
PingURL:https://ss.liveballot.com/ping
TheSecureSelectapplicationishostedontwoormoreparallelserversatalltimes.DemocracyLivemonitorsthisendpointoneachserver24/7todetectanyserviceinterruptions.Ifaserverdoesnotreturna200response,itisflagged
Page9of26
asunhealthyandisdecommissioned.AnewSecureSelectserveriscreatedandaddedtotheloadbalancerensuringthereisalwaystwohealthyserversavailable.AdditionalinformationregardingSecureSelect’sserverconfigurationisavailableinAppendixD.
3.4. LogicandaccuracytestingBallotDefinitionFileswillbegeneratedforeachballotstyleinanelection.ElectionsofficialsareencouragedtotesteachBallotDefinitionFiletoverifySecureSelectdisplaysballotcontentcorrectly.
3.4.1. Pre-conditionsforperformanceoftestsToconducttestinginSecureSelect,thefollowingstepsmustbefollowed:
1. StoreBallotDefinitionFilesonserverwithapubliclyaccessibleURL.2. CreateanExceldocumentwiththreecolumns:Name,URL,Status.IfyouworkwithavendortogenerateBallot
DefinitionFiles,requestafileinthefollowingformat:
Name URL StatusStyle1–En https://ss.liveballot.com?data=https://definitionurl.com/style1.json&lang=en Style1–Es https://ss.liveballot.com?data=https://definitionurl.com/style1.json&lang=es Style2–En https://ss.liveballot.com?data=https://definitionurl.com/style1.json&lang=en Style2–Es https://ss.liveballot.com?data=https://definitionurl.com/style1.json&lang=es
URLFormat:https://ss.liveballot.com?data=DEFINITION_URL&lang=LANG_CODE
3.4.2. AccuracyTestproceduresForeachURLdefinedinthefilegeneratedin3.4.1,performthefollowingtasks:
1. VisittheURLinawebbrowser.2. Verifytheballotcontentiscorrectlydisplayed.3. Iftheballotstyleiscorrect,type“Approved”intheStatuscolumn.4. Iftheballotstyleisincorrect,enterareasonfortheerror.IfyouareworkingwithavendortogenerateBallot
DefinitionFiles,thenotesprovidedinthestatuscolumnwillhelpwitherrorcorrection.
3.4.3. LogicTestproceduresLoadaBallotDefinitionFilefromthefilegeneratedin3.4.1andtestthefollowing:
1. Over-voteProtection–Ensurevotersarenotabletoover-voteforacontest.2. CorrectReviewPage–Confirmselectionsandwrite-insarecorrectlyshownonthereviewpage.3. NoSelectionWarning–Confirmawarningisshownonthereviewpageifnoselectionsaremade.4. UnderVoteProtection–Confirmanunder-votewarningisshownifnotallselectionsaremadeforacontest
withmorethanoneselectionavailable.5. PrintSelections–Confirmselectionsandwrite-insarecorrectlyprinted.6. QRCode–ScantheQRcodewithasmartphoneandconfirmtheselectiondatarepresentstheprintedoutput.
3.4.4. RetentionofTestmaterialsThepaperballotsgeneratedfromthistestingshouldbesavedunderthecounty'snormalelectionsdocumentsavingprotocolsandrequirements.
Page10of26
4. SystemInstallationandConfiguration
4.1. HardwarerequirementsandspecificationsSecureSelectisacloudbasedsolution.Thereisnosoftwareinstallationorconfigurationrequired.TherearenohardwarerequirementstouseSecureSelectoutsideofwhatisrequiredtorunaninternetbrowser.
4.2. Hardwareandnetworkset-upandconfigurationSecureSelectisdeliveredtovotersovertheinternetusingSSLencryption.UsersmusthaveaninternetconnectionandawebbrowsercapableofaccessingawebsiteusingSSLencryption.
4.3. SoftwareinstallationandconfigurationSecureSelectisacloudbasedsolution.Thereisnosoftwareinstallationrequired.VoterscanusethedefaultwebbrowserthatcomeswiththeircomputertoaccessSecureSelect.
4.3.1. CustomInstallationsSecureSelectcanbeinstalledonanyLinux,FreeBSD,orWindowsservers.DemocracyLivetechnicalsupportrepresentativescanassistITadministratorswithcustominstallationsuponrequest.
4.4. AcceptanceTestingSecureSelecthasanarrowscopeoffunctionalitylimitedtotheaccessibledisplay,marking,andprintingofballotselections.Thepurposeofthisdesignistoprovideamodularapplicationcapableofintegratingwithnewandexistingsoftware.Assuch,therearefourkeypointsoftestingrequiredforSecureSelect:
1. GeneralFunctionality–Doestheapplicationallowvoterstoview,mark,andprinttheirselectionsaccurately?2. ScreenReaderAccessibility–Istheapplicationfullyfunctionalbyusingascreenreader?3. KeyboardAccessibility–Istheapplicationfullyfunctionalbyusingonlykeyboardcontrols?4. VoterPrivacy–Doestheapplicationworkwithouttransmittinganyvoterdatatoaremoteserver?
TheAcceptanceTestingTablesinAppendixEcanbeprintedtokeeptrackoftestitemsandtheirstatus.
4.4.1. TestingGeneralFunctionalityThefollowingstepscanbetakentotestthegeneralfunctionalityofSecureSelect.
4.4.1.1. Setup1. OpenaSecureSelectURLfromthefilegeneratedin3.4.1.Youmayalsouse
https://ss.liveballot.com?data=demotoloadademonstrationelectionfortestingpurposes.
4.4.1.2. TestItems1. Readtheon-screeninstructionsandclickContinue.2. Readtheinstructionsatthetopofthepage.3. Clickoncandidatestomarkaselection.Clickonacandidateagaintodeselect.4. Clickonthecheckboxnexttoacandidatetoverifyittogglesselectionsaswell.5. Trytoover-voteforacontest.Verifyanovervotewarningisdisplayed.
Page11of26
6. Verifyatextfieldispresentedtoenteracandidatenamewhencheckingawrite-incandidate.Fillinawrite-incandidate.
7. Leaveatleastonecontestwithoutanyselections(tobeusedlater).8. ClickContinue9. ConfirmtheselectionsontheReviewPageareaccuratelydisplayed10. Clickchangenexttoaselection.VerifyittakesyoutothespecificcontestontheBallotMarkingPage.11. Changetheselection.VerifythereisashortcutlinktogobacktotheReviewPage.12. GobacktotheReviewPageandconfirmchangeshavebeenmade.13. Confirmwrite-invaluesareaccuratelypresentedontheReviewPage.14. ClickContinuetocontinuetothePrintSelectionspage.15. ClickthePrintSelectionbutton.Confirmaprintdialogistriggered.16. Printtheselectionsandconfirmtheyareaccuratelyprinted.17. GobacktoSecureSelectandclickEndSession.18. ReturntothetestingURL,clickcontinue,andverifyyourselectionsarenolongervisible.
4.4.2. ScreenReaderAccessibilityForScreenReadertesting,verifyallTestItemsunder4.4.1TestingGeneralFunctionalityareaccessibleusingscreenreaderspecifickeycommands(thesearedifferentthantheinstructionsshownontheinstructionspage).
4.4.2.1. Setup1. OpenaSecureSelectURLfromthefilegeneratedin3.4.1.Youmayalsouse
https://ss.liveballot.com?data=demotoloadademonstrationelectionfortestingpurposes.2. Turnonthescreenreaderusingthecommandsbelow.Whenthescreenreaderisactivated,itisimportantto
focusonlyonwhatyouhearfromthescreenreader.Itcanbehelpfultocloseyoureyeswhiletestingtoavoidbeingdistractedbythescreenreader’sfocuselementmovingonthepage.
3. Thewebbrowsershouldhavefocuswhileusingthescreenreader.Ifthefocusischangedoutsideofthewebbrowser,usethemousetoclickbackintoSecureSelect.RefreshSecureSelecttoallowthescreenreadertoreinterprettheapplication.
4. Usethescreenreader’sspecifickeyboardcommands(notthekeyboardcommandsdisplayedonscreenforsightedvoters)tonavigatetheapplication
a. macOS–VoiceOveri. PressCommand-F5tostartVoiceOverii. PressControl-Option-RightArrowandControl-Option-LeftArrowtonavigatebetweencontentiii. PresControl-Option-Spacebartoactivateanoption
b. Windows–Narratori. PressWindowsKey+Entertoopenwindowsnarratorii. PresstheCapsLockKey+Spacetoturnonscanmode.Scanmodeisaneasywaytonavigate
throughapage.UseItomovebetweenitems,Htomovebetweenheaders,andpresstheSpacebartoactivateanitem.HolddownShift+Iand/orShift+Htoreversethedirectionofthepreviouscommands.
iii. Narratorwillexitscanmodeiftheapplicationchanges.Ifthescreenreaderbeginsreadingtheletterofeachkeywhenpressed,pressCapsLock+Spaceagaintore-enterscanmode.
Page12of26
iv. Whenenteringawrite-in,NarratorwillaskyoutopressSpacetoentereditmode.Whenyouaredoneenteringtext,youmustpressCapsLock+Spaceagaintogobacktoscanmodetocontinue.
v. AdvancedUsage:HoldingdowntheCapsLockKey,usetheUpandDownarrowkeystochangethereadingmode.Inaspecificreadingmode,holdtheCapsLockkeyandpresstheLeftandRightarrowstonavigate.DifferentreadingmodesaresuitablefordifferentscenariosandcanbeusedinconjunctionwithScanmode.FormoreinformationaboutreadingusingNarrator,visitthishelparticle:https://support.microsoft.com/en-us/help/22809.
4.4.2.2. TestItems1. Verifytheon-screeninstructionsonpageonearenotreadbythescreenreader.2. ContinuetoBallotMarking3. Verifyyoucanmarkselectionsusingscreenreader’sspecifickeyboardcommandsandunmarkselections4. Verifyovervotewarningsarereadwhenattemptingtoovervote5. Verifyyoucanwriteincandidates6. Verifyselectionsareclearlyreadwhennavigatingupanddownthepage
4.4.3. KeyboardAccessibilityAlargecomponentoftheWCAG2.0accessibilityguidelinesincludeskeyboardcontrols.VerifyallTestItemsunder4.4.1TestingGeneralFunctionalityareaccessibleusingonlyyourkeyboard.
4.4.3.1. Setup1. OpenaSecureSelectURLfromthefilegeneratedin3.4.1.Youmayalsouse
https://ss.liveballot.com?data=demotoloadademonstrationelectionfortestingpurposes.2. Disconnectyourmouseorplaceoutofreachtoensurethemouseisnotusedforanyfunctionalityduring
testing.
4.4.3.2. TestItems1. Verifythekeyboardcontrolspresentedintheon-screeninstructionsoperateasexpected.Specifically,testthe
up,down,left,rightarrowkeys,thespacebar,andthe+and-keys.2. Verifythetextcanbezoomedto200%oftheoriginalsize3. Verifykeyboardfocusisclearlypresentedwhenmovingaroundthescreen(avisualindicationshouldshowyou
whereyouareatalltimes).
4.4.4. VoterPrivacyVoterprivacyisprotectedinSecureSelectbyeliminatingallnetworkcommunicationwithremoteserversandbyclearingvoterselectionsattheendoftheirsession.OnceSecureSelecthasloaded,allactionsthevotertakeshappenontheirlocalmachine.
4.4.4.1. Setup1. OpenaSecureSelectURLfromthefilegeneratedin3.4.1.Youmayalsouse
https://ss.liveballot.com?data=demotoloadademonstrationelectionfortestingpurposes.2. Usedevelopertoolstoopenthenetworkinspectorinyourbrowser.Thenetworkinspectorwillshowyouall
communicationsenttolocalorremoteserversinrealtime.a. InChrome:OpenView>Developer>DeveloperTools.ThenclickontheNetworktab
Page13of26
b. InInternetExplorerandEdge:OpenDeveloperToolsandclickontheNetworkTab
3. Ifthereisanynetworkactivity,clicktheclearbuttontoclearitout4. (Optional)Disconnectfromtheinternet
4.4.4.2. TestItems1. WiththeNetworktabopenunderDeveloperTools,completeallitemsinsection4.4.1TestingGeneral
Functionalityabove.Aftereachaction(selectingordeselectingacandidate,enteringawritein,navigatingbetweenpages,andprintingyourselections)verifynonetworkactivityisshown.
4.5. SoftwareandfirmwareupgradesDemocracyLivemaintainsapplicationserverswithregularsecurityandsoftwareupdates.OnlyapprovedupdatestoSecureSelectwillbedeployedduringanapprovedupdatewindow.TheCaliforniaSecretaryofStatecanconfirmnounapprovedsoftwareupdateshavebeendeployedbyverifyingtheapplicationsourcecodehash(seeAppendixDfordetails).
5. PollingPlaceProceduresSecureSelectisnotintendedforpollingplaceuse.
6. Absentee/MailBallotProcedures(CentralTabulation)TheselectionsmadebythevoterusingSecureSelectareprintedandsubmittedbacktotheCountypertheStateandCountyrequirements.TheCountywillthenduplicateortranscribethevoter'sintentontotabulatableballots,pertheCountiesstandardduplicationprocedures.
7. OfficialCanvassandPost-ElectionProcedures
7.1. Post-electionlogicandaccuracytestingItisrecommendedtheCountyconductapost-electiontestofSecureSelect,showingballotselectionswereprintedasintended.CountydoesthisbyprintingatestsetofballotsviaSecureSelect.
7.2. Back-upandRetentionofelectionmaterialBallotsreturnedfromSecureSelectusersshouldberetainedpercountydocumentretentionrequirements.
Page14of26
8. Security
8.1. PhysicalsecurityofsystemandcomponentsDemocracyLiveutilizesaproven,cloudbasedplatformtosecurelyhostSecureSelect.Ourhostingprovider’sdatacentersarestateoftheart,utilizinginnovativearchitecturalandengineeringapproaches.Thedatacentersarehousedinnondescriptfacilities.Physicalaccessisstrictlycontrolledbothattheperimeterandatbuildingingresspointsbyprofessionalsecuritystaffutilizingvideosurveillance,intrusiondetectionsystems,andotherelectronicmeans.Authorizedstaffmustpasstwo-factorauthenticationaminimumoftwotimestoaccessdatacenterfloors.Allvisitorsandcontractorsarerequiredtopresentidentificationandaresignedinandcontinuallyescortedbyauthorizedstaff.
Ourhostingprovideronlyprovidesdatacenteraccessandinformationtoemployeesandcontractorswhohavealegitimatebusinessneedforsuchprivileges.Whenanemployeenolongerhasabusinessneedfortheseprivileges,hisorheraccessisimmediatelyrevoked,eveniftheycontinuetobeanemployee.Allphysicalaccesstodatacentersbyemployeesisloggedandauditedroutinely.
Formoreinformationonhostingsecurity,pleaserefertoAppendixD.
8.2. User-levelsecurityDemocracyLiveemploysmultiplelevelsofusersecuritythroughouttheSecureSelectdevelopmentlifecycle.AccesstotheSecureSelecthostingenvironmentisrestrictedtoapprovedserveradministrators.Serveradministratorsmustusetwo-factorauthenticationtoaccessandmanagetheserverenvironments.Additionally,accesscontrollists(ACL)preventanyconnectionstoSecureSelectserverswithoutpriorapproval.
TheSecureSelectcodebaseisstoredinasecurecoderepository.AccessislimitedtodevelopersandrequiresanSSHconnectionviaapprovedSSHkeys.Allcodechangesappliedtotherepositoryareauditableandincludethedeveloper,changesmade,andareasonforthechanges.
8.3. Proceduresforverifying,checking,andinstallingessentialupdatesandchangesSecureSelectishostedinasecure,cloudbasedserverenvironment.SecureSelectserversareinstalledonclusterednodescapableofscalingtomeethigherloadsduetospikesinnetworktraffic.Criticalsecuritypatchesareappliedimmediatelybyimplementingautomaticupdatesforcriticalsecuritypatches.Minorupdatesareperformedduringlowtraffictimesoutsideofactiveelections.Serveradministratorsperformupdateswithzerodowntimebyusingthefollowingupdateworkflow:
1. TheserveradministratorprovisionsanewnoderunningaSecureSelectserver.2. Allupdatesandpatchesareappliedtothenewnode.3. ThenewnodeistestedtoverifySecureSelectisrunningcorrectly.4. Thenewnodeisthenaddedtotheloadbalancer.UsertrafficisnowdirectedtothenewSecureSelectnode.5. Afterthenewnodeisaddedtotheloadbalancer,anexistingnode(needingupdates)isremovedfromtheload
balancerandisdecommissioned.6. Thisprocessisrepeateduntilallnodesinthenodeclusterarerunningupdatedsoftware.
Page15of26
8.4. BallotAudittrailCountyadministratorshouldensurethenumberofballotsreturned,matchthenumberofballotsduplicatedandsubmittedfortabulation.
Page16of26
AppendixA:WCAG2.0ConformanceGuideline Pass TechniquePrinciple1–Perceivable AAA Guideline1.1–TextAlternatives 1.1.1Non-textContent–LevelA Yes Limiteduseofgraphiccontent.Textalternativesprovidedforgraphicsandiconswhen
necessary.Guideline1.2–Time-basedMedia n/a 1.2.1Audio-onlyandVideo-only(Prerecorded)–LevelA n/a 1.2.2Captions(Prerecorded)–LevelA n/a 1.2.3AudioDescriptionorMediaAlternative(Prerecorded)–LevelA n/a 1.2.4Captions(Live)–LevelAA n/a 1.2.5AudioDescription(Prerecorded)–LevelAA n/a 1.2.6SignLanguage(Prerecorded)–LevelAAA n/a 1.2.7ExtendedAudioDescription(Prerecorded)–LevelAAA n/a 1.2.8MediaAlternative(Prerecorded)–LevelAAA n/a 1.2.9Audio-only(Live)–LevelAAA n/a Guideline1.3–Adaptable Yes 1.3.1InfoandRelationships–LevelA Yes Useoflandmarks,roles,labels,headings,semanticmarkup,andstructuredHTML.Useof
CSStocontrolvisualdisplay1.3.2MeaningfulSequence–LevelA Yes Contentorderedfromtoptobottom.DOMordermatchesvisualorder.1.3.3SensoryCharacteristics–LevelA Yes Warningiconsareaccompaniedbywarningtext.Guideline1.4–Distinguishable Yes 1.4.1UseofColor–LevelA Yes Warningtextisaccompaniedbyagraphicicon,boldtypeface,andthewordwarning.
CSSisusedtochangevisualrepresentationofitemswithfocus.1.4.2AudioControl–LevelA n/a 1.4.3Contrast(Minimum)–LevelAA Yes Alltextandbackgroundtextmeeta4.5:1contrastratio.Warningtextisalsoboldand
16ptforreadability.1.4.4Resizetext–LevelAA Yes Textcanberesizedto200%usingthe+and-keys1.4.5ImagesofText–LevelAA n/a 1.4.6Contrast(Enhanced)–LevelAAA Yes Allregulartextisa7:1contrast.Alllargetextisatleasta4.5:1contrast.1.4.7LoworNoBackgroundAudio–LevelAAA Yes Nobackgroundaudioused.1.4.8VisualPresentation–LevelAAA Yes HeadersspecifytextandbackgroundcolorsinCSS.Bordersareusedtoseparate
content.Maintextdoesnotusetextorbackgroundcolorattributes.1.4.9ImagesofText(NoException)–LevelAAA Yes Noimagesoftextareused.Principle2–Operable Guideline2.1–KeyboardAccessible Yes 2.1.1Keyboard–LevelA Yes Allelementsandfunctionalityareaccessibleviakeyboardusingtabandarrowkeys.2.1.2NoKeyboardTrap–LevelA Yes Noelementstrapkeyboardfocus.2.1.3Keyboard(NoException)–LevelAAA Yes Allelementsandfunctionalityareaccessibleviakeyboardusingtabandarrowkeys.Guideline2.2–EnoughTime Yes 2.2.1TimingAdjustable–LevelA Yes Notimelimitsareimposedonusers.2.2.2Pause,Stop,Hide–LevelA Yes Nomoving,blinking,scrolling,orautoupdatinginformation.2.2.3NoTiming–LevelAAA Yes Notimelimitsareimposedonusers.2.2.4Interruptions–LevelAAA Yes Nointerruptionsarepresentedtousers.2.2.5Re-authenticating–LevelAAA Yes Usersdonothaveexpiringsessions.Guideline2.3–Seizures Yes 2.3.1ThreeFlashesorBelowThreshold–LevelA Yes Noflashing2.3.2ThreeFlashes–LevelAAA Yes NoflashingGuideline2.4–Navigable Yes 2.4.1BypassBlocks–LevelA Yes Usingheadings,landmarks,andsemanticHTML.Alsodonotuserepeatedblocks.
Page17of26
2.4.2PageTitled–LevelA Yes AllpageshaveanH1titletag.2.4.3FocusOrder–LevelA Yes Yes,allitemsarefocusableusingtaborarrowkeys.2.4.4LinkPurpose(InContext)–LevelA Yes Alllinksusetextthatdescribeswhatthelinkdoes.2.4.5MultipleWays–LevelAA Yes Theapplicationisastepbystepprocesswithforwardandbackwardnavigation.2.4.6HeadingsandLabels–LevelAA Yes Structuredheadingsareusedoneverypage.Allinputelementsareproperlylabeled.2.4.7FocusVisible–LevelAA Yes Aclearfocusindicatorhighlightsthefocusofallactiveelements.2.4.8Location–LevelAAA Yes Pagestepsareclearlyidentifiedusingxofyformat.2.4.9LinkPurpose(LinkOnly)–LevelAAA Yes Alllinksusetextthatdescribeswhatthelinkdoes.2.4.10SectionHeadings–LevelAAA Yes Allpagecontentisseparatedbyhierarchaluseofheadings.Principle3–Understandable Guideline3.1–Readable Yes 3.1.1LanguageofPage–LevelA Yes Langattributeisappliedtohtmlelement3.1.2LanguageofParts–LevelAA Yes Fullpagecontentistranslatedincludingballotcontent.3.1.3UnusualWords–LevelAAA Yes Simple,commonlanguageisusedthroughouttheapplication.3.1.4Abbreviations–LevelAAA Yes Noabbreviationsareused.3.1.5ReadingLevel–LevelAAA Yes Simple,commonlanguageisusedthroughouttheapplication.3.1.6Pronunciation–LevelAAA Yes Simple,commonlanguageisusedthroughouttheapplication.Guideline3.2–Predictable Yes 3.2.1OnFocus–LevelA Yes Focusisshown,butdoesnotchangecontextorcontent.3.2.2OnInput–LevelA Yes Changinganyinputvaluedoesnotchangefocusorcontext.3.2.3ConsistentNavigation–LevelAA Yes Navigationisthesameoneverypage,inthesameplace,usinganavigationrole.3.2.4ConsistentIdentification–LevelAA Yes Labellingandstylingareconsistentthroughtheapplication.3.2.5ChangeonRequest–LevelAAA Yes Automaticupdatesorchangesincontextarenotmade.Guideline3.3–InputAssistance Yes 3.3.1ErrorIdentification–LevelA Yes Errorsareclearlyidentifiedusinganiconandarepresentedindescriptivetext.3.3.2LabelsorInstructions–LevelA Yes Ballotinstructionsareprovidedbeforeballotmarking.3.3.3ErrorSuggestion–LevelAA Yes Overvoteerrorsdescribewhytheerroroccurred,andhowtoresolvetheerror.3.3.4ErrorPrevention(Legal,Financial,Data)–LevelAA n/a 3.3.5Help–LevelAAA Yes Eachpageincludesinstructionsforthevoter.3.3.6ErrorPrevention(All)–LevelAAA Yes Usersarepresentedwithareviewpage.Theycanchangeanyselectionbeforeprinting.Principle4–Robust Guideline4.1–Compatible Yes 4.1.1Parsing–LevelA Yes ApplicationhasvalidHTMLincludinguniqueIDsandhierarchalstructure.4.1.2Name,Role,Value–LevelA Yes Allelementsusesemanticmarkup,ordefinearia-label,aria-labelledby,androle
attributes.
Page18of26
AppendixB:BallotDataSpecificationSecureSelectloadsballotdatadefinitionfromaremotesourcedefinedbyaqueryparameter.TheballotdatasourcemustbeaJSONdocumentmeetingthefollowingspecification.ThisdatacanbecreatedmanuallyorbyusingaproductsuchasLiveBallot.TheJSONdatashouldthenbeuploadedtoaserverandmadepubliclyavailable(oratleastavailablefromtheSecureSelectserver).
ExamplepassingdataparametertoSecureSelect:
https://ss.liveballot.com?data=URL_TO_DATA
1.1.1 BaseDataStructureProperty Type Descriptionballot Ballot Ballotdatadefinition.ballotId string Optionalballotidtoincludewithbarcode.election Election Electiondefinition.precinct Precinct Precinctdefinition.
1.1.2 BallotProperty Type Descriptioncode string Ballotstylecodename string Ballotstylenameboxes []Box Arrayofboxesontheballot(default,header,text)
1.1.3 BoxProperty Type Descriptionid integer Uniqueidentifiertype string Typeofballotcontent.
AllowedValues:default,header,texttitles []Text Arrayoftitletext.
Usedindefaultandheaderboxes.text []Text Arrayoftextcontenttoshow.
Usedindefaultandtextboxes.text_after []Text Arrayoftexttoshowafteroptions.
Usedindefaultboxes.sequence integer Boxordernum_selections integer Numberofselectionsthatcanbemadeoptions []Option Arrayofballotoptions(candidates,yes,no,etc.)
1.1.4 OptionProperty Type Descriptionid integer titles []Text Arrayoftitletextfortheoption.type string Typeofoption.
Allowedvalues:default,writein,textsequence Integer Optionorder
1.1.5 TextProperty Type Descriptionvalue string Valuetodisplay.format string Typeoftexttodisplay.
Allowedvalues:style,text,htmlstyle string Styletouseiftypeissettostyle.
Allowedvalues:default,subtitle(forboxandoptiontitles)translations map[string]string Amapofkey/valuepairsthatrepresentlangCodeandtranslationvalues
Page19of26
1.1.6 ElectionProperty Type Descriptiontitle Text Electiontitle.Displayedtovotersonfirstpage.
1.1.7 PrecinctProperty Type Descriptionid string PrecinctIDname string PrecinctName
Page20of26
AppendixC:QRCodeSpecificationTheQRcodepresentedontheSecureSelectprintoutincludesJSONdatarepresentingthevoter’sballotselections.TheQRcodedoesnotincludeanyinformationaboutthevoter.TheQRcodecontainsheaderdatacontainingaversionnumber,ballotstyle,precinctidentifier,andauniqueballotid.Theuniqueballotidcannotberelatedtothevoterinanyway.It’sonlypurposeistoidentifydistinctballotsprintedfromSecureSelect.
TheselectionsintheQRcodearestoredasnumbersrelativetothebeginningoftheballotandcontestrespectively.Forexample,ifthevoterselectedthethirdcandidateofthefirstcontest,skippedthesecondcontest,andmarkedthesecondcandidateofthethirdcontestontheballot,theQRcodedatawouldbe1:3and3:2torepresentthoseselections.
ThefollowingdataspecifieswhatinformationisdefinedintheQRcodeandhowitisgenerated.
Line Key Value Notes1 v 1.2 QRCodeformatversion2 bs string Ballotstylecode–fromBallotDefinitionFile3 pid string Precinctidentifier–fromBallotDefinitionFile4 id string UniqueballotidentifiergeneratedbySecureSelect5+ Contestnumber Selectionnumber Contestnumberstartswith1forthefirstcontestontheballot.
Selectionnumberstartswith1forthefirstoptioninthecontest.Multipleselectionsarejoinedbyacomma(,).Awrite-inisrepresentedbytheoptionnumber,followedbyadash(-)followedbythewriteinvalueenclosedinquotes.Ifaquoteispartofthewrite-invalue,itmustbeescapedwithabackslash(\).
ExamplesofselectiondataintheQRcode
Value Notes1:2 Firstcontest,secondcandidatemarked.2:3,4 Secondcontest,candidates3and4marked5:1,2-“ThomasJefferson” Fifthcontest,firstcandidatemarked.Secondcandidatemarked(awritein)withthe
valueThomasJeffersonentered.6:3-“Jim\”Jimmy\”Smith” Sixthcontext,thirdcandidate(awritein)selectedwithJim“Jimmy”Smithentered.
AppendixD:SecureSelectTechnicalDetails
1. ArchitectureandCodebaseSecureSelectisdesignedtohaveaflexiblearchitecture.BelowistherecommendedarchitectureusingathirdpartyvendorforvoteridentificationandDemocracyLivetohostSecureSelectasSoftwareasaService(SAAS).
Page22of26
1.1. SecureHostingDemocracyLiveutilizesaproven,cloudbasedplatformtosecurelyhostSecureSelect.Ourhostingprovider’scomputingenvironmentsarecontinuouslyaudited,withcertificationsfromaccreditationbodiesacrossgeographiesandverticals,includingISO27001,FedRAMP,DoDCSM,andPCIDSS.
Byoperatinginanaccreditedenvironment,DemocracyLivereducesthescopeandcostofauditsneeded,allowingustofocusonourareaofexpertise.Ourhostingprovidercontinuouslyundergoesassessmentsofitsunderlyinginfrastructure—includingthephysicalandenvironmentalsecurityofitshardwareanddatacenters—socustomerscantakeadvantageofthosecertificationsandsimplyinherentthosecontrols.
Inatraditionaldatacenter,commoncomplianceactivitiesareoftenmanual,periodicactivities.Theseactivitiesincludeverifyingassetconfigurationsandreportingonadministrativeactivities.Moreover,theresultingreportsareoutofdatebeforetheyareevenpublished.OperatinginanaccreditedenvironmentallowsDemocracyLivetotakeadvantageofembedded,automatedtoolsforvalidatingcompliance.Thesetoolsreducetheeffortneededtoperformaudits,sincethesetasksbecomeroutine,ongoing,andautomated.
1.1.1. PhysicalSecurityOurhostingprovider’sdatacentersarestateoftheart,utilizinginnovativearchitecturalandengineeringapproaches.Thedatacentersarehousedinnondescriptfacilities.Physicalaccessisstrictlycontrolledbothattheperimeterandatbuildingingresspointsbyprofessionalsecuritystaffutilizingvideosurveillance,intrusiondetectionsystems,andotherelectronicmeans.Authorizedstaffmustpasstwo-factorauthenticationaminimumoftwotimestoaccessdatacenterfloors.Allvisitorsandcontractorsarerequiredtopresentidentificationandaresignedinandcontinuallyescortedbyauthorizedstaff.
Ourhostingprovideronlyprovidesdatacenteraccessandinformationtoemployeesandcontractorswhohavealegitimatebusinessneedforsuchprivileges.Whenanemployeenolongerhasabusinessneedfortheseprivileges,hisorheraccessisimmediatelyrevoked,eveniftheycontinuetobeanemployee.Allphysicalaccesstodatacentersbyemployeesisloggedandauditedroutinely.
1.1.2. NetworkSecurityDemocracyLiveutilizesseveralsecuritycapabilitiesandservicestoincreaseprivacyandcontrolnetworkaccess.Theseinclude:
• Built-infirewallsthatallowcreationofprivatenetworks,andcontrolnetworkaccesstoinstancesandsubnets• EncryptionintransitwithTLSacrossallservices• Connectivityoptionsthatenableprivate,ordedicated,connectionsfromDemocracyLiveofficesoron-premises
environments• DDoSmitigationtechnologiesaspartourauto-scalingstrategy
1.1.3. InventoryandConfigurationManagementDemocracyLiveserveradministratorsdeployandmonitorSecureSelectserversusingaseriesoftoolsincluding:
• Deploymenttoolstomanagethecreationanddecommissioningofresources
Page23of26
• Inventoryandconfigurationmanagementtoolstoidentifyresourcesandthentrackandmanagechangestothoseresourcesovertime
• Templatedefinitionandmanagementtoolstocreatestandard,preconfigured,hardenedvirtualmachines• Containerizedenvironmentsbasedonsecureimagesensuringquickscalingandreproducibleenvironments
1.1.4. AccessControlDemocracyLiveserveradministratorsdefine,enforce,andmanageuseraccesspoliciesacrossservices.Theseinclude:
• Identityandaccessmanagementcapabilitiestodefineindividualuseraccountswithpermissionsacrossresources
• Multifactorauthenticationforprivilegedaccounts• Integration,andfederation,withcorporateactivedirectory
1.1.5. MonitoringandLoggingDemocracyLiveserveradministratorsutilizetoolstomonitorourserverenvironment.Theseinclude:
• DeepvisibilityintoAPIcalls,includingwho,what,when,andfromwherecallsweremade• Logaggregationandoptions,streamlininginvestigationsandcompliancereporting• Alertnotificationswhenspecificeventsoccurorthresholdsareexceeded
1.2. ScalableArchitectureUsingautomaticscaling,SecureSelectstaysonlineandresponsivetovotersevenduringtrafficspikesaroundcriticalelectiondates.SecureSelectisbuiltusingastatelessserverarchitecturemakingispossibletodynamicallyprovisionnewservernodeswithoutmanualinteractionfromaserveradministrator.CPUandmemoryutilizationonSecureSelectserversaremonitored24/7.IftheCPUormemoryusageofaserversurpassesathreshold,automaticscalinginvokesthefollowingsteps:
AnewSecureSelectserver(node)isprovisioned. Oncethenewnodereachesasteadystate(ithasstartedup),ahealthcheckisperformedonthenode
a. Ifthenodeishealthy,itisaddedtotheloadbalancer.b. Ifthenewnodeisunhealthy,itisdeprovisionedandtheprocessrepeatsatStep1.
Trafficisnowdistributedevenlyacrossallnodesincludingthenewnode.
ThisprocesswillrepeatuntilCPUandmemoryusageonallserversisatanacceptablelevel.
Page24of26
1.3. FlexibleArchitectureSecureSelectcanbeutilizedinavarietyofdifferentconfigurationstomeettheneedsofanystateorcounty.ThefollowingdiagramshowsseveralpossibleconfigurationsincludingoptionsforcountyorstatehostingoftheSecureSelectapplication.
1.4. ApplicationReviewandCertificationSecureSelectiscomposedoftwomaincomponentswithacompletecodebaseunder2,500linesofcode.Thismakesafullcodebasereviewpossibleinjustamatterofhours.Theentireapplicationisjustunder20MB.
1.4.1. HTML5ApplicationTheHTML5applicationiswrittenusingtheAngularJSframeworkusingHTMLandTypeScript.Theentireapplicationhasbeenwritteninunder1,600linesofTypeScriptcodeandunder300linesofHTMLwithanaverageoflessthan100linesofcodeperfile.
Page25of26
1.4.2. WebServerThewebserverisresponsibleforhostingtheHTML5application,alongwithdownloading,sanitizing,andpreparingballotdata.ThewebservercanberunonanyVirtualMachinewithnoserverrequirements.Thewebserverportisconfigurablesuchthatitcanruninparallelwithexistingwebservers(Apache,NGINX,etc).Thisprovidesadministratorswithcompleteflexibilityusingneworexistinginfrastructure.
ThewebservercodebaseiswritteninGo1.7andisunder250linesofcode.
2. SourceCodeVerificationAhashcodeisauniquecharacterstringcreatedbyaone-wayencryptionofanydata.SecureSelectprovidesaverificationpagewhichdisplaysahashcodegeneratedfromthetextofeveryfileandexecutableintheapplication.Thishashcodecanbestoredforcomparisonafterpre-electionverification.Toassurethatnochangeshavebeenmadetothecodebase,theverificationpagecanbeusedtocomparehashcodesatanytimetoverifythecodebasehasnotbeenchanged.
2.1. StoringtheSecureSelectHashCodeAfteraversionofSecureSelectisapproved,anyonecanaccesstheSecureSelectverificationpage(https://ss.liveballot.com/verify)toviewtheCurrentHash.TheCurrentHashisauniquehashcodegeneratedfromeveryfileinSecureSelect.Thiscodewillchangeifanylineofcodeintheapplicationchanges.TheCaliforniaSecretaryofStatecanrecordthiscodeforfuturereference.
2.2. HowtouseHashCodeVerificationAtanypointinthefuture,theSecureSelectVerificationpagecanbeaccessed.Simplyenterthehashcodesavedonrecordtoverifynochangeshavebeenmade.Ifanychangestothesourcecodehavebeenmade,theSecureSelecthashcodewillnotmatchthehashcodesavedafterapproval.Differenthashcodesareclearlydisplayedtotheadministratorverifyingthesystem.
Page26of26
AppendixE:AcceptanceTestingTables1.0GeneralFunctionality Status1.1 Candidatescanbeselectedanddeselectedbyclickingonname. 1.2 Candidatescanbeselectedanddeselectedbyclickingonthecheckbox. 1.3 Over-votingisnotallowed. 1.3.1 Awarningispresentedwhenanover-voteisattempted. 1.4 Atextfieldappearswhenselectingawrite-in. 1.4.1 Acandidatenamecanbetypedintoawrite-infield. 1.4.2 Deselectingawrite-incheckboxclearsthecandidatenameentered. 1.5 SelectionsrepresentedontheReviewPagerepresentselectionsmadeontheBallotMarkingPage. 1.5.1 A“NoSelections”warningisshownforanycontestsmissingselections. 1.5.2 Under-votesareclearlyidentifiedontheReviewPage. 1.5.3 Write-incandidatesaredisplayedontheReviewPage. 1.6 Voterscanchangetheirselections. 1.7 TheprintedballotaccuratelydisplaysselectionsontheReviewPage. 1.7.1 Onlyselectionsmadearepresentedontheprintedballot(notallcandidates). 1.7.2 Write-insareshownontheprintedballot. 1.8 Afterendingtheusersessionandreturningtotheapplication,selectionsarenolongervisible.
2.0ScreenReaderAccessibility Status2.1 Allfunctionalityin1.0isaccessibleusingscreenreaderkeyboardcommands. 2.2 Verifytheon-screeninstructionsonpageonearenotreadbythescreenreader. 2.3 Over-votewarningsareclearlyreadbyscreenreaderwhenattemptingtoover-vote. 2.4 Screenreaderclearlyidentifiesselectedandunselectedcandidateswhennavigatingtheballot.
3.0KeyboardAccessibility Status3.1 Allfunctionalityin1.0isaccessibleusingonlythekeyboard. 3.2 Keyboardcontrolspresentedintheon-screeninstructionsoperateasexpected. 3.2.1 Theupanddownarrowkeysmovekeyboardfocusupanddown. 3.2.2 The+keyzoomstextupto200%oftheoriginalsize. 3.2.3 The–keyshrinkstextdowntotheoriginalsize. 3.2.4 Thespacebarcanbeusedtoactivateanitem. 3.3 Keyboardfocusisvisuallyidentifiedonscreen.
4.0AccurateBallotDisplay Status4.1 Conteststitles,subtitles,andtextdisplaycorrectly. 4.1.1 Contestorderiscorrect. 4.1.2 Contestshavethecorrectheader. 4.2 Candidatetitlesandsubtextdisplaycorrectly. 4.2.1 Candidatesdisplayinthecorrectorder. 4.3 Write-insdisplaycorrectly. 4.3.1 Thecorrectnumberofwrite-insdisplay.
5.0VoterPrivacy Status5.1 Nonetworkcommunicationismadewhileperformingallstepsin1.0 5.1.1 Nonetworkactivityoccurswhenmarkingaselection. 5.1.2 Nonetworkactivityoccurswhenprintingselections.