Harrisburg, PA – Acting Secretary of State Veronica W. Degraffenreid has issued a directive prohibiting third-party access to electronic voting systems, addressing requests that counties allow outside entities not involved with the conduct of elections to review and copy the internal electronic, software, mechanical, logic, and related components of Pennsylvania's voting systems.
"Such access by third parties undermines chain of custody requirements and strict access limitations necessary to prevent both intentional and inadvertent tampering with electronic voting systems," Secretary Degraffenreid said. "It also jeopardizes the security and integrity of the systems and will prevent electronic voting system vendors from affirming that the systems continue to meet Commonwealth security standards and U.S. Election Assistance Commission certification."
Earlier this week, a request was sent to the boards of elections in Philadelphia, Tioga and York counties, directing them to turn over all cast ballots and balloting materials from the November 2020 general election and the May 2021 primary. The request also included unprecedented and intrusive access to electronic voting equipment.
In response, the Department said it would use every available avenue to prevent such disruption of the electoral process. It also reminded counties that the federal government has designated voting equipment as Critical Infrastructure, severely limiting access by outside parties.
The directive states that county boards of elections shall not provide physical, electronic, or internal access to third parties seeking to copy and/or conduct an examination of state-certified electronic voting systems, or any components of such systems. If such access occurs, those pieces of voting equipment will be considered no longer secure or reliable to use in subsequent elections, and the Department of State will withdraw its certification of the equipment.
The directive told counties that allowing third-party access would result in them being required to replace their voting systems, just purchased in all Pennsylvania counties in 2019 or early 2020.
"We have already had two legal audits and dozens of legal opinions all stating the same thing, there was no widespread fraud in Pennsylvania. No counties should comply with these 'demands,' and if they do there will be substantial costs to counties and voters, including disclosure of personal data," said Attorney General Josh Shapiro. "The Department of State's directive clearly states that turning voting machines over to third parties jeopardizes the security of future elections. Any county that chooses to risk the safety of our elections by complying with the demand letter will not be reimbursed for the cost of replacing voting machines, which would leave taxpayers in these counties on the hook for millions of dollars."
Below is the content of the directive in its entirety:
DIRECTIVE CONCERNING ACCESS TO ELECTRONIC VOTING SYSTEMS, INCLUDING BUT NOT LIMITED TO THE IMAGING OF SOFTWARE AND MEMORY FILES, ACCESS TO RELATED INTERNAL COMPONENTS, AND THE CONSEQUENCES TO COUNTY BOARDS OF ALLOWING SUCH ACCESS
July 8, 2021
Directive 1 of 2021
The following Directive is issued July 8, 2021, by the Secretary of the Commonwealth pursuant to authority contained at Section 1105-A(a) of the Pennsylvania Election Code, 25 P.S. 3031.5(a).
1. Background. The Secretary of the Commonwealth ("Secretary") has duties pursuant to Article XI-A of the Pennsylvania Election Code, Sections 1101-A through 1122-A, to examine, evaluate and certify electronic voting systems. These reviews include verifying that the voting system conforms to federal and state law and any regulations or standards regarding confidentiality, security, accuracy, safety, reliability, usability, accessibility, durability, resiliency, and auditability. This is in addition to the Federal testing and certification undertaken by the U.S. Election Assistance Commission.
The U.S. Federal Government has played a leading role in efforts to ensure that security and resiliency of infrastructure fulfilling unique and crucial aspects in our society are identified and protected. Executive Order 13636, issued February 12, 2013, focuses on measures required for infrastructure security. In January 2017, the U.S. Department of Homeland Security designated election infrastructure as critical infrastructure under the "Government Facilities" sector, one of the 16 critical infrastructure sectors in the United States. The Pennsylvania Department of State recognized the significance of this designation while it was developing the security standards for certification of voting systems to be used in Pennsylvania elections. As a result, during the Department's examination, each voting system successfully completed penetration testing, access control testing and testing to ensure that every access point and all software and firmware are protected from tampering prior to certification by the Secretary.
2. Third-Party Access to Electronic Voting Systems. Demands have been made to allow third-party entities not directly involved with the conduct of elections to have access to electronic voting systems, specifically to review and copy the internal electronic, software, mechanical, logic, and related components of such systems. These demands have included the desire to image electronic memory spaces, to download operating systems and software, and to copy information that is internal and proprietary. Such access by third parties undermines chain of custody requirements and strict access limitations necessary to prevent both intentional and inadvertent tampering with electronic voting systems. It also jeopardizes the security and integrity of those systems and will negate the ability of electronic voting system vendors to affirmatively state that such systems continue to meet Commonwealth security standards, are validated as not posing security risks, and are able to be certified to perform as designed by the electronic voting system vendor and as certified by both the U.S. Election Assistance Commission and the Department of State.
3. Limits on Third-Party Access to Electronic Voting Systems. The following directive is effective immediately:
a. County Boards of Elections shall not provide physical, electronic, or internal access to third parties seeking to copy and/or conduct an examination of state-certified electronic voting systems, or any components of such systems, including but not limited to: election management software and systems, tabulators, scanners, counters, automatic tabulating equipment, voting devices, servers, ballot marking devices, paper ballot or ballot card printers, portable memory media devices (thumb drives, flash drives and the like), and any other hardware, software or devices being used as part of the election management system.
b. If access described in Paragraph 3.a. occurs, those pieces of voting equipment will be considered no longer secure or reliable to use in subsequent elections. As a result, the Department of State will withdraw the certification or use authority for those pieces of the county voting system. This directive is specific to the impacted pieces of the county electronic voting system and does not impact the certification of the underlying voting system nor does it impact other pieces of a county's voting system that has not been accessed/copied by a third-party.
c. The Commonwealth of Pennsylvania will not reimburse any cost of replacement voting equipment for which certification or use authority has been withdrawn pursuant to this directive.
4. Notice. County Boards of Elections shall notify the Secretary immediately upon receipt of any written or verbal request for third-party access to an electronic voting system, or any component thereof. In addition, County Boards of Elections and voting system vendors have an affirmative duty to notify the Secretary immediately of any breach or attempted breach in the chain of custody of its voting system components.
5. Other Obligations of County Boards of Elections Regarding Third-Party Requests for Access to Election-Related Material. County Boards of Elections are advised to:
a. Review all contracts, lease agreements, or other documents evidencing agreements between vendors and the county to determine the contractual impacts of providing any such requested access.
b. Comply with federal law regarding the retention and preservation of records.
c. Protect the privacy of voters as required by the Constitution and state law.
6. Future Actions. This Directive shall remain in force until cancelled or rescinded by the Secretary of the Commonwealth, by a subsequent Directive, or by another issuance.
MEDIA CONTACT: Wanda Murren, 717-783-1621