* The information provided below is compiled from various independent organizations working on election defense. US BASE cannot verify the accuracy of all data. Additionally we cannot vet every state or local organization working on election defense.
Florida Technology in Use
Verified Voting Foundation
* Note that "Paper Ballot" in the map below typically designates paper ballots counted by an electronic scanning device.
Florida Election Security Grade: F
Center for American Progress Report
"In August 2017, the Center for American Progress released a report entitled “9 Solutions for Securing America’s Elections,” laying out nine vulnerabilities in election infrastructure and solutions to help improve election security in time for the 2018 and 2020 elections. This report builds on that analysis to provide an overview of election security and preparedness in each state, looking specifically at state requirements and practices related to:
1. Minimum cybersecurity standards for voter registration systems
2. Voter-verified paper ballots
3. Post-election audits that test election results
4. Ballot accounting and reconciliation
5. Return of voted paper absentee ballots
6. Voting machine certification requirements
7. Pre-election logic and accuracy testing
This report provides an overview of state compliance with baseline standards to protect their elections from hacking and machine malfunction. Some experts may contend that additional standards, beyond those mentioned here, should be required of states to improve election security. The chief purpose of this report is to provide information on how states are faring in meeting even the minimum standards necessary to help secure their elections.
It is important to note at the outset that this report is not meant to be comprehen- sive of all practices that touch on issues of election security. We recognize that local jurisdictions sometimes have different or supplemental requirements and proce- dures from those required by the state. However, this report only considers state requirements reflected in statutes and regulations and does not include the more granular—and voluminous—information on more localized practices. Furthermore, this report does not address specific information technology (IT) requirements for voting machine hardware, software, or the design of pre-election testing ballots and system programming. And while we consider some minimum cybersecurity best practices, we do not analyze specific cyberinfrastructure or system programming requirements. These technical standards and protocols deserve analysis by computer scientists and IT professionals who have the necessary expertise to adequately assess the sufficiency of state requirements in those specialized areas."
Florida allows voting using machines that do not provide a paper record and fails to mandate robust post-election audits that test the accuracy of election outcomes, which does not provide confirmation that ballots are cast as the voter intends and counted as cast. Currently, post-election audits may be conducted by electronic automated retabulation, which is vulnerable to hacking. Moreover, the scope of an audit is tied to a fixed percentage rather than a statistically significant number based on the margin of victory in one or more ballot contests. Also problematic is the fact that audits are carried out after certification and are not binding on elec- tion outcomes even if they are found to be erroneous. Adding to this is the fact that voters stationed or living overseas are permitted to return voted ballots electronically by fax, a practice warned by election security experts as notoriously insecure. Furthermore, state law does not explicitly require voting machines to be tested to EAC Voluntary Voting System Guidelines before being purchased or used in the state. Its ballot accounting and reconciliation procedures also need improvement. Florida did earn points for requiring election officials to carry out logic and accu- racy testing on all voting machines that will be used in an upcoming election.
Despite numerous attempts to speak to someone in state government about the cybersecurity standards for the state’s voter registration system, state officials told us they would not provide information or comment on our research; the state receives an incomplete, as we were unable to locate all the information for the cat- egory independently. Even if Florida is adhering to all of the minimum cybersecu- rity best practices for voter registration systems its overall grade would not change, given the point distribution for the other categories.
To improve its overall election security, Florida should stop using paperless DRE machines and strengthen its post-election audit requirements. Florida’s elec- tions will remain vulnerable to sophisticated nation-states so long as jurisdic- tions continue using voting machines that do not provide a paper record and the state fails to carry out robust post-election audits that test the accuracy of elec- tion outcomes. By requiring statewide use of paper ballots and strengthening its post-election audit procedures, the security of Florida’s elections could be greatly improved. Florida should also explicitly require all voting machines to be tested to EAC Voluntary Voting System Guidelines prior to being purchased and used in the state. Even if all voting machines are currently EAC-certified, this requirement should be codified by law for future purchases. Finally, regarding ballot accounting and reconciliation, officials at the county level should be required to compare and reconcile precinct totals with composite results to confirm that they add up to the correct number.
Minimum cybersecurity standards for voter registration system: Incomplete
*State officials told us they would not participate in our research and therefore were unable to provide us information on cybersecurity requirements for the state’s voter regis- tration system. Information gathered for this section derives from independent research.
The state’s voter registration system is estimated to be at least 10 years old.
The state’s voter registration system provides access control to ensure that only authorized personnel can access the database.
State officials were unable to provide us with information on whether the state’s voter registration system has logging capabilities to track modifications to the database.
State officials were unable to provide us with information on whether the state’s voter registration system includes an intrusion detection system that monitors incoming and outgoing traffic for irregularities.
The state performs regular vulnerability assessments on its voter registration system.
The state has enlisted DHS to help assess and identify potential threats to its voter registration system and election infrastructure.
State officials were unable to provide us with information on whether the state provides cybersecurity training to election officials.
Electronic poll books are used by some, but not all, jurisdictions in the state.
- Some localities provide backup paper copies of voter registration lists at polling places that use electronic poll books, while others are entirely paperless. Pre-election testing of electronic poll books is left up to the counties that use them.
Voter-verified paper audit trail: Unsatisfactory
- Depending on the jurisdiction, some voters in Florida cast paper ballots, while others vote using paperless DRE machines.395
Post-election audits: Unsatisfactory
While Florida conducts a form of post-election review, its use of paperless DRE machines prevents it from carrying out audits that can confirm the accuracy of election outcomes.
The audit may be conducted by manual hand count or electronically through auto- mated retabulation.396 The process differs slightly depending on the method.
A manual audit consists of a hand count of the votes cast in one randomly selected ballot contest. Such audits include at least 1 percent but no more than 2 percent of precincts. An automated audit consists of a retabulation of votes cast across every ballot contest. Such audits include at least 20 percent of precincts.
The precincts included in the audit are randomly selected.
All categories of ballots—regular, early voting, absentee, provisional, and UOCAVA—are eligible for auditing.
There is no statutory requirement that an audit escalate in the event that preliminary outcomes are found to be incorrect.
Audits are open to the public and results are made public within seven days following certification.
Audits take place after certification of the official election results.
- There is no statutory requirement on whether an audit can reverse electionresults if an error is detected.
Ballot accounting and reconciliation: Unsatisfactory
All ballots are accounted for at the precinct level.
Precincts are required to compare and reconcile the number of ballots with the number of voters who signed in at the polling place.
Counties are not explicitly required to compare and reconcile precinct totals with countywide results to ensure that they add up to the correct amount.
There is no statutorily mandated review process at the county level to ensure that all voting machine memory cards have been properly loaded onto the tally server.
The state requires that all election results and reconciliation procedures be made public.
Paper absentee ballots: Unsatisfactory
- Florida permits UOCAVA voters to submit completed ballots electronically via fax.
Voting machine certification requirements: Unsatisfactory
The state does not require voting machines to meet federal requirements before they are purchased and used in elections in the state.
- Some jurisdictions in the state likely still use voting machines that were pur- chased more than a decade ago.
Pre-election logic and accuracy testing: Fair
Election officials conduct mandatory logic and accuracy testing on all voting machines prior to an election.
Testing is open to the public.
Testing occurs within 10 days before early voting begins.