* The information provided below is compiled from various independent organizations working on election defense. US BASE cannot verify the accuracy of all data. Additionally we cannot vet every state or local organization working on election defense.
Ohio Technology in Use
Verified Voting Foundation
* Note that "Paper Ballot" in the map below typically designates paper ballots counted by an electronic scanning device.
Center for American Progress State by State Voting System Report
See State Grade Below
"In August 2017, the Center for American Progress released a report entitled “9 Solutions for Securing America’s Elections,” laying out nine vulnerabilities in election infrastructure and solutions to help improve election security in time for the 2018 and 2020 elections. This report builds on that analysis to provide an overview of election security and preparedness in each state, looking specifically at state requirements and practices related to:
1. Minimum cybersecurity standards for voter registration systems
2. Voter-verified paper ballots
3. Post-election audits that test election results
4. Ballot accounting and reconciliation
5. Return of voted paper absentee ballots
6. Voting machine certification requirements
7. Pre-election logic and accuracy testing
This report provides an overview of state compliance with baseline standards to protect their elections from hacking and machine malfunction. Some experts may contend that additional standards, beyond those mentioned here, should be required of states to improve election security. The chief purpose of this report is to provide information on how states are faring in meeting even the minimum standards necessary to help secure their elections.
It is important to note at the outset that this report is not meant to be comprehen- sive of all practices that touch on issues of election security. We recognize that local jurisdictions sometimes have different or supplemental requirements and proce- dures from those required by the state. However, this report only considers state requirements reflected in statutes and regulations and does not include the more granular—and voluminous—information on more localized practices. Furthermore, this report does not address specific information technology (IT) requirements for voting machine hardware, software, or the design of pre-election testing ballots and system programming. And while we consider some minimum cybersecurity best practices, we do not analyze specific cyberinfrastructure or system programming requirements. These technical standards and protocols deserve analysis by computer scientists and IT professionals who have the necessary expertise to adequately assess the sufficiency of state requirements in those specialized areas."
Ohio uses paper ballots and voting machines that provide a paper record, but its post-election audit requirements are lacking important criteria. For example, the number of ballots included in an audit is based on a fixed percentage rather than a statistically significant number tied to the margin of victory in one or more ballot contests. The state’s ballot accounting and reconciliation procedures also need improvement. The state did earn points for requiring that all voting machines be tested to EAC Voluntary Voting System Guidelines and for requiring election officials to carry out pre-election logic and accuracy testing on all machines that will be used in an upcoming election. It also exercises good practices by prohibiting voters stationed or living overseas from returning voted ballots electronically. In Ohio, all voted ballots are returned by mail or delivered in person.
Despite numerous attempts to speak to someone in state government about the cybersecurity standards for the state’s voter registration system, state officials did not respond to requests for information and comment on our research, and we were unable to locate all of the information independently. If Ohio is adhering to all of the minimum cybersecurity best practices for voter registration systems, it would receive a “good” score—worth 3 points—for that category, bringing its grade up to a B.
To improve its overall election security, Ohio should immediately update its postelection audit requirements to ensure that they adequately test the accuracy of election outcomes with a high degree of confidence. In doing so, the state should look to codify risk-limiting audits like those in Colorado as a potential model. Given the threat posed by sophisticated nation-states seeking to disrupt U.S. elections, it is imperative that post-election audits test the accuracy of election outcomes and detect any possible manipulation. Ohio should also firm up its ballot accounting and reconciliation procedures. For example, the state should explicitly require that precincts using DRE machines with VVPR compare and reconcile the number of ballots with the number of voters who signed in at the polling place. At the same time, counties should be required to compare and reconcile precinct totals with composite results to confirm they add up to the correct number.
Minimum cybersecurity standards for voter registration system: Incomplete
*State officials did not respond to our requests for information and comment on cybersecurity requirements for the state’s voter registration system. Information gathered for this section derives from independent research. If Ohio does require the missing cybersecurity best practices, its grade would be raised from a C to a B.
The state’s voter registration system is estimated to be at least 10 years old.
State officials were unable to provide us with information on whether the state’s voter registration system provides access control to ensure that only authorized personnel have access to the database.
State officials were unable to provide us with information on whether the state’s voter registration system has logging capabilities to track modifications to the database.
State officials were unable to provide us with information on whether the state’s voter registration system includes an intrusion detection system that monitors incoming and outgoing traffic for irregularities.
State officials were unable to provide us with information on whether the state performs regular vulnerability analysis on its voter registration system.
The state has enlisted the National Guard and has worked with DHS to help assess and identify potential threats to its voter registration system.
State officials were unable to provide us with information on whether the state provides cybersecurity training to election officials.
Electronic poll books are used by some, but not all, jurisdictions in the state. The state conducts pre-election testing on electronic poll books prior to an election. Paper voter registration lists are available at polling places that use electronic poll books on Election Day.
Voter-verified paper audit trail: Fair
Depending on the jurisdiction, some voters in Ohio cast paper ballots, while others vote using DRE machines with VVPR.
Post-election audits: Fair
The state conducts mandatory post-election audits. While jurisdictions may use a “simple, percentage-based post-election audit or a risk-limiting audit,” the state recommends conducting risk-limiting audits.
The state’s post-election audits are conducted through manual hand count.
It is within the discretion of the county board of elections whether to carry out the audit by precinct, polling place, or by individual voting machine, though “[i]t is preferable to audit the smallest unit available.” The number of units Legislation introduced in January 2018 would require Ohio to conduct elections exclusively by paper ballot, establish a cybersecurity directory within the Secretary of State’s Office, and put into place a cybersecurity advisory council with an eye towards making Ohio elections more secure. 145 Center for American Progress | Election Security in All 50 States included in the audit must “equal at least 5% of the total number of votes cast for the county.“ If auditing by precinct and the precinct’s vote count is greater than or equal to 5 percent, an additional precinct must be audited. The same is true if auditing by polling place. Audits include at least three ballot contests, including one top-of-the-ticket race, at least one other statewide race, and at least one non-statewide contest.
The election units included in the audit are selected randomly.
All categories of ballots—regular, early voting, absentee, provisional, and UOCAVA—are eligible for auditing.
Escalation is required if a county audit’s “accuracy rate is less than 99.5% in a contest with a certified margin that is at least 1% (calculated as a percentage of ballots cast on which the contest appeared), or less than 99.8% in a contest with a certified margin that is less than 1%. Escalation entails drawing a second random sample of at least 5% of votes cast, selected from units that were not audited in the original sample, and auditing the ballots (using the same procedures) with respect to any such contest. If, after the second round of auditing, the accuracy rate from the two samples is below 99.5%, the county shall investigate the cause of the discrepancy and report its findings to the Secretary of State’s Office,” at which point the secretary of state may order a full manual recount.
Audits are open to the public and the results are made publicly available.
Although audits are carried out after certification, an audit can reverse or correct election outcomes if an error is detected.
Ballot accounting and reconciliation: Unsatisfactory
All ballots are accounted for at the precinct level.
Precincts using paper ballots are required to compare and reconcile the number of ballots with the number of voters who signed in at the polling place, though it is unclear whether these requirements also apply to jurisdictions using DRE machines.
Counties are not explicitly required to compare and reconcile precinct totals with countywide results to ensure that they add up to the correct amount.
There is no statutorily mandated review process to ensure that all voting machine memory cards have been properly loaded onto the tally server at the county level.
While state law requires that election results be made public, it is unclear whether the same is true of information regarding ballot reconciliation processes and results.
Paper absentee ballots: Fair
The state does not permit voters—including UOCAVA voters—to submit completed ballots electronically. All ballots must be returned by mail or delivered in person.
Voting machine certification requirements: Fair
Before they may be purchased and used in the state, all voting machines must be certified by the Election Assistance Commission.
Some jurisdictions in the state likely still use voting machines that were purchased more than a decade ago.
Pre-election logic and accuracy testing: Fair
Election officials conduct mandatory logic and accuracy testing on all voting machines prior to an election.
Testing is open to the public.
The law does not specify precisely when testing must be carried out.