Election Security

Technological Security

• San Francisco’s voting system has been certified by the Secretary of State (SOS). As part of this process, the SOS conducted source code review and evaluation, hardware and software security penetration, open-ended vulnerability, and operational testing to validate the system’s performance and functioning under normal and abnormal conditions and to identify and resolve or mitigate vulnerabilities.
• California voting systems are not connected to the internet at any time. Therefore, no part of San Francisco’s voting system electronically receives or transmits election data through an external network and every local voter uses a paper ballot to cast their vote. In addition, to create an auditable record of every vote cast, our voting system produces publicly verifiable and sortable digital image files of voted ballots; these files also include notes regarding how the system interpreted each ballot’s vote-marks.
• We use only the trusted build software provided by the SOS. Before every election, we confirm the voting system is identical to the SOS supplied trusted build by reinstalling the trusted build or utilizing the SOS trusted build cryptographic HASH to ensure it matches the approved version and has not been modified.
• Any modifications to a voting system, including additions, and/or deletions of certified firmware, software, or hardware, must be authorized by the Secretary of State.
• Our voting system components are stored in a secure facility protected by physical intrusion prevention security controls and safeguards. We follow strict chain of custody requirements for all voting technology software, firmware, and hardware; they meet federal guidance from the Department of Justice, the Cybersecurity and Infrastructure Security Agency, and the Election Assistance Commission.
• Prior to each election, we conduct thorough Logic & Accuracy testing on every piece of voting equipment to be used. Staff use batches of pre-marked ballots, process them, and then compare the actual results to expected results in order to verify each unit and the system as a whole is functioning a) mechanically (i.e., ballots are fed correctly through belts and rollers without jamming), b) logically (i.e., the unit recognizes the ballot type), and c) accurately (i.e., the system reads, tabulates, and reports the correct total vote numbers).
• After each election, we conduct a post-election manual tally. As part of this public process, we manually count all of the standard ballots cast in 1% (one percent) of randomly chosen San Francisco precincts, as well as 1% of randomly-chosen citywide vote-by-mail and provisional ballots. We conduct this manual tally to verify mathematically that the voting equipment properly tabulated ballots and accurately reported results. After each election, we also conduct a post-election risk-limiting audit as an extra check. 
• We apply SHA-512 cryptographic hashing to all election results reports to establish the integrity of the results in a verifiable manner.

Voter Data Security

• The Department does not include any personal information that identifies specific voters in the website applications that are public facing to protect voters’ personal data from unauthorized access.
• The Department’s web applications that provide voters information such as the status of their vote-by-ballot, provisional ballot, registration record, and polling place locations reside on an offsite server and are protected by Cloudflare, which offers multiple security functions.
• We follow strict protocols in verifying the eligibility and identity of every registered voter. As part of those protocols, we regularly review and update San Francisco’s voter registration database. For example, we coordinate with the Department of Public Health and other government agencies that track deaths to remove deceased voters from the voter roll. We also work with the USPS National Change of Address program to ensure voter records are up to date.
• When a mail ballot envelope is returned by a voter, we verify the sender’s identity using a rigorous three-person signature verification process. Only if the signature on a return envelope compares to the signature(s) in the recipient voter’s registration record will the ballot be accepted for further processing and counting. If we cannot find a comparable signature on file for a returned mail ballot, we attempt to contact the recipient voter in order to give them a chance to update their registration record. If they do so before certification of the election, we can count their ballot and include their selections in election results.
• Every polling place is issued a precinct roster. The roster lists names and addresses of voters registered in that precinct. Poll workers are trained to offer a provisional ballot to anyone whose eligibility is in question – this ballot will only be counted if the voter is eligible.
• We maintain a documented, multi-person chain of custody for ballot handling and processing tasks. All elections workers handling ballots must review current security rules and sign an acknowledgement of those rules. Deputy Sheriffs escort elections workers during voted ballot collection from official ballot boxes.  
• Every San Francisco poll worker must complete a comprehensive training and sign the Poll Worker Oath before serving on Election Day. This training provides detailed instructions on how to maintain security during set-up, voting hours, and closing. Poll workers also post a ballot accounting at closing.
• All Department of Elections employees must sign and adhere to the rules given in the Acknowledgement of Election Integrity Laws and Security Protocols; they must also review and comply with the Department’s Statement of Incompatible Activities.
• The tamper-free design of San Francisco’s official ballot drop boxes complies with strict and specific state regulations. For example, each of our 37 ballot drop boxes is made of heavy, high-grade metal, bolted to the ground, and features minimally sized ballot insertion slots and fireproof material.
• While processing returned ballots, elections workers follow strict operational rules. These rules protect the overall integrity of the election (e.g., one person, one vote) as well as individual voter rights (e.g., the right to cast a secret ballot). Mail ballots remain in their return envelopes until being accepted and are kept face down after being opened. In-person voters are provided with either privacy folders or ballot return envelopes (provisional voters).  
• We maintain systems that allow local voters to easily track their mail ballot from assembly up through mailing and processing. In-person voters can scan their ballots at the polls and confirm that ballots have been tabulated by the voting equipment.

Frequently Asked Questions

What is the Department of Elections doing to prevent election misinformation and disinformation?

At the San Francisco Department of Elections, we are taking a proactive approach to this heightened concern. Our strategies include:

• Publishing clear, easy-to-understand information on sf.gov and sfelections.org and in our printed materials.
• Providing robust outreach through notices, press releases, social media, and live presentations.
• Monitoring and responding to any false information posted on public media with official facts.
• Notifying all locally registered voters about key election dates, rules, operational changes, etc.
• Engaging with residents and outreach partners at various events (see our outreach calendar at sfelections.org/events.)

What can I do as a voter or interested party to help keep elections secure?

There are a number of things you can do to help protect the integrity of our elections! Here are some suggestions to help you get started:

• Check your voter registration record regularly to make sure all information, including your address, is correct and update it as necessary.  
• Follow us (@SFElections) on Facebook, Instagram, X (Twitter), YouTube, and Nextdoor.  
• Read official news, updates, and public notices sent directly to your email by subscribing to our mailing list.
• Serve as a poll worker or an elections observer (you can observe election processes in person or via live streaming).
• Report misinformation to the Secretary of State’s office at VoteSure@sos.ca.gov and the Department of Elections at sfvote@sfgov.org.
• Report voting suspicious activity, such as fraud, corruption, or tampering, to any of the following:
  • A poll worker or our office at 415-554-4375.
  • Our District Attorney at 628-652-4311.
  • Our Secretary of State at 800-345-8683.

Is online voting allowed?

No. State law prohibits online voting, which in this context means the casting of a ballot. At polling places, a voter may mark and print a paper ballot using a ballot-marking device and have the ballot scanned and tabulated by the voting equipment. Similarly, the Accessible Vote-by-Mail system, which, by law, every county in the state is required to maintain, allows any local voter to download and mark a PDF ballot. However, the AVBM system does not store, track, or count any selections and the printout must be returned in an envelope, just like a regular vote-by-mail ballot. (AVBM is mainly used by local voters with disabilities or working abroad.)

Why don’t election officials in California check voter IDs?

In California, voters are not required to show identification when voting, except under certain circumstances. Only first-time voters voting in a federal election for the first time and who registered by mail and did not provide a Driver’s License number or Social Security number will be asked to provide one of several acceptable forms of identification such as a utility bill or an identification document issued by a governmental agency with the voter’s name and address or a photo ID such as a student ID card.

Are San Francisco’s provisional ballots only counted in a close race?

No, that is not the rule. Any voter whose eligibility cannot be immediately determined (for example, a voter not listed on the precinct roster), will be offered a provisional ballot. After Election Day, we review all provisional ballots cast on Election Day. If a voter is determined to be eligible and has not cast another ballot, the provisional ballot will be counted. Voters may check the status of their provisional ballots via our provisional ballot lookup tool at sfelections.org/pvlookup/ or by calling us.