DARPA-backed voting system for soldiers abroad savaged
VotingWorks, developer of the system, disputes critics' claims
An electronic voting project backed by DARPA – Uncle Sam's boffinry nerve center – to improve the process of absentee voting for American military personnel stationed abroad has been slammed by security researchers.
In February, VotingWorks, a non-profit election technology developer, showed off a prototype of an encrypted voting system. With funding support from DARPA, the project aims to make it easier for service personnel to vote in US elections when stationed outside of the United States.
According to the Federal Voting Assistance Program, about three quarters of the 1.3 million active duty military members are eligible to cast absentee ballots, but many face barriers that hinder participation in elections. The rate of election participation among those in the military was significantly lower than the rate for civilians in 2022 (26 percent v. 42 percent) – hence DARPA and VotingWorks want to help service personnel participate in the democratic process.
Their proposed system – dubbed CACvote in reference to military smart ID cards called "Common Access Cards" – consists of four elements: voting kiosks at military bases for military personnel; a computer system that receives ballots from those kiosks; a cryptographic protocol for encoding and transmitting ballots, which also get printed and mailed; and a risk-limiting audit (RLA) protocol intended to detect integrity violations (eg, hacking) that alter an election outcome, and to correct the outcome.
The latter two elements – the cryptographic protocol and the RLA – collectively are known as MERGE, which stands for Matching Electronic Results with Genuine Evidence. Paper ballots represent said evidence.
According to an analysis paper from Andrew Appel, professor of computer science at Princeton University, and Philip Stark, professor of statistics at UC Berkeley, MERGE "contains interesting ideas that are not inherently unsound" but isn't realistic given the legal, institutional, and practical changes necessary to make it work.
MERGE, they argue, offers paper ballots as a way to verify electronic votes – if and when determinative to an election outcome – without necessarily exposing the identity of the voter. So in the event of an audit, discrepancies between the electronic voting record and the paper voting record could be identified without having to match every electronic and paper ballot.
CACvote and MERGE, according to the authors, aspire to allow electronic votes to be counted immediately without having to wait around five days for the paper ballots to reach the voter's local election office by mail.
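To make the sampling idea above concrete, here is an added Python illustration of a ballot-level comparison risk-limiting audit. It is not code from the article, from MERGE, or from VotingWorks: it is a generic RLA in the style of Stark's "super-simple" method, using the Kaplan-Markov P-value bound, run over a constructed electronic record and constructed paper ballots. All names (`run_audit`, `km_factor`, the `CLEAN_CVRS`/`TAMPERED_PAPERS` lists, the 1,000-ballot tallies) are assumptions for the demonstration; the cryptographic linkage and the mail delay that MERGE has to cope with are left out.

```python
"""Toy ballot-level comparison risk-limiting audit (RLA).

Constructed illustration of the general RLA idea the article describes
(electronic record vs. paper ballot, discrepancies found by sampling);
it is NOT the MERGE protocol or VotingWorks code. The P-value bound is the
Kaplan-Markov bound used in Stark's "super-simple" comparison audit method.
"""
import math
import random

GAMMA = 1.03905     # error inflator used in Stark's super-simple method
RISK_LIMIT = 0.05   # alpha: max chance an outcome-changing error escapes the audit


def tally(votes):
    """Count votes per candidate from a list of candidate names."""
    counts = {}
    for v in votes:
        counts[v] = counts.get(v, 0) + 1
    return counts


def diluted_margin(reported, n_ballots):
    """Reported margin between the top two candidates as a fraction of all ballots cast."""
    top_two = sorted(reported.values(), reverse=True)[:2]
    return (top_two[0] - top_two[1]) / n_ballots


def overstatement(cvr_vote, paper_vote, winner, loser):
    """Votes by which the electronic record (CVR) overstates the winner's margin on
    one ballot relative to its paper ballot: an integer in [-2, 2]."""
    def margin(vote):
        return (1 if vote == winner else 0) - (1 if vote == loser else 0)
    return margin(cvr_vote) - margin(paper_vote)


def km_factor(omega, mu, gamma=GAMMA):
    """Kaplan-Markov multiplier for one audited ballot with overstatement omega.
    Understatements (omega < 0) are conservatively ignored."""
    omega = max(omega, 0)
    return (1 - mu / (2 * gamma)) / (1 - omega / (2 * gamma))


def clean_sample_size(mu, alpha=RISK_LIMIT, gamma=GAMMA):
    """Ballots that must be examined to reach the risk limit if none disagree."""
    return math.ceil(math.log(alpha) / math.log(1 - mu / (2 * gamma)))


def run_audit(cvrs, papers, alpha=RISK_LIMIT, order=None, seed=0):
    """Check the electronic tally against paper ballots, one sampled ballot at a time.

    cvrs[i] is ballot i's electronic record, papers[i] its paper ballot.
    Returns (electronic_winner, audited_winner, ballots_examined, full_hand_count).
    """
    n = len(cvrs)
    reported = tally(cvrs)
    winner, loser = sorted(reported, key=reported.get, reverse=True)[:2]
    mu = diluted_margin(reported, n)
    if order is None:                      # random sampling order, seeded for reproducibility
        rng = random.Random(seed)
        order = list(range(n))
        rng.shuffle(order)
    log_p = 0.0                            # log of the running Kaplan-Markov P-value
    for examined, i in enumerate(order, start=1):
        omega = overstatement(cvrs[i], papers[i], winner, loser)
        log_p += math.log(km_factor(omega, mu))
        if log_p <= math.log(alpha):       # risk limit met: electronic outcome confirmed
            return winner, winner, examined, False
    # Risk limit never met: every paper ballot was examined, so the paper decides.
    paper_tally = tally(papers)
    paper_winner = max(paper_tally, key=paper_tally.get)
    return winner, paper_winner, n, True


# Constructed data: 1,000 ballots, electronic tally A=600, B=400 (diluted margin 0.2).
CLEAN_CVRS = ["A"] * 600 + ["B"] * 400
CLEAN_PAPERS = list(CLEAN_CVRS)                    # paper agrees with every CVR
# Constructed tampering: 150 paper ballots for B were recorded electronically as A,
# so the true paper outcome is A=450, B=550 and the electronic winner is wrong.
TAMPERED_PAPERS = ["B"] * 150 + ["A"] * 450 + ["B"] * 400

if __name__ == "__main__":
    print("clean:   ", run_audit(CLEAN_CVRS, CLEAN_PAPERS))
    print("tampered:", run_audit(CLEAN_CVRS, TAMPERED_PAPERS))
```

With the paper agreeing everywhere, the audit confirms the electronic outcome after examining 30 of the 1,000 ballots, which is the point of the article's "without having to match every electronic and paper ballot". In the tampered scenario each two-vote overstatement multiplies the P-value by roughly 24, so the risk limit is never reached and the audit escalates to a full hand count of the paper, which is how the RLA "corrects the outcome"; the risk limit bounds the chance that a wrong electronic outcome survives at `alpha`.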
But the scheme, they insist, is neither necessary nor workable.
"Sending an untrustworthy electronic vote to be counted, backed up by a paper ballot that's the genuine evidence – but that will not be counted unless there is a binding recount with suitable rules – is a solution in search of a problem; it is unnecessary," assert Appel and Stark.
MERGE, they observe, makes unrealistic demands on voters to check cryptographic signatures, look up those signatures on a public bulletin board several days after casting a vote, and then check to make sure their printed paper ballot reflects their touchscreen voting choices.
"In the MERGE paper’s security analysis, the fraction of voters who do not 'follow instructions' is left unquantified; this is a serious omission, since surely if the number is extreme, it must undermine the security of the protocol," argue Appel and Stark.
The authors go on to argue that the proposal is so misaligned with US election laws and actual practices as to be unimplementable. Specifically, they note that only five percent of voters live in three US states – Colorado, Rhode Island, and Virginia – that have binding RLA requirements for elections.
"Even in those states, the security of CACvote would depend on changes in state law to integrate its complex protocol and to require an RLA of every contest in every election, regardless of the reported margin and anticipated workload," they observe. "In any other state, CACvote can be no more secure than any other form of internet voting."
And internet voting, they maintain, is just not secure. "The consensus of election security experts is that electronically returned ballots are vulnerable to large-scale remote attacks and manipulation," the authors claim.
To illustrate this point, they cite various electronic voting systems that have been found to be insecure in Washington, DC, in Estonia, in Australia, and in Switzerland, as well as the Voatz and Democracy Live systems.
Ben Adida, executive director of VotingWorks and technical lead on the project, disputes the researchers' claims.
"We welcome all feedback on the CACvote research project – that's exactly what open and transparent research is about," he told The Register. "That said, we think critiques of CACvote should be based on the research itself, not on imagined alternatives.
"We do not agree with their premise. Their paper implies that if you take away the paper-based security measures we specify, then bad things can happen. Well, of course. The same can be said of in-person hand-marked paper-based elections. If you don't run a post-election audit on those elections, then they are also vulnerable to a pure software attack.
"There is, today, a significant move towards actual internet voting for military voters. We think that's a bad trend. We are researching CACvote precisely so we can provide a practical alternative to internet voting that maintains an auditable voter-verifiable paper ballot. We do not support, under any circumstance, removing the auditable voter-verifiable paper ballot portion of our design."
DARPA did not immediately respond to a request for comment. ®