DARPA Is Developing an Open-Source Voting System

This sounds like a good development:

...a new $10 million contract the Defense Department's Defense Advanced Research Projects Agency (DARPA) has launched to design and build a secure voting system that it hopes will be impervious to hacking.

The first-of-its-kind system will be designed by an Oregon-based firm called Galois, a longtime government contractor with experience in designing secure and verifiable systems. The system will use fully open source voting software, instead of the closed, proprietary software currently used in the vast majority of voting machines, which no one outside of voting machine testing labs can examine. More importantly, it will be built on secure open source hardware, made from special secure designs and techniques developed over the last year as part of a special program at DARPA. The voting system will also be designed to create fully verifiable and transparent results so that voters don't have to blindly trust that the machines and election officials delivered correct results.

But DARPA and Galois won't be asking people to blindly trust that their voting systems are secure -- as voting machine vendors currently do. Instead they'll be publishing source code for the software online and bringing prototypes of the systems to the Def Con Voting Village this summer and next, so that hackers and researchers will be able to freely examine the systems themselves and conduct penetration tests to gauge their security. They'll also be working with a number of university teams over the next year to have them examine the systems in formal test environments.

Posted on March 14, 2019 at 1:20 PM • 36 Comments

Comments

David Rudling • March 14, 2019 1:31 PM

I like the sound of the hardware for this system. Now if someone can write a secure general operating system to run on it this could be "the next big thing" in computing.

C • March 14, 2019 2:02 PM

Thanks for highlighting this. It's great that DARPA is using military funding for research with important civilian applications, rather than focusing strictly on purely-military applications.

albert • March 14, 2019 2:03 PM

@David,
"...I like the sound of the hardware for this system...."
Indeed.

"...Now if someone can write a secure general operating system to run on it this could be "the next big thing" in computing...."

You're not a man of small "ifs" are you?

As the article points out, the new system is a proof-of-concept system.

"...The systems Galois designs won’t be available for sale. But the prototypes it creates will be available for existing voting machine vendors or others to freely adopt and customize..."

Aye, there's the rub.
. .. . .. --- ....

VinnyG • March 14, 2019 2:04 PM

"Open source" is the only attribute that gives me any confidence at all in the integrity of this project. Hopefully, that doesn't turn out to be "open source, with exceptions" or "open source, written so only a half-dozen people in the world are capable of reading and understanding it." However, even if this project should produce a voting system that exhibits demonstrably perfect integrity and auditability, there would remain a significant hurdle to overcome. In the US, popular voting, and administration of same, is the exclusive province of the individual states, not the federal government. If the federal government wanted the system that results from this project to be utilized for casting and counting the popular vote, it would have two options: persuasion; or a change of law. The former would require that the federal government cultivate a level of trust from the states that (at least in many cases) it does not presently enjoy; the latter would appear to require a Constitutional Amendment.

albert • March 14, 2019 2:10 PM

@Mace,

Are these standalone systems, or do they run on standard operating systems and/or hardware?

. .. . .. --- ....

Mace Moneta • March 14, 2019 2:26 PM

@albert These are OS agnostic, supporting major platforms. If you want to add creating a national scale OS backend, you'll need to add at least a decade to development. Linux is 28 years old, and counting.

David Rudling • March 14, 2019 3:04 PM

@Albert
The tongue was in cheek. You and I both agree that whether the next big thing in computing is, as Hamlet would say "To be or not to be" his own answer and ours is "Aye, there's the rub" - so not to be.

1&1~=Umm • March 14, 2019 3:22 PM

@David Rudling:

"Now if someone can write a secure general operating system to run on it this could be "the next big thing" in computing."

Not likely to happen. Of the 'pick three' of 'usable', 'general purpose', 'fast' and 'secure', guess which one is going to be the odd one out, first time to last time?

However that's not the real problem, which is, in the reality of a commercial market --which is what it will become on the camel principle-- you will get an approximation to one only, and marketing makes the choice, not the market.

Oh and as for the rest of the options, well they don't even get the 'putting lipstick on a sleeping Rottweiler' level of attention in a commercial environment.

If you think about it, President Trump's 300lb keyboard thumpers in their parents' back bedrooms are currently our best hope for privacy in computing...

If you are not sure why, have a look at the two number one open source browsers. Go through their hidden-from-ordinary-users options and settings. Could they be set up any further to favour the data collectors? Probably not. Tim B-L can go on about his vision, but the reality is that with HTML5 the W3C sided with the big data collectors. They did this knowing full well which side their bread is buttered; as for Tim B-L, they treat him like that awkward uncle who comes to Xmas lunch: they nod politely and look at the clock to see how long before his ride home is due. Having first made sure his coat is the one on top, thus quickest to get at.

Faustus • March 14, 2019 4:50 PM

This is the first good idea government has had in years.

Additionally, I really think that people should be able to check that their vote was registered correctly. I wonder if there is a tricky zero knowledge proof construction that would enable someone to prove to themselves that their vote is registered correctly while still being unable to prove to others how they voted (to avoid enabling vote selling).

Why should anybody believe their vote is registered correctly if they can't verify it? Nobody can audit that the whole system is in fact the open source they are given. However open source does enable crowd sourced security audits so it remains a good thing.

Sfan • March 14, 2019 4:51 PM

FWIW, Elections Canada used a paper & marker ballot system and a human & paper based voter validation system until 2015. Poll results were manually counted and verified by EC officials and party scrutineers. It was rare that any single riding took longer than an hour to declare a winner. Of course everything was auditable. And kinda hard to hack.

The last election saw our first use of voting machines. The results were unnoticeably faster. As far as I can tell, the reason was not much more than "all the cool countries are doing it".

Another Mouse • March 14, 2019 5:28 PM

If Swiss Post can't solve secure online voting, then how does DARPA think they will be able to do the trick?!

*LMAO*

gordo • March 14, 2019 5:36 PM

@The handle formerly known as, err, I mean;
@1&1~=Umm,

Yes, the last thing that the big data collectors want from T-BL or anyone else is for everyone to be their own data aggregator/broker. Oh, and as it regards voting systems, they're simply methods of choosing, in many ways no different from making a purchase, hailing a cab, participating in a data commons, etc. The hoarding and herding of the big data collectors is diametrically opposed to such ventures, i.e., to individual lives, liberties and pursuits of happiness.

PJ • March 14, 2019 7:00 PM

First good idea the government has had in years?

I recommend Michael Lewis's book The Fifth Risk to disabuse yourself of this kind of thinking. There are many smart and dedicated people working for the US govt and their contributions are enormous, and they have good ideas all the time.

SamIam • March 14, 2019 7:48 PM

This open source approach doesn't work when your opponents are heavily funded nation states like Russia and China. They can find zero day flaws in open source systems. Then you don't find out about the flaw till the election, if then.

Earnest • March 14, 2019 8:19 PM

Sfan, Elections Canada might have introduced those machines to reduce the amount of labour required. Apparently the City of Ottawa, at least, has had some trouble getting people to run the municipal polls; before the last election, they were recruiting at city events and offering money.

(BTW, the Elections Canada building on Coventry Road had a very good tour during Doors Open last June. If they offer it again, readers in the area should check it out. They still have all the ballots from the last election, and they discussed election security—ballot paper, sealed bags, etc., but I don't recall much discussion of voting computers.)

Billikin • March 14, 2019 9:37 PM

As far as US Federal elections are concerned, although states in the US regulate their own elections, Congress may also regulate such elections, and alter state regulations. It could therefore require states that use electronic voting machines to meet certain standards, or to use open source software or hardware.

1&1~=Umm • March 15, 2019 1:06 AM

@Faustus:

"I wonder if there is a tricky zero knowledge proof construction that would enable someone to prove to themselves that their vote is registered correctly while still being unable to prove to others how they voted (to avoid enabling vote selling)."

The weasel words there are 'registered correctly'.

The criteria are, after the voter:

1. The vote was cast.
2. The voter is allowed to vote.
3. The vote was tallied.
4. The vote was assigned correctly.
5. The vote was only counted once.
6. The same is true for all votes.

Whilst you can do 1 above, all that shows is that in some log somewhere is the fact you entered your credentials to make your vote.

From step 2 onwards you have the issue of traceability to the actual user and vote made.

We have no proof that 'One Way Functions' are truly 'one way'; further, like passwords they are completely susceptible to 'dictionary attacks' via the likes of Rainbow Tables. So the question arises of how you, in effect, get a unique primary key for the user's vote(s) that is fully traceable to the voter but is not traceable to anyone else?

With passwords a simple salt can be used, but it is directly traceable to the user identifier --account name-- for it to work.

The system needs the user identifier for step 2 to remove 'ghost votes' from being used to attack the system. For the same reason it's needed for steps 5 and 6.

People forget that with paper votes the ballot papers can be easily made traceable to a user identifier, and this has been done in the past by regimes looking to verify loyalty or dissent in their citizens. It's not just 'vote buying' type influence you have to worry about.

You need traceability of some form, not just to prove to the individual voter that their vote went into the system, but that it only went to the correct candidate. An easy attack would be various forms of double counting. Your vote could be added to your choice but also to one or more other candidates you did not choose, thus in effect nullifying it in the final totals.

It's a difficult problem because you also need traceability on all other cast votes as well, not just to stop count attacks but to show they can not have happened to other voters, election officials etc.
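The six criteria in the comment above (cast, eligible, tallied, assigned correctly, counted once, and the same for every ballot) and its point about dictionary attacks on "one-way" hashes, as an added Python example that is not code from the original post or from any commenter or from the DARPA/Galois project. The electorate, candidates and ballots are constructed sample data. The first part shows that a hash of (voter id, choice) alone is recoverable by enumerating the tiny input space; the second part uses a commitment under a 256-bit nonce held by the voter, a published bulletin board, and a public audit that accepts a tally only if every published commitment opens exactly once to exactly one candidate.

```python
import hashlib
import secrets
from collections import Counter

# Constructed sample data (hypothetical electorate, not from any real system).
ELIGIBLE_VOTERS = frozenset({"alice", "bob", "carol"})
CANDIDATES = ("red", "blue")


def naive_tag(voter_id: str, choice: str) -> str:
    """Hash of (voter id, choice) only: both inputs are low entropy, so the
    'one-way function' is applied to a space anyone can enumerate."""
    return hashlib.sha256(f"{voter_id}:{choice}".encode()).hexdigest()


def recover_from_naive_tag(tag: str, voter_ids, candidates):
    """|voters| x |candidates| guesses recover who voted how from a published
    naive tag; this is the dictionary-attack objection from the comment."""
    for v in sorted(voter_ids):
        for c in candidates:
            if naive_tag(v, c) == tag:
                return v, c
    return None


def commit(choice: str, nonce: bytes) -> str:
    """Commitment to a choice under a 256-bit secret nonce; without the nonce
    the candidate cannot be recovered by enumeration."""
    return hashlib.sha256(nonce + b":" + choice.encode()).hexdigest()


class BulletinBoard:
    """Public append-only list of commitments plus the set of admitted voters."""

    def __init__(self, eligible):
        self.eligible = set(eligible)
        self.voted = set()          # criteria 2 and 5: eligible, vote once
        self.commitments = []       # published
        self._openings = []         # (nonce, choice) held by the authority

    def cast(self, voter_id: str, choice: str) -> bytes:
        if voter_id not in self.eligible:
            raise PermissionError("not an eligible voter (ghost vote)")
        if voter_id in self.voted:
            raise PermissionError("voter has already cast a ballot")
        if choice not in CANDIDATES:
            raise ValueError("unknown candidate")
        nonce = secrets.token_bytes(32)
        self.voted.add(voter_id)
        self.commitments.append(commit(choice, nonce))
        self._openings.append((nonce, choice))
        return nonce                # the voter's receipt

    def publish_openings(self):
        """Openings are released shuffled, detached from the voted set."""
        out = list(self._openings)
        secrets.SystemRandom().shuffle(out)
        return out


def voter_check(board: BulletinBoard, nonce: bytes, choice: str) -> bool:
    """Criterion 4 for one voter: my commitment is on the board under my choice."""
    return commit(choice, nonce) in board.commitments


def public_tally(board: BulletinBoard, openings):
    """Criteria 3 to 6 for everyone: each commitment opens exactly once to one
    candidate and the number of openings equals the number of admitted voters,
    so a ballot cannot be credited to a second candidate or dropped."""
    if not (len(openings) == len(board.commitments) == len(board.voted)):
        return None
    published = set(board.commitments)
    seen, tally = Counter(), Counter({c: 0 for c in CANDIDATES})
    for nonce, choice in openings:
        c = commit(choice, nonce)
        if c not in published:
            return None             # opening matches no published ballot
        seen[c] += 1
        tally[choice] += 1
    if len(seen) != len(published) or any(n != 1 for n in seen.values()):
        return None                 # a ballot counted twice or missing
    return dict(tally)


def run_demo():
    board = BulletinBoard(ELIGIBLE_VOTERS)
    alice_receipt = board.cast("alice", "red")
    board.cast("bob", "red")
    board.cast("carol", "blue")
    ghost_rejected = double_rejected = False
    try:
        board.cast("mallory", "blue")   # not on the roll
    except PermissionError:
        ghost_rejected = True
    try:
        board.cast("alice", "blue")     # second ballot from the same voter
    except PermissionError:
        double_rejected = True
    tally = public_tally(board, board.publish_openings())
    return tally, voter_check(board, alice_receipt, "red"), ghost_rejected, double_rejected


def detects_double_count() -> bool:
    """An authority that repeats an opening, drops one, or changes a choice
    fails the public audit."""
    board = BulletinBoard(ELIGIBLE_VOTERS)
    board.cast("alice", "red")
    board.cast("bob", "blue")
    openings = board.publish_openings()
    nonce, choice = openings[0]
    swapped = [(nonce, "red" if choice == "blue" else "blue")] + openings[1:]
    return all(public_tally(board, bad) is None
               for bad in (openings + [openings[0]], openings[:1], swapped))
```

What the toy does not solve is exactly the gap the comment identifies: whoever runs `cast` sees both the identity and the choice, and a voter who hands their nonce to a third party can prove how they voted, so the scheme is individually verifiable but not receipt-free.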

1&1~=Umm • March 15, 2019 1:25 AM

@gordo:

"The hoarding and herding of the big data collectors is diametrically opposed to such ventures, i.e., to individual lives, liberties and pursuits of happiness."

Yes, history shows what can happen, and has happened, when a regime knows from hidden serial numbers on voting papers.

I'm guessing there are a number of tyrants and dictators who would not care about Type I and Type II errors when getting data from big data collectors on voters' assumed political preferences.

We know there is a market for it, as until it got properly publicly known 'Cambridge Analytica', Peter Thiel and Mark Zuckerberg made quite a large amount of money from such tyrants and dictators. I'm assuming as a business model it's not going to go away, just become more covert.

Weather • March 15, 2019 1:28 AM

I think that if the system understands you, say you say you're from Texas and the post mail develops a message "use this key", you use two parts, asm; if the counting system runs it, it makes X, but the voter can run it locally with the inverse, but that can just verify it runs and would be loaded, not what the data is.
Data
Information
Executions

John Moser • March 15, 2019 8:20 AM

No good. Don't plug the damned things into the Internet; and you have to prove the security of the system to the voter.

That means you need Universal Verifiability, not verifiability by your corrupt electoral board who could publish overlapping votes (you, me, and Bruce all vote the same, so we all get the same confirmation number, and we're not supposed to share that info). These schemes about providing a way to prove your vote to yourself but not use the receipt to prove it to someone else mean nobody can go through the vote list and truly prove that their vote was recorded correctly (the document you have proves a vote like yours exists).

Their whole approach shows a lack of understanding of the problem. Voting machines need to exist for about ten hours. They don't need security; they need to be inaccessible. Remove the attack surface. Do not plug the voting machine into networks. Do not equip them with wireless hardware. Prove the state of the machine when the voting day starts, then prove the ballots when it ends, without a chance to tamper in the middle. Ballot traceability.

I've worked on standards for this because the insider threat is the threat in elections.

I've worked on standards for electronic voting both because the current standards are broken and because I've developed the flaws in plurality, majority-runoff, and instant runoff voting into exploits. It's relatively easy to manipulate the vote rules. Tideman's Alternative resists attack; yet ranked voting rules are also difficult to prove: the amount of information grows hyperlinearly, and you need a computer to produce proof that a ballot set is exactly identical to a previously-observed ballot set.

In other words: we can hack elections before we even get to the ballots.

Besides, people have a fixation with a paper audit trail that isn't even an audit trail. With VVPAT and POD, you can print ballots on demand. The authority holding the ballots in "secure" storage has full control of the audit trail and can tamper with the data—there's no message authentication and no history. We question the counts we were given (history) and re-count, thus the ballot contents override any checks and balances (thank you David Dill, Computer Scientist and not a freaking information security expert, for that effort).

HR1 even establishes universal vote-by-mail (307(a)), because black box elections are great! People defend this by talking about how secure USPS is and how they can track their ballot up to the office. Yeah, well, can you track what the office is doing with your ballot? Did they steam it open and POD a duplicate? Did they tamper with the signature verification device? Does that device even work?

Just threw out all electoral security there. Thanks for that!

This is how democracy dies: with thunderous applause.
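The comment above asks for the machine's state to be proven when polls open, the ballots to be proven when they close, and the stored record to carry message authentication and history so a duplicate cannot be printed on demand later. As an added Python example (not code from the original post, from any commenter, or from the DARPA/Galois project), this is a hash-chained, HMAC-tagged ballot log: the genesis value stands in for the attested software image at open of poll, the final chain head is what observers would witness at close, and the verifier recomputes the whole chain from genesis to that head. The key, genesis value and ballots are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed values (hypothetical): the key is provisioned to the sealed
# machine before polls open; the genesis fingerprints the software image
# whose state is attested at the start of voting day.
MACHINE_KEY = hashlib.sha256(b"constructed-demo-key").digest()
GENESIS = hashlib.sha256(b"constructed-software-image").hexdigest()


def entry_digest(prev: str, seq: int, ballot: dict) -> str:
    """Each entry commits to its predecessor, so history cannot be rewritten
    without changing every later digest and the final head."""
    payload = json.dumps({"prev": prev, "seq": seq, "ballot": ballot},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def entry_tag(key: bytes, digest: str) -> str:
    """Message authentication for one entry, which a paper trail alone lacks."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


class BallotLog:
    def __init__(self, key: bytes, genesis: str):
        self.key = key
        self.head = genesis
        self.entries = []

    def append(self, ballot: dict) -> str:
        seq = len(self.entries)
        digest = entry_digest(self.head, seq, ballot)
        self.entries.append({"seq": seq, "ballot": ballot, "digest": digest,
                             "tag": entry_tag(self.key, digest)})
        self.head = digest
        return digest


def verify_log(key: bytes, genesis: str, entries: list, published_head: str) -> bool:
    """Recompute the chain from the attested genesis; accept only if every
    digest and MAC matches and the chain ends at the head witnessed at close."""
    prev = genesis
    for i, e in enumerate(entries):
        digest = entry_digest(prev, i, e["ballot"])
        if e["seq"] != i or digest != e["digest"]:
            return False
        if not hmac.compare_digest(entry_tag(key, digest), e["tag"]):
            return False
        prev = digest
    return prev == published_head


def run_tamper_checks() -> dict:
    """The honest log verifies; a storage-side edit, a duplicate inserted after
    close, a deletion, and a full re-chain by someone holding the key all fail
    against the head that was published at close of poll."""
    log = BallotLog(MACHINE_KEY, GENESIS)
    for ballot in ({"choice": "red"}, {"choice": "blue"}, {"choice": "red"}):
        log.append(ballot)
    published_head = log.head                       # witnessed at close
    honest = [dict(e) for e in log.entries]

    modified = [dict(e) for e in honest]
    modified[1]["ballot"] = {"choice": "red"}       # edit in "secure" storage

    inserted = honest + [dict(honest[-1], seq=len(honest))]  # duplicate ballot

    deleted = honest[:-1]

    rechained = BallotLog(MACHINE_KEY, GENESIS)     # insider with the key
    for e in modified:
        rechained.append(e["ballot"])

    return {
        "honest": verify_log(MACHINE_KEY, GENESIS, honest, published_head),
        "modified": verify_log(MACHINE_KEY, GENESIS, modified, published_head),
        "inserted": verify_log(MACHINE_KEY, GENESIS, inserted, published_head),
        "deleted": verify_log(MACHINE_KEY, GENESIS, deleted, published_head),
        "rechained_with_key": verify_log(MACHINE_KEY, GENESIS,
                                         rechained.entries, published_head),
    }
```

The HMAC only defeats a party without the key; the case the comment cares about, a custodian who holds the key, is caught by the chain head published and witnessed at close of poll, which is why the verifier takes `published_head` as an input rather than trusting whatever head the storage now reports.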

Richard • March 15, 2019 8:58 AM

Sfan and Earnest - In response to Sfan's statement "FWIW, Elections Canada used a paper & marker ballot system and a human & paper based voter validation system until 2015."

Elections Canada runs federal elections only, and continues to use hand-marked paper ballots that are hand counted. See e.g. https://twitter.com/ElectionsCan_E/status/1105136418639233024

You might be confusing Elections Canada with Elections ONTARIO, which has recently switched from hand-counted ballots to vote counting computers for provincial elections. With, I might add, zero provision for risk-limiting audits.

Municipal elections in Ontario, which are governed by provincial election law, use a mix of vote counting computers (as in the City of Ottawa) and completely unregulated Internet voting. Internet voting run by third-party for-profit companies with zero public availability of source code, zero public security testing, and no legislative provisions for either.

Faustus • March 15, 2019 9:27 AM

@ PJ

I took a look on Amazon at The Fifth Risk. Michael Lewis's argument seems to be that there are smart people in government. I am not denying that. But there is little they can do if they have to work through politics.

I have to note that you didn't actually mention any great things the government is doing in your response. Things like weather reports are nice, but hardly need a government to do them. Important things that the government used to take the lead on, like space travel and alternative energy (and probably solving global warming), are now done by the private sector. The US used to be involved in advanced theoretical physics, but now we let the Europeans do it.

Basically the US government kills people and imprisons people and does vanishing little of worth any more. Politicians loot the US Treasury while making sure only a few benefit.

I used to be disturbed that we are turning into a corporate led world. But at least corporations have to be competent enough to make money or at least convince people they will in the near future. The US government can go on providing minor benefits and major expenses indefinitely.

We should strip it back to the Constitution and the Bill of Rights and start over. We can put our current leaders in Guantanamo, because it is about time they had a taste of their own medicine.

1&1~=Umm • March 15, 2019 3:41 PM

@ALL:

For those who might want to know a little more about Prof David Dill's view point,

https://engineering.stanford.edu/magazine/article/david-dill-why-online-voting-danger-democracy

But in general most people fail to understand the electoral process even at its most simple. So many people think the casting of the vote is what it is all about. Hence they invent in their minds easy models to do this on some 'new neat tech', forgetting the before and after processes, which is where fraud is most likely.

As I've noted above, the most significant threat with the actual casting of the vote is to the voter, from those seeking to influence it or use the cast vote against the voter in some tyrannical manner. Thus it is the only part of the system where secrecy is desirable. Both the before and after processes should be as transparent, verifiable and auditable as possible, none of which should in any way involve secrecy.

Thus the real problem is how to have secrecy for the actual casting of the vote and maintain it for the protection of the voter, but then have full traceability and auditability, not just for each individual voter to check, but the candidates and ultimately the judiciary...

The person who comes up with a fool-proof method for that little trick will, like the alleged builder of the better mouse trap, have many people beat a path to their door. Unfortunately it is unlikely to be to heap riches and honors on them; it's more likely to beat rather more than a path...

This is something I've not heard people talking about much, primarily because many think it's either impossible or decidedly undesirable.

Why is it undesirable? Well, in general those who cast votes are not actually taking part in a democratic process; they are in fact taking part in a beauty pageant for 'best looking chimp for the tea party'. Where all the monkeys running as contestants have been prior selected based on their fealty to 'sponsors' who in effect buy the legislation they want in return. The last thing such 'sponsors' want is for a self-funding, thus not beholden to them, rank outsider candidate they did not choose to get in on some kind of populist vote; it would be most undesirable for them. Thus they want the most insecure systems they can get all along the voting process, so they have the opportunity to put the thumb on the scale in some way.

The thing about computers, be they for deciding who can vote, how votes are recorded, how they are tallied, and the result issued, is they are not just black boxes with no transparency; all the data they hold is fully mutable and much of it totally transitory, thus they are not really auditable either. Which is really ideal for 'sponsors' looking to ensure their investment is not wasted.

Oh, and before people start talking about 'block chain' solutions, remember a block chain's only security is the multiple ledgers held by independent entities. That little unsolved secrecy-to-transparency problem that stops voters being persecuted stops those ledgers being held by independent entities.

Anna Nimity Important • March 16, 2019 4:52 AM

@John Moser

These schemes about providing a way to prove your vote to yourself but not use the receipt to prove it to someone else mean nobody can go through the vote list and truly prove that their vote was recorded correctly

The relevant threat surface is organized criminals buying or coercing votes. People seem to have cast that concern aside as mail-in votes curiously mushroomed from people who had physical inabilities to vote behind the privacy curtains, to now an entirely significant fraction of the population. WCPGW...

albert • March 16, 2019 3:56 PM

@John Moser,

Leaving aside the various non-tech methods for vote tampering, in the world of computers, convenience trumps security every time.

Salesman: "Look! It's hooked up to the Internet! You can monitor the results without violating the voters' secrecy."

Eliminating Internet connections (I would include on-site LANs as well) also eliminates having to use commercial swiss cheese OSs and COTS hardware. No USB ports. No Internet ports.

I don't have suggestions for collating the results, but you may.

My argument is simply this, any chain is only as strong as its weakest link (a banal truism). Once you add an insecure link, everything else, no matter how secure, is a waste of time and money.

. .. . .. --- ....

Jesse • March 16, 2019 6:02 PM

The biggest issue I see with a project like this is that it feels like a bunch of researchers having fun building a toy secure voting system. While there is nothing wrong with that, the research project built on top of research, non-production, "secure CPUs" is an incredibly long way away from a system ready to be used in elections.

This sort of research is great, and I hope they are successful in this, but it will take others, with some pretty deep pockets, to come along behind them and ready this for production. The other challenge with a lot of the research in voting systems is that, I think, it focuses too much on making the math work and "provable systems". These are good and important, but what people doing this research miss is that 1) vendors and operators can't get the easy stuff right today and 2) while secure systems are incredibly important, perception is super important: people need to believe these systems are secure, and all the math in the world won't convince most voters one way or the other. This second point makes some of the fancier math-focused approaches less valuable.

Given the state of election security, it seems like there are other areas in which it might be more practical to invest energy (like banning voting machines from being on the internet, and requiring paper audit records to be generated, used, and retained). That kind of work wouldn't show off the new DARPA CPUs though.

Also, it is notable that some states do, in fact, already ban voting systems from being connected in any way to the internet or other telecommunications infrastructure.

VinnyG • March 17, 2019 1:05 PM

@Billikin re: "Congress may also regulate such elections, and alter state regulations." I believe that assertion to be entirely false. My original analysis is based on a complete reading of all provisions regarding voting in the U.S. Constitution. Do you have a citation of Federal law, regulation, or court decision precedent of any kind that in any way supports your contention? If so, please provide it.

Alejandro • March 18, 2019 6:20 AM

Let the military develop voting machines. NSA can "help" with the code. LOL.

Herman • March 19, 2019 4:23 AM

So, Galois wants to field a voting system...

Thank you, thank you, I'll be here all week!

Me • March 19, 2019 8:44 AM

You say it is a good thing, and I agree.

As long as they don't declare it "secure" by fiat, regardless of what the pen-testers find.

After that, I might consider this to be secure enough for mayoral races.
