DARPA Is Building a $10 Million, Open Source, Secure Voting System (vice.com)
samleecole writes: For years security professionals and election integrity activists have been pushing voting machine vendors to build more secure and verifiable election systems, so voters and candidates can be assured election outcomes haven't been manipulated. Now they might finally get this thanks to a new $10 million contract the Defense Department's Defense Advanced Research Projects Agency (DARPA) has launched to design and build a secure voting system that it hopes will be impervious to hacking.
The first-of-its-kind system will be designed by an Oregon-based firm called Galois, a longtime government contractor with experience in designing secure and verifiable systems. The system will use fully open source voting software, instead of the closed, proprietary software currently used in the vast majority of voting machines, which no one outside of voting machine testing labs can examine. More importantly, it will be built on secure open source hardware, made from special secure designs and techniques developed over the last year as part of a special program at DARPA. The voting system will also be designed to create fully verifiable and transparent results so that voters don't have to blindly trust that the machines and election officials delivered correct results.
Having studied this issue for a very long time, I'm perpetually frustrated with the computer scientists constantly injecting overly clever desiderata that can only be implemented at the sacrifice of core requirements of voting systems.
The core requirements are:
1. Secret ballot, so no one can tell how you voted.
2. Secret ballot, so you cannot prove to anyone how you voted even if you want to. (Too often ignored.)
3. Transparency at a level where an ordinary person can reasonably see how the security works.
4. Robust against operator errors. Mistakes happen, power gets lost, protocols are not followed.
5. Resistant to cheating.
6. In the event of a failure, ballots must be recountable -- preferably at a precinct level.
What the computer scientists do is inject nice-to-have but unnecessary desiderata, like "cryptographic proof your vote was counted" and encryption. These, to date, always sacrifice one of the requirements. For example, many (not all) proof-of-vote systems will violate 2, allowing you to prove how you voted. Indeed, many touch screens allow proving how you voted using a video inside the voting booth (whereas paper ballots have to be publicly deposited and videos can be prevented). Many (not all) cryptosystems reduce the number of people who know the keys, but this comes at the price of concentration, where a few people can change all the ballots without detection, whereas distributed precinct counting makes wholesale attacks hard.
Serial numbers on ballots, to the voter, appear to offer a way to track their ballot to them. Even if you tell them the crypto prevents this, an ordinary person cannot possibly tell that. Ballots need to be indistinguishable.
Thus I worry that people doing this are trying to "improve" something with "more features" that already has a good solution, namely hand-marked paper ballots and optical scan.
When an optical scanner breaks down you can still collect the ballots. People can still vote. And you don't get long lines when you are short on equipment or the power goes down, because all you need is more pens and desks. Optical scans are easy to recount by humans at a precinct level.
Some drink at the fountain of knowledge. Others just gargle.
Do you prefer $50 to vote for who I tell you or a bullet in the knee of your daughter?
It's frankly none of your or anyone else's business who someone else votes for. You don't have to look much further than the hate mob that social media has devolved into to see why this would be a terrible idea. Never mind all of the little situations like a spouse threatening their partner if they don't vote a certain way and now being able to verify that outcome.
Vote by mail only works when things are going along quite well. We just witnessed what can happen when things do not go well in North Carolina, where the handful of mail-in ballots spoiled the entire election. Vote by mail allows voter intimidation and vote buying - makes them almost trivial, in fact. People act as if "The Machine" in Chicago never happened, as if we somehow matured away from that sort of thing. No, we implemented hard-fought voting reforms that corrected the problem - some of which vote by mail now eliminates.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
The real issue with electronic voting isn't even the hackability of the system. Or the fact that an exploit scales to an entire country. The real problem is that there's no assurance anymore. A very simple process turns into something opaque.
For you Americans who don't understand how voting is done properly in the rest of the world, it goes like this:
You put an X in the circle or box of your choice (sometimes several X in several boxes, but nothing too complicated). Then you seal that paper in an envelope or you simply fold it. Then you drop it into a box. That box is watched over by volunteers from all the major parties and basically everyone who cares to spend his time checking that the election is done properly. These same people at the end of the day open the box and count the votes.
At no point is anything not accounted for. At no point is there an attack vector. The whole thing is so simple that an idiot can understand it and that's the point - because it means that every idiot or non-idiot can check it and verify that all is well. Think the box has been tampered with? Go and check the box. Think the paper is special? Go and check the paper. Think some votes were thrown into the box at the beginning of the session? Check the box at the beginning, then seal it, and at the end count the number of paper slips against your very simple tally sheet of people who voted.
There are ways to fuck with the system, of course, there always are. But the low-tech approach also means they are low-tech and can be spotted. Tell me how you'll find the kernel-level backdoor in the voting system that knows which bits to flip in memory without leaving any traces on the disk. And the number of people capable of validating a system at such a level is low enough to be pressured or bribed.
A highly distributed low-tech system is exactly what we want for something like elections.
Assorted stuff I do sometimes: Lemuria.org
1. There is very little evidence of illegals voting.
2. How is this stealing if it's done by the states?
3. Enfranchising citizens is bad?
In the early 2000s, there was a GNU project to build a secure online voting system.
The article has nothing to do with online voting. It is talking about more secure and verifiable systems than are currently used at polling stations.
To cite one example from the article:
In a voting system, this means the hardware would prevent, for example, someone entering a voting booth and slipping a malicious memory card into the system and tricking the system into recording 20 votes for one vote cast, as researchers have shown could be done with some voting systems.