Slashdot Mirror


DARPA Is Building a $10 Million, Open Source, Secure Voting System (vice.com)

samleecole writes: For years security professionals and election integrity activists have been pushing voting machine vendors to build more secure and verifiable election systems, so voters and candidates can be assured election outcomes haven't been manipulated. Now they might finally get this thanks to a new $10 million contract the Defense Department's Defense Advanced Research Projects Agency (DARPA) has launched to design and build a secure voting system that it hopes will be impervious to hacking.

The first-of-its-kind system will be designed by an Oregon-based firm called Galois, a longtime government contractor with experience in designing secure and verifiable systems. The system will use fully open source voting software, instead of the closed, proprietary software currently used in the vast majority of voting machines, which no one outside of voting machine testing labs can examine. More importantly, it will be built on secure open source hardware, made from special secure designs and techniques developed over the last year as part of a special program at DARPA. The voting system will also be designed to create fully verifiable and transparent results so that voters don't have to blindly trust that the machines and election officials delivered correct results.

42 of 232 comments

  1. Yes...BUT, does it... by cayenne8 · · Score: 4, Interesting
    ...still keep the votes anonymous and untraceable back to the US citizen that is doing the voting?

    That is very important and I didn't see that listed in there in the top level checkoff marks.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  2. Overcome by events by Anonymous Coward · · Score: 3, Interesting

    Vote by mail is growing rapidly and in many places exceeds polling place voting. VBM increases voter turnout and solves so many problems that polling place voting probably isn't worth salvaging.

    1. Re:Overcome by events by eaglesrule · · Score: 2, Informative

      Vote by mail also leaves a paper trail in the form of the ballot. I also find it very convenient to take my time researching the candidates, time that is better spent than waiting in line at a polling station. Personally delivering the ballot to the county clerk on election day also helps ensure it doesn't get 'lost'.

    2. Re:Overcome by events by MightyYar · · Score: 5, Insightful

      Vote by mail only works when things are going along quite well. We just witnessed what can happen when things do not go well in North Carolina, where the handful of mail in ballots spoiled the entire election. Vote by mail allows voter intimidation and vote buying - makes them almost trivial, in fact. People act as if "The Machine" in Chicago never happened, as if we somehow matured away from that sort of thing. No, we implemented hard-fought voting reforms that corrected the problem - some of which vote by mail now eliminates.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    3. Re:Overcome by events by 1ucius · · Score: 2

      Vote by mail also makes vote buying trivial.

    4. Re:Overcome by events by sycodon · · Score: 2

      Voting by mail has no Chain of Custody controls. None.

      You drop the envelope in the mail and it's open season on fraud from that point on.

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
  3. Hey DARPA.... by Anonymous Coward · · Score: 2, Interesting

    This special 'secure' open hardware: Will you actually ensure there is a reference platform available, for less than say 500 usd to the average consumer, so that we can develop on, test, diagnose, and verify this hardware ourselves, or use it to ensure the security and authenticity of our own application code?

    If not, then it is just a 10 million dollar sham. The software, even if perfectly secure by itself, is not trustworthy unless the underlying hardware is trustworthy, and the underlying hardware isn't trustworthy unless everyone can buy an example of it, ideally right off the production line, and swap/not swap their example for one of the government units, helping to ensure that the entire government run hasn't been compromised itself since they knew the start/end manufacturing serials for their own batch of units.

    Obviously they would still need to verify some number of those units to make sure they weren't backdoored (although doing it at the assembly location/warehouse on one big event day would handle it nicely). Once that step is done and the traded serials can be verified in the field, we will have almost trustworthy electronic voting. Particularly if each machine cryptographically signs its voting lists when finished, and ideally provides the voter a hash to verify their vote matches what they input while retaining their anonymity until and unless they need to contest a miscast vote.

  4. Socialist Voting Machines? by Dixie_Flatline · · Score: 3, Funny

    What's next, letting EVERY citizen vote?

    1. Re:Socialist Voting Machines? by Bryansix · · Score: 3, Funny

      Apparently Grindr was actually just a beta test for an online voting system.

  5. Desiderata versus Requirements by goombah99 · · Score: 5, Insightful

    Having studied this issue for a very long time I'm perpetually frustrated with the computer scientists constantly injecting overly clever desiderata that can only be implemented at the sacrifice of core requirements of voting systems.
    The core requirements are:
    1. Secret ballot so no one can tell how you voted.
    2. Secret ballot so you cannot prove to anyone how you voted even if you want to. (too often ignored)
    3. transparency at a level where an ordinary person can reasonably see how the security works
    4. Robust against operator errors. Mistakes happen, power gets lost, protocols are not followed.
    5. Resistant to cheating.
    6. In the event of a failure, ballots must be recountable -- preferably at a precinct level

    What the computer scientists do is inject nice-to-have but unnecessary desiderata, like "cryptographic proof your vote was counted" and encryption. These, to date, always sacrifice one of the requirements. For example, many (not all) proof of vote systems will violate 2, allowing you to prove how you voted. Indeed, many touch screens allow proving how you voted using a video inside the voting booth (whereas paper ballots have to be publicly deposited and videos can be prevented). Many (not all) cryptosystems reduce the number of people who know the keys but this comes at the price of concentration where a few people can change all the ballots without detection, whereas distributed precinct counting makes wholesale attacks hard.
    Serial numbers on ballots, to the voter, appear to offer a way to track their ballot to them. Even if you tell them the crypto prevents this, an ordinary person cannot possibly tell that. Ballots need to be indistinguishable.

    Thus I worry that people doing this are trying to "improve" something with "more features" that already has a good solution, namely hand marked paper ballots and optical scan.

    When an optical scanner breaks down you can still collect the ballots. People can still vote. And you don't get long lines when you are short on equipment or the power goes down because all you need is more pens and desks. Optical scans are easy to recount by humans at a precinct level.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Desiderata versus Requirements by dryeo · · Score: 2

      3. transparency at a level where an ordinary person can reasonably see how the security works

      This is the part that'll never be implemented with electronic voting. Even the most perfect system will be basically a black box to the average person.
      I can watch the whole voting process here, including counting and anyone can understand how it works. I can't imagine how electronic voting can be understood by everyone no matter how good.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    2. Re:Desiderata versus Requirements by goombah99 · · Score: 4, Interesting

      bingo.
      When New Mexico implemented random sampled recounts they used 10 sided dice done in public for random precinct selection. When Colorado did it, they hired eminent computer scientists to design the recount and they use a computer random number generator and all the selection is automated in the computer. No one who understands computers trusts the Colorado system though admittedly it's way better than nothing. It just violates the transparency for the sake of some computer science optimality in the algorithm.

      --
      Some drink at the fountain of knowledge. Others just gargle.
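
One way a dice-driven precinct selection like the one described in the comment above can be made checkable by anyone holding the published roll sheet. This is an added example, not part of the original thread and not New Mexico's or Colorado's actual procedure; the precinct names, the rolls and the function name are constructed for illustration.

```python
"""Dice-driven precinct selection that observers can recompute by hand."""

# Constructed sample data: 12 hypothetical precincts and a sheet of d10 rolls
# (each roll is the face shown, 0-9), recorded in the order they were rolled.
SAMPLE_PRECINCTS = ["P-%02d" % i for i in range(1, 13)]
SAMPLE_ROLLS = [9, 7, 4, 1, 0, 5, 3]


def select_precincts(precincts, rolls, k):
    """Pick k distinct precincts using only the published rolls.

    Returns (chosen, log). Each log entry is (dice_used, value, precinct),
    with precinct None when the draw had to be discarded and re-rolled.
    """
    remaining = sorted(precincts)  # canonical order, published before rolling
    if len(set(remaining)) != len(remaining):
        raise ValueError("duplicate precinct name")
    if not 0 < k <= len(remaining):
        raise ValueError("k must be between 1 and the number of precincts")
    if any(r not in range(10) for r in rolls):
        raise ValueError("every roll must be a d10 face, 0-9")

    chosen, log, pos = [], [], 0
    while len(chosen) < k:
        n = len(remaining)
        digits = len(str(n - 1))          # dice needed to cover 0..n-1
        limit = (10 ** digits // n) * n   # largest multiple of n that fits
        if pos + digits > len(rolls):
            raise ValueError("roll sheet exhausted; roll more dice in public")
        dice = rolls[pos:pos + digits]
        pos += digits
        value = int("".join(str(d) for d in dice))
        if value >= limit:
            # Values from limit up to 10**digits - 1 would favour the first
            # few precincts under a plain modulo, so the draw is discarded.
            log.append((dice, value, None))
            continue
        pick = remaining.pop(value % n)   # selection without replacement
        chosen.append(pick)
        log.append((dice, value, pick))
    return chosen, log


if __name__ == "__main__":
    chosen, log = select_precincts(SAMPLE_PRECINCTS, SAMPLE_ROLLS, 3)
    for dice, value, pick in log:
        print(dice, value, pick or "discarded, roll again")
    print("audit these precincts:", chosen)
```

Every step is integer arithmetic on the sorted precinct list, so an observer with the roll sheet and a pencil can redo the selection without trusting the program.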
    3. Re:Desiderata versus Requirements by goombah99 · · Score: 2

      Nope. We tried that already in early American history and people used the proof mechanisms to corrupt votes. It's the whole reason we went to precinct based secret ballots. And for the most part we know the system works excellently without proof of vote. So there's not even a question in anyone's mind aside from yours which is a bigger problem.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    4. Re:Desiderata versus Requirements by Anonymous Coward · · Score: 3, Informative

      As for votes out counting the number of registered voters you are likely misinformed. I have spent a number of years investigating cases like that. What I find in most cases is that the reports in the news media are mistaken. To give you an example, it has been the practice of some states to assign the counting of absentee ballots to certain precincts resulting in more votes than precinct members. Another way this shows up is incorrect reporting of registered voters. There are often two lists of registered voters. There's the list of voters including those who are still eligible to vote but are pending deletion from the list because it's been many years since they voted, and the list of expected active voters which is what all the polling companies report in the news since that's what's relevant to estimating outcomes or looking for suspected foul play. Some states have same-day registration. And finally there are the new multi-precinct voting stations -- typically used in early voting -- that let people fill out and deposit the ballot in a precinct other than their own. Thus the number of voters frequently is reported as larger than the precinct's expected registered voter turnout. But it's nearly always this and it does not happen "many many times" as you think.

    5. Re:Desiderata versus Requirements by jeff4747 · · Score: 2

      People aren't allowed to loiter within the polling area, so one person couldn't check many ballots. So while they could violate #2 on a handful of ballots, they wouldn't be able to do so on a scale large enough to affect the election. At least, not without a very large army of people acting as "watchers", which would make it far more likely someone would talk.

    6. Re:Desiderata versus Requirements by walterbyrd · · Score: 2

      1. Secret ballot so no one can tell how you voted.
      2. Secret ballot so you cannot prove to anyone how you voted even if you want to. (too often ignored)

      So thousands of extra votes show up after voting closed. Are they real? How do we check?

    7. Re:Desiderata versus Requirements by goombah99 · · Score: 2

      Lots of ways, such as the contemporaneous digital record of ballots cast. The number of ballots cast in any one precinct will be less than that. The record, both official and unofficial, of the number of ballots cast. The multiple eyes on the system. The rate at which ballots can be fed into the scanner. And other less well known security features.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    8. Re:Desiderata versus Requirements by sweepkick · · Score: 2

      There's absolutely nothing stopping you from investigating this yourself, big guy. If you think this is a problem, check it out. Go do the research, ask questions, talk to Secretaries of State, get some facts. If you want to be an SJW for the Right, which clearly you do because of your sig, put your money where your mouth is and blow the lid off it. You babbling away on a tech board isn't worth anything, and certainly isn't convincing anyone.

    9. Re:Desiderata versus Requirements by No+Longer+an+AC · · Score: 2

      Seven States Still Force Prohibition-era Bans on Election Day Alcohol Sales

      I remember going to a bar after the first time I voted and was shocked to find I could NOT buy a drink to celebrate. Bars could only even open on election day if they made at least 30% of their revenue from non-alcohol sales.

      Unfortunately, corruption still exists and this happened less than a decade ago:

      Hudson Hallum further told Carter that $20 to $40 was too much to pay for one vote, but that this amount was acceptable to pay for the votes of multiple members of a household. On that same date, Hudson Hallum also told Carter, “We need to use that black limo and buy a couple of cases of some cheap vodka and whiskey to get people to vote.” Two days later, Carter and Kent Hallum spoke with an individual in Memphis, Tennessee about getting a discounted price for the purchase of 100 half pints of vodka for the campaign.

      We have mail-in ballots where I live. I like it because I can fill it out at my leisure while I carefully study the candidates and issues and then I drop it off in person. The drawback of course is that the USPS is not infallible and a rogue postal carrier could collect ballots only from those who don't vote or perhaps only vote in Presidential elections and if anyone complains about not getting a ballot? It must have gotten lost in the mail.

      I don't know if that has happened, but it's a possibility.

  6. Re:Secure voting? by Vihai · · Score: 3, Insightful

    Do you prefer $50 to vote for who I tell you or a bullet in the knee of your daughter?

  7. Re:Secure voting? by alvinrod · · Score: 3, Insightful

    It's frankly none of your or anyone else's business who someone else votes for. You don't have to look much further than the hate mob that social media has devolved into to see why this would be a terrible idea. Never mind all of the little situations like a spouse threatening their partner if they don't vote a certain way and now being able to verify that outcome.

  8. Re:Why is the department of defense by willy_me · · Score: 2, Informative

    The US wants stability (because it is more profitable) so it promotes freedom and democracy around the world. A secure voting machine sounds like exactly what is required. Without some way of maintaining a democracy after the fact, what point is there in military intervention?

    Good luck getting these machines used in the US. There is too much money pushing for existing proprietary solutions. So I think one should not assume that this system is designed solely for us. Their target will be global.

  9. Re:Why is the department of defense by chuckugly · · Score: 2

    Apparently they have an open source secure computing initiative and were casting about for a non-classified application to show off their new toys. I guess?

  10. Taking on the impossible by Albanach · · Score: 5, Interesting

    I've posted this before, but it's worth saying again.

    In the early 2000s, there was a GNU project to build a secure online voting system. They ceased work in 2002, citing the project as being at best difficult and at worst, impossible. They quoted Bruce Schneier, one of the foremost experts in computer security as saying "a secure Internet voting system is theoretically possible, but it would be the first secure networked application ever created in the history of computers... [B]uilding a secure Internet-based voting system is a very hard problem, harder than all the other computer security problems we've attempted and failed at. I believe that the risks to democracy are too great to attempt it."

    I see no evidence that Schneier has changed his mind or that any other comparably qualified expert has suggested he's wrong.

    1. Re:Taking on the impossible by nuckfuts · · Score: 3, Insightful

      In the early 2000s, there was a GNU project to build a secure online voting system.

      The article has nothing to do with online voting. It is talking about more secure and verifiable systems than are currently used at polling stations.

      To cite one example from the article:

      In a voting system, this means the hardware would prevent, for example, someone entering a voting booth and slipping a malicious memory card into the system and tricking the system into recording 20 votes for one vote cast, as researchers have shown could be done with some voting systems.

    2. Re:Taking on the impossible by Attila+Dimedici · · Score: 2

      "Hey Bob....what's that angle grinder for?" "Oh, just like carrying it around" *Poll worker ignores incredibly loud racket as the hardened case is cut open*

      Why would they cut it open? They could just wait until the polling station is closed, hack into the software running the voting machine, and alter the votes recorded. Or are you not aware that the most likely people to want to modify the outcome of the vote are those running the vote counting process?

      --
      The truth is that all men having power ought to be mistrusted. James Madison
  11. real problems by Tom · · Score: 5, Insightful

    The real issue with electronic voting isn't even the hackability of the system. Or the fact that an exploit scales to an entire country. The real problem is that there's no assurance anymore. A very simple process turns into something opaque.

    For you Americans who don't understand how voting is done properly in the rest of the world, it goes like this:

    You put an X in the circle or box of your choice (sometimes several X in several boxes, but nothing too complicated). Then you seal that paper in an envelope or you simply fold it. Then you drop it into a box. That box is watched over by volunteers from all the major parties and basically everyone who cares to spend his time checking that the election is done properly. These same people at the end of the day open the box and count the votes.

    At no point is anything not accounted for. At no point is there an attack vector. The whole thing is so simple that an idiot can understand it and that's the point - because it means that every idiot or non-idiot can check it and verify that all is well. Think the box has been tampered with? Go and check the box. Think the paper is special? Go and check the paper. Think some votes were thrown into the box at the beginning of the session? Check the box at the beginning, then seal it, and at the end count the number of paper slips against your very simple tally sheet of people who voted.

    There are ways to fuck with the system, of course, there always are. But the low-tech approach also means they are low-tech and can be spotted. Tell me how you'll find the kernel-level backdoor in the voting system that knows which bits to flip in-memory without leaving any traces on the disk. And the number of people capable of validating a system at such a level is low enough to be pressured or bribed.

    A highly distributed low-tech system is exactly what we want for something like elections.

    --
    Assorted stuff I do sometimes: Lemuria.org
  12. Re:Illegals voting by oldmacdonald · · Score: 3, Insightful

    1. There is very little evidence of illegals voting.
    2. How is this stealing if it's done by the states?
    3. Enfranchising citizens is bad?

  13. Re:Voter ID not relevant by Anonymous Coward · · Score: 5, Funny

    Oh, it's much, much worse. You really need to look at the big picture. It is a known fact that their chemtrails trigger enzymes they injected into your bloodstream when they vaccinated you, that turn you into a mindless drone who will vote for any candidate the deep state Ivy-league Fake News Illuminati tells you to. Our only hope is that the courageous Russian freedom fighters will oversee our elections from outside the left wing mind control zone and ensure that saviors like Trump get elected. They are trying to stop this with their "secure voting" nonsense, but it's a desperate last-ditch attempt that will surely fail.

    Or maybe they're just trying to make voting systems more resistant to tampering. But only the crazies believe that.

  14. Re:Illegals voting by oldmacdonald · · Score: 2

    States also joined with the arrangement at the time that they could keep slavery. Things change.

    Even so, it was always possible for the populous states to have a popular-vote covenant. So the small states should have known that when they ratified the constitution.

  15. Re:Blockchain by CrimsonAvenger · · Score: 2

    Whatever happened to paper ballots, anyway?

    What, you actually believe that paper ballots are secure? Apparently you've never lived in a place where, now and then, a box full of ballots is replaced with another box full of ballots. With different votes....

    --

    "I do not agree with what you say, but I will defend to the death your right to say it"
  16. What, no "blockchain"? by drnb · · Score: 3, Funny

    You didn't mention "blockchain", no funding for you. ;-)

  17. This ain't rocket science by superdave80 · · Score: 2

    1. First machine is a touch screen. Voters make selections on screen.

    2. Once done a paper ballot with their selections is spit out, and they can visually check the ballot

    3. Second machine is an optical reader from a different vendor, and must use a different OS from the 1st machine. Paper ballot is inserted and read.

    4. Results from both machines are fed to a computer to be compared. If they match, vote goes through. If they do not match, vote is scrubbed and voter asked to try again.

    You have verification from two independent systems AND a paper ballot at the end.

    You are welcome.

    1. Re:This ain't rocket science by iggymanz · · Score: 2

      so we compromise #4 and your idea becomes just as useless as an insecure voting machine

      thanks for playing

  18. Disproportionately wide ramifications by drnb · · Score: 2

    Holy shit, SCORES? Literally DOZENS? Obviously this is a clear and present danger to our democracy! Yikes!

    Yeah, because a handful of votes at the "correct" time and place can't have disproportionately wide ramifications ... oh wait

    Now replace parent with employer, phone pics of paper ballot or paper verification for a "bonus".

    Or replace employer with a political operative paying out cash.

    It's not like these weren't problems in America's past ... oh wait.

  19. Re:Secure voting? by jeff4747 · · Score: 2

    Statistical noise.

    We literally just had to throw out an election in North Carolina over vote-buying (via paid workers tampering with absentee ballots)

    In addition, there's no reason why a law (which frankly probably already exists) couldn't prohibit vote coercion

    We know about the problem in North Carolina because people are getting charged with a crime. Didn't stop them from doing it in the first place.

    Also, there's really good evidence that this is the second election where this particular consultant did this.

    How many people vote completely randomly?

    Exceptionally few. There's no incentive to show up when you're just going to vote randomly. So you don't go out of your way to go to a polling place.

  20. Re:Secure voting? by MightyYar · · Score: 2

    Tell your abusive husband about your "law" prohibiting coercion. Tell the "volunteers" that go to the retirement home that it's illegal.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  21. Re:Elections can STILL be rigged by Actually,+I+do+RTFA · · Score: 2

    I mean, I would go for the actually legally determined example from 2018, not the rumor from 1960, personally. You know, the one in North Carolina that was so bad they are re-running the election.

    --
    Your ad here. Ask me how!
  22. Re:Why is the department of defense by Actually,+I+do+RTFA · · Score: 3, Informative

    The Department of Defense does a lot of things that are designed to promote democracy, under the theory that democratic countries just don't declare war on one another (or at least, are far less likely.) Notably, they were (are?) heavily involved in TOR.

    Also, current voting machines are a clear threat to the US, and their job is to deal with those threats.

    --
    Your ad here. Ask me how!
  23. Re:Voter ID not relevant by walterbyrd · · Score: 2

    Source?

    Evidence?

    After two years of this unbelievably extensive investigation, do you have a shred of evidence to back up your absurd conspiracy theory?

  24. It's called paper by AHuxley · · Score: 2

    and witnesses to watch over the local count.
    Candidates suggest some of their own trusted witnesses, gov has a few witnesses, civil society has some witnesses.
    Then count the nation's votes in front of many witnesses.
    Everything adds up as each vote is seen and counted in front of many people.
    No code, computers to vote with are needed.
    Computer systems are liked by failed nations' governments that want to subtly flip votes.
    Use paper to vote and photo ID every citizen.
    Enjoy some democracy without computers and illegal immigrants voting.

    --
    Domestic spying is now "Benign Information Gathering"
  25. Re: Voter ID not relevant by TimMD909 · · Score: 4, Funny

    You're overreacting. There's a vaccine for chemtrails.