DARPA Is Developing an Open-Source Voting System

This sounds like a good development:

…a new $10 million contract the Defense Department’s Defense Advanced Research Projects Agency (DARPA) has launched to design and build a secure voting system that it hopes will be impervious to hacking.

The first-of-its-kind system will be designed by an Oregon-based firm called Galois, a longtime government contractor with experience in designing secure and verifiable systems. The system will use fully open source voting software, instead of the closed, proprietary software currently used in the vast majority of voting machines, which no one outside of voting machine testing labs can examine. More importantly, it will be built on secure open source hardware, made from special secure designs and techniques developed over the last year as part of a special program at DARPA. The voting system will also be designed to create fully verifiable and transparent results so that voters don’t have to blindly trust that the machines and election officials delivered correct results.

But DARPA and Galois won’t be asking people to blindly trust that their voting systems are secure—as voting machine vendors currently do. Instead they’ll be publishing source code for the software online and bringing prototypes of the systems to the Def Con Voting Village this summer and next, so that hackers and researchers will be able to freely examine the systems themselves and conduct penetration tests to gauge their security. They’ll also be working with a number of university teams over the next year to have them examine the systems in formal test environments.

Posted on March 14, 2019 at 1:20 PM • 41 Comments

Comments

David Rudling March 14, 2019 1:31 PM

I like the sound of the hardware for this system. Now if someone can write a secure general operating system to run on it this could be “the next big thing” in computing.

C March 14, 2019 2:02 PM

Thanks for highlighting this. It’s great that DARPA is using military funding for research with important civilian applications, rather than focusing strictly on purely-military applications.

albert March 14, 2019 2:03 PM

@David,
“…I like the sound of the hardware for this system….”
Indeed.

“…Now if someone can write a secure general operating system to run on it this could be “the next big thing” in computing….”

You’re not a man of small “ifs” are you?

As the article points out, the new system is a proof of concept system.

“…The systems Galois designs won’t be available for sale. But the prototypes it creates will be available for existing voting machine vendors or others to freely adopt and customize…”

Aye, there’s the rub.
. .. . .. — ….

VinnyG March 14, 2019 2:04 PM

“Open source” is the only attribute that gives me any confidence at all in the integrity of this project. Hopefully, that doesn’t turn out to be “open source, with exceptions” or “open source, written so only a half-dozen people in the world are capable of reading and understanding it.” However, even if this project should produce a voting system that exhibits demonstrably perfect integrity and auditability, there would remain a significant hurdle to overcome. In the US, popular voting, and administration of same, is the exclusive province of the individual states, not the federal government. If the federal government wanted the system that results from this project to be utilized for casting and counting the popular vote, it would have two options: persuasion; or a change of law. The former would require that the federal government cultivate a level of trust from the states that (at least in many cases) it does not presently enjoy; the latter would appear to require a Constitutional Amendment.

albert March 14, 2019 2:10 PM

@Mace,

Are these standalone systems, or do they run on standard operating systems and/or hardware?

. .. . .. — ….

Mace Moneta March 14, 2019 2:26 PM

@albert These are OS agnostic, supporting major platforms. If you want to add creating a national scale OS backend, you’ll need to add at least a decade to development. Linux is 28 years old, and counting.

David Rudling March 14, 2019 3:04 PM

@Albert
The tongue was in cheek. You and I both agree that whether the next big thing in computing is, as Hamlet would say “To be or not to be” his own answer and ours is “Aye, there’s the rub” – so not to be.

1&1~=Umm March 14, 2019 3:22 PM

@David Rudling:

“Now if someone can write a secure general operating system to run on it this could be “the next big thing” in computing.”

Not likely to happen. Of the ‘pick three’ of ‘usable’, ‘general purpose’, ‘fast’ and ‘secure’, guess which one is going to be the odd one out, first time to last time?

However that’s not the real problem, which is, in the reality of a commercial market –which is what it will become on the camel principle– you will get an approximation to one only, and marketing makes the choice, not the market.

Oh and as for the rest of the options, well they don’t even get the ‘putting lipstick on a sleeping Rottweiler’ level of attention in a commercial environment.

If you think about it President Trump’s 300lb keyboard thumpers in their parents back bedrooms are currently our best hope for privacy in computing…

If you are not sure why, have a look at the two number one open source browsers. Go through their hidden from ordinary users options and settings. Could they be set up any further to favour the data collectors? Probably not. Tim B-L can go on about his vision but the reality is with HTML5 the W3C sided with the big data collectors. They did this knowing full well which side their bread is buttered, as for Tim B-L they treat him like that awkward uncle that comes to Xmas lunch, they nod politely and look at the clock to see how long before his ride home is due. Having first made sure his coat is the one on top, thus quickest to get at.

Faustus March 14, 2019 4:50 PM

This is the first good idea government has had in years.

Additionally, I really think that people should be able to check that their vote was registered correctly. I wonder if there is a tricky zero knowledge proof construction that would enable someone to prove to themselves that their vote is registered correctly while still being unable to prove to others how they voted (to avoid enabling vote selling).

Why should anybody believe their vote is registered correctly if they can’t verify it? Nobody can audit that the whole system is in fact the open source they are given. However open source does enable crowd sourced security audits so it remains a good thing.

Sfan March 14, 2019 4:51 PM

FWIW, Elections Canada used a paper & marker ballot system and a human & paper based voter validation system until 2015. Poll results were manually counted and verified by EC officials and party scrutiners. It was rare that any single riding took longer than an hour to declare a winner. Of course everything was auditable. And kinda hard to hack.

The last election saw our first use of voting machines. The results were unnoticeably faster. As far as I can tell, the reason was not much more than “all the cool countries are doing it”.

Another Mouse March 14, 2019 5:28 PM

If Swiss Post can’t solve secure online voting, then how does DARPA think it will be able to do the trick?!

LMAO

gordo March 14, 2019 5:36 PM

@The handle formerly known as, err, I mean;
@1&1~=Umm,

Yes, the last thing that the big data collectors want from T-BL or anyone else is for everyone to be their own data aggregator/broker. Oh, and as it regards voting systems, they’re simply methods of choosing, in many ways no different from making a purchase, hailing a cab, participating in a data commons, etc. The hoarding and herding of the big data collectors is diametrically opposed to such ventures, i.e., to individual lives, liberties and pursuits of happiness.

PJ March 14, 2019 7:00 PM

First good idea the government has had in years?

I recommend Michael Lewis’s book The Fifth Risk to disabuse yourself of this kind of thinking. There are many smart and dedicated people working for the US govt and their contributions are enormous, and they have good ideas all the time.

SamIam March 14, 2019 7:48 PM

This open source approach doesn’t work when your opponents are heavily funded nation states like Russia and China. They can find zero day flaws in open source systems. Then you don’t find out about the flaw till the election, if then.

Earnest March 14, 2019 8:19 PM

Sfan, Elections Canada might have introduced those machines to reduce the amount of labour required. Apparently the City of Ottawa, at least, has had some trouble getting people to run the municipal polls; before the last election, they were recruiting at city events and offering money.

(BTW, the Elections Canada building on Coventry Road had a very good tour during Doors Open last June. If they offer it again, readers in the area should check it out. They still have all the ballots from the last election, and they discussed election security—ballot paper, sealed bags, etc., but I don’t recall much discussion of voting computers.)

Billikin March 14, 2019 9:37 PM

As far as US Federal elections are concerned, although states in the US regulate their own elections, Congress may also regulate such elections, and alter state regulations. It could therefore require states that use electronic voting machines to meet certain standards, or to use open source software or hardware.

1&1~=Umm March 15, 2019 1:06 AM

@Faustus:

“I wonder if there is a tricky zero knowledge proof construction that would enable someone to prove to themselves that their vote is registered correctly while still being unable to prove to others how they voted (to avoid enabling vote selling).”

The weasel words there are, ‘registered correctly’.

The criteria are, after the voter

1. The vote was cast.
2. The voter is allowed to vote.
3. The vote was tallied.
4. The vote was assigned correctly.
5. The vote was only counted once.
6. The same is true for all votes.

Whilst you can do 1 above all that shows is that in some log somewhere is the fact you entered your credentials to make your vote.

From step 2 onwards you have the issue of traceability to the actual user and vote made.

We have no proof that ‘One Way Functions’ are truly ‘one way’; further, like passwords they are completely susceptible to ‘dictionary attacks’ via the likes of Rainbow Tables. So the question arises of how do you in effect get a unique primary key for the user’s vote(s) that is fully traceable to the voter but is not traceable to anyone else?

With passwords a simple salt can be used but it is directly traceable to the user identifier –account name– for it to work.

The system needs the user identifier for step 2 to remove ‘ghost votes’ from being used to attack the system. For the same reason it’s needed for steps 5 and 6.

People forget with paper votes the ballot papers can be easily made traceable to a user identifier and this has been done in the past, by regimes looking to verify loyalty or dissent in the citizens. It’s not just ‘vote buying’ type influence you have to worry about.

You need traceability of some form not just to prove to the individual voter their vote went into the system but that it only went to the correct candidate. An easy attack would be various forms of double counting. Your vote could be added to your choice but also to one or more other candidates you did not choose, thus in effect nullifying it in the final totals.

It’s a difficult problem because you also need traceability on all other cast votes as well, not just to stop count attacks but to show they can not have happened to other voters and election officials etc.

1&1~=Umm March 15, 2019 1:25 AM

@gordo:

“The hoarding and herding of the big data collectors is diametrically opposed to such ventures, i.e., to individual lives, liberties and pursuits of happiness.”

Yes history shows what can happen when a regime knows from hidden serial numbers on voting papers what can and has happened.

I’m guessing there are a number of tyrants and dictators who would not care about Type I and Type II errors when getting data from big data collectors on voters’ assumed political preferences.

We know there is a market for it as, until it got properly publicly known, ‘Cambridge Analytica’, Peter Thiel and Mark Zuckerberg made quite a large amount of money from such tyrants and dictators. I’m assuming as a business model it’s not going to go away, just become more covert.

Weather March 15, 2019 1:28 AM

I think that if the system understand you, say you say your from Texas and the post mail develop a message use this key, you use two parts, asm if the counting system runs it ,it makes X, but the voter can run it locally with inverse, but that can just verifier it runs and would be loaded, not what the data is.
Data
Information
Executions

John Moser March 15, 2019 8:20 AM

No good. Don’t plug the damned things into the Internet; and you have to prove the security of the system to the voter.

That means you need Universal Verifiability, not verifiability by your corrupt electoral board who could publish overlapping votes (you, me, and Bruce all vote the same, so we all get the same confirmation number, and we’re not supposed to share that info). These schemes about providing a way to prove your vote to yourself but not use the receipt to prove it to someone else mean nobody can go through the vote list and truly prove that their vote was recorded correctly (the document you have proves a vote like yours exists).

Their whole approach shows a lack of understanding of the problem. Voting machines need to exist for about ten hours. They don’t need security; they need to be inaccessible. Remove the attack surface. Do not plug the voting machine into networks. Do not equip them with wireless hardware. Prove the state of the machine when the voting day starts, then prove the ballots when it ends, without a chance to tamper in the middle. Ballot traceability.

I’ve worked on standards for this because the insider threat is the threat in elections.

I’ve worked on standards for electronic voting both because the current standards are broken and because I’ve developed the flaws in plurality, majority-runoff, and instant runoff voting into exploits. It’s relatively easy to manipulate the vote rules. Tideman’s Alternative resists attack; yet ranked voting rules are also difficult to prove: the amount of information grows hyperlinearly, and you need a computer to produce proof that a ballot set is exactly identical to a previously-observed ballot set.

In other words: we can hack elections before we even get to the ballots.

Besides, people have a fixation with a paper audit trail that isn’t even an audit trail. With VVPAT and POD, you can print ballots on demand. The authority holding the ballots in “secure” storage has full control of the audit trail and can tamper with the data—there’s no message authentication and no history. We question the counts we were given (history) and re-count, thus the ballot contents override any checks and balances (thank you David Dill, Computer Scientist and not a freaking information security expert, for that effort).

HR1 even establishes universal vote-by-mail (307(a)), because black box elections are great! People defend this by talking about how secure USPS is and how they can track their ballot up to the office. Yeah, well, can you track what the office is doing with your ballot? Did they steam it open and POD a duplicate? Did they tamper with the signature verification device? Does that device even work?

Just threw out all electoral security there. Thanks for that!

This is how democracy dies: with thunderous applause.

Richard March 15, 2019 8:58 AM

Sfan and Earnest – In response to Sfan’s statement “FWIW, Elections Canada used a paper & marker ballot system and a human & paper based voter validation system until 2015.”

Elections Canada runs federal elections only, and continues to use hand-marked paper ballots that are hand counted. See e.g. https://twitter.com/ElectionsCan_E/status/1105136418639233024

You might be confusing Elections Canada with Elections ONTARIO, which has recently switched from hand-counted ballots to vote counting computers for provincial elections. With, I might add, zero provision for risk-limiting audits.

Municipal elections in Ontario, which are governed by provincial election law, use a mix of vote counting computers (as in the City of Ottawa) and completely unregulated Internet voting. Internet voting run by third-party for-profit companies with zero public availability of source code, zero public security testing, and no legislative provisions for either.

Faustus March 15, 2019 9:27 AM

@ PJ

I took a look on Amazon at The Fifth Risk. Michael Lewis’s argument seems to be that there are smart people in government. I am not denying that. But there is little they can do if they have to work through politics.

I have to note that you didn’t actually mention any great things the government is doing in your response. Things like weather reports are nice, but hardly need a government to do them. Important things that the government used to take the lead on like space travel and alternative energy (and probably solving global warming) are now done by the private sector. The US used to be involved in advanced theoretical physics, but now we let the Europeans do it.

Basically the US government kills people and imprisons people and does vanishing little of worth any more. Politicians loot the US Treasury while making sure only a few benefit.

I used to be disturbed that we are turning into a corporate led world. But at least corporations have to be competent enough to make money or at least convince people they will in the near future. The US government can go on providing minor benefits and major expenses indefinitely.

We should strip it back to the Constitution and the Bill of Rights and start over. We can put our current leaders in Guantanamo, because it is about time they had a taste of their own medicine.

1&1~=Umm March 15, 2019 3:41 PM

@ALL:

For those who might want to know a little more about Prof David Dill’s view point,

https://engineering.stanford.edu/magazine/article/david-dill-why-online-voting-danger-democracy

But in general most people fail to understand the electoral process even at its most simple. So many people think the casting of the vote is what it is all about. Hence they invent in their minds easy models to do this on some ‘new neat tech’, forgetting the before and after processes, which is where fraud is most likely.

As I’ve noted above the most significant threat with the actual casting of the vote is to the voter from those seeking to influence it or use the cast vote against the voter in some tyrannical manner. Thus it is the only part of the system where secrecy is desirable. Both the before and after processes should be as transparent, verifiable and auditable as possible, none of which should in any way involve secrecy.

Thus the real problem is how to have secrecy for the actual casting of the vote and maintain it for the protection of the voter, but then have full traceability and auditability not just for each individual voter to check, but the candidates and ultimately the judiciary…

The person who comes up with a foolproof method for that little trick will, like the alleged builder of the better mouse trap, have many people beat a path to their door. Unfortunately it is unlikely to be to heap riches and honors on them, it’s more likely to beat rather more than a path…

This is something I’ve not heard people talking about much, primarily because many think it’s either impossible or decidedly undesirable.

Why is it undesirable? Well, in general those who cast votes are not actually taking part in a democratic process, they are in fact taking part in a beauty pageant for ‘best looking chimp for the tea party’. Where all the monkeys running as contestants have been prior selected based on their fealty to ‘sponsors’ who in effect buy the legislation they want in return. The last thing such ‘sponsors’ want is for a self funding, thus not beholden to them, rank outsider candidate they did not choose to get in on some kind of populist vote; it would be most undesirable for them. Thus they want the most insecure systems they can get all along the voting process so they have the opportunity to put the thumb on the scale in some way.

The thing about computers, be they for deciding who can vote, how votes are recorded, how they are tallied, and the result issued, is they are not just black boxes with no transparency; all the data they hold is fully mutable and much of it totally transitory, thus they are not really auditable either. Which is really ideal for ‘sponsors’ looking to ensure their investment is not wasted.

Oh and before people start talking about ‘block chain’ solutions, remember a block chain’s only security is the multiple ledgers held by independent entities. That little unsolved secrecy to transparency problem that stops voters being persecuted stops those ledgers being held by independent entities.

Anna Nimity Important March 16, 2019 4:52 AM

@John Moser

These schemes about providing a way to prove your vote to yourself but not use the receipt to prove it to someone else mean nobody can go through the vote list and truly prove that their vote was recorded correctly

The relevant threat surface is organized criminals buying or coercing votes. People seem to have cast that concern aside as mail-in votes curiously mushroomed from people who had physical inabilities to vote behind the privacy curtains, to now an entirely significant fraction of the population. WCPGW…

albert March 16, 2019 3:56 PM

@John Moser,

Leaving aside the various non-tech methods for vote tampering, in the world of computers, convenience trumps security every time.

Salesman: “Look! It’s hooked up to the Internet! You can monitor the results without violating the voters secrecy.”

Eliminating Internet connections (I would include on-site LANs as well) also eliminates having to use commercial swiss cheese OSs and COTS hardware. No USB ports. No Internet ports.

I don’t have suggestions for collating the results, but you may.

My argument is simply this, any chain is only as strong as its weakest link (a banal truism). Once you add an insecure link, everything else, no matter how secure, is a waste of time and money.

. .. . .. — ….

Jesse March 16, 2019 6:02 PM

The biggest issue I see with a project like this is that it feels like a bunch of researchers having fun building a toy secure voting system. While there is nothing wrong with that, the research project built on top of research, non-production, “secure CPUs” is an incredibly long way away from a system ready to be used in elections.

This sort of research is great, and I hope they are successful in this, but it will take others, with some pretty deep pockets to come along behind them and ready this for production. The other challenge with a lot of the research in voting systems is that, I think it focuses too much on making the math work and “provable systems”. These are good and important but what people doing this research miss is that 1) vendors and operators can’t get the easy stuff right today and 2) while secure systems are incredibly important, perception is super important – people need to believe these systems are secure, and all the math in the world won’t convince most voters one way or the other. This second point makes some of the fancier math focused approaches less valuable.

Given the state of election security, it seems like there are other areas that might be more practical to invest energy in (like banning voting machines from being on the internet, and requiring paper audit records to be generated, used, and retained). That kind of work wouldn’t show off the new DARPA CPUs though.

Also, it is notable that some states do, in fact, already ban voting systems from being connected in any way to the internet or other telecommunications infrastructure.

VinnyG March 17, 2019 1:05 PM

@Billikin re: “Congress may also regulate such elections, and alter state regulations.” I believe that assertion to be entirely false. My original analysis is based on a complete reading of all provisions regarding voting in the U.S. Constitution. Do you have a citation of Federal law, regulation, or court decision precedent of any kind that in any way supports your contention? If so, please provide it.

Herman March 19, 2019 4:23 AM

So, Galois wants to field a voting system…

Thank you, thank you, I’ll be here all week!

Me March 19, 2019 8:44 AM

You say it is a good thing, and I agree.

As long as they don’t declare it “secure” by fiat, regardless of what the pen-testers find.

After that, I might consider this to be secure enough for mayoral races.

CJtheRed May 18, 2019 7:46 AM

New developments in secure voting systems really bring certain types out of the woodwork:

“But the internetz!” <—I don’t think Galois/DARPA is working on networked voting systems, but thanks for coming out!

“Don’t even think about blockchain, you foolz!” <—Nonsense, there is something to be said about trying to advance the notion of trustless systems.

Also yes, there are a few independent projects at the municipal and state levels, some of which can tout being “open source” (STAR-Vote project, looking at you). Can we stop talking about those now? Because the real problem is that because of the structure of HAVA and the EAC and our own Federal system which views askance any national-level election authority, there has been no funnel for R&D at the Federal level except the dispersal of funds to the States. The States which have little interest or capacity to steward these kinds of programs themselves for any meaningful duration.

So there has been no critical mass (until now?) of funding for serious research on secure voting systems. This is good news! Assurity of success isn’t necessary, the point is that this is a real effort at next-generation secure voting systems that advances secure computing and uses an open-source approach, which is great news.

Clive Robinson May 18, 2019 10:01 AM

@ CJtheRed,

New developments in secure voting systems really bring certain types out of the woodwork

Not as much as the cause of the renewed interest in “secure voting”, what future historians might well call “Red Scare 3”…

As for,

“But the internetz!” “Don’t even think about blockchain, you foolz!”

Well from a security aspect there is a degree of truth in them.

The blockchain should be a “Public Ledger” not a private one. Multiple copies of the ledger held in public is all its overall security proof is based on…

It is undesirable that voting results are made public whilst the polls are still open as it opens up quite a few security issues. Thus Blockchain is actually incompatible with the aim of voting…

But let’s be honest, the Internet is in no way a secure environment. Also the history of practically implemented software and its inherent security is not exactly something to write home about…

But quite a few have pointed out over the decades that security can not be imposed from the top down, only bottom up. It’s one of the dirty little secrets of “Formal methods” that it can not protect from errors or attacks below the reach of its tool chain.

Unfortunately that reach might not even be as far as the compiler, but it gets worse, a lot worse the further you go down the computing stack…

The likes of RowHammer proved that you could even reach around what security formal methods pretended to offer, by manipulating the memory level in the computing stack, which is several layers down from the ISA layer, which is about the limit of the reach of formal methods.

But although entirely predictable with a little thought, what we call Meltdown and Spectre have been providing major security vulnerabilities below the CPU level in the stack since the early Pentium days. If they have been exploited during that time we have no real way of knowing.

Likewise Intel’s MMU has been shown to be a Turing machine in its own right. Thus it can act as a virtual CPU below the actual CPU level. But going back into the early 1980’s I amongst other hardware designers were working out how to limit security issues not just of MMUs but DMA and IO drivers. As quite a few will remember Apple had a bad time with its various high speed serial interfaces (FireWire etc) due to I/O DMA getting in at the memory beneath the OS controlled MMU layer. But Apple were far from the only ones.

Thus there is no way that the voting machine software can be secure if what is below the ISA level in the computing stack is not secure…

And that’s the rub it’s a “Turtles all the way down” or “lesser flea” issue.

Once you accept you can not have a conventional computer system that is secure all the way down, you can actually move forward by working out ways of mitigating any lower layer security failings. That is you come up with methods to detect when hardware is in effect defecting and thus take action.

So far, as far as I can tell, nobody is talking about doing this sort of mitigation… so the whole exercise in “secure voting system design” is not just a faux one, it’s also rather pointless, unless your plan is to get rich on taxpayers’ money…

Eric Texley September 3, 2019 8:03 PM

What are the requirements for the said system? It’s open source, so an open community can scrutinize the source code. But… Can I go back into the database and verify the way I voted? Can I DOWNLOAD the database….and count the votes myself? findPresidentElect.pl?

Frankly, I think it should be run as a GoFundMe open source project, with COMPLETE transparency. Why are they hiring a private company?

PATRICK J MCGINNESS December 31, 2020 3:57 PM

Round trip voting use case:

Voter votes by whatever means and at the end is given voting result along with a QR type of code at the end to keep.

Voter is notified that vote has been tabulated. However vote is not yet officially counted.

Voter checks that vote has been tabulated correctly by scanning QR code and checking official result pointed to by the web page link given by the QR code.

Vote is counted as valid only if voter verifies that the QR code link matches original voting result given to voter at time of vote.

Note – if done in person this can all be done in one trip.
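As an added illustration (not code from the post, from Galois or from DARPA), here is a toy model of the round-trip check above combined with 1&1~=Umm’s salt-versus-dictionary point from earlier in the thread: a tag built as H(voter_id || choice) can be reversed by trying each candidate, whereas a commitment keyed by a nonce that lives only on the voter’s receipt cannot, and a ballot is counted only once the voter has confirmed the recorded choice. The candidate names, token values and the assumption that the QR code carries just a nonce and a tag are constructed for this example.

```python
# Toy model of a receipt-verified ballot board (constructed example, not a
# real voting system). Shows why a public "salt" tag is reversible and how a
# voter-held nonce plus a confirmation step addresses the round-trip use case.
import hashlib
import hmac
import secrets
from collections import Counter

CANDIDATES = ("Alice", "Bob", "Carol")   # constructed sample race


def naive_tag(voter_id: str, choice: str) -> str:
    """The 'simple salt' approach: tag = H(voter_id || choice).
    The salt is the voter identifier, so anyone holding the board can
    recompute the tag for every candidate and read the choice back."""
    return hashlib.sha256(f"{voter_id}|{choice}".encode()).hexdigest()


def dictionary_recover(voter_id: str, tag: str):
    """Try each candidate against a published tag. Returns the choice if the
    tag was built with naive_tag, otherwise None. This is the dictionary
    attack the thread warns about, reduced to a three-entry dictionary."""
    for choice in CANDIDATES:
        if hmac.compare_digest(naive_tag(voter_id, choice), tag):
            return choice
    return None


def commit(nonce: str, voter_token: str, choice: str) -> str:
    """Commitment tag: H(nonce || token || choice). The 128-bit nonce exists
    only on the voter's receipt, so the candidate dictionary is useless to
    anyone who has the board but not the receipt."""
    return hashlib.sha256(f"{nonce}|{voter_token}|{choice}".encode()).hexdigest()


class BallotBoard:
    """Round-trip voting: a ballot is tabulated provisionally and is counted
    only after the voter has checked the recorded choice against the receipt."""

    def __init__(self):
        self.used_tokens = set()   # one cast per eligibility token
        self.provisional = {}      # tag -> recorded choice (tabulated)
        self.confirmed = set()     # tags the voter has verified (counted)

    def cast(self, voter_token: str, choice: str):
        if choice not in CANDIDATES:
            raise ValueError("unknown candidate")
        if voter_token in self.used_tokens:
            raise ValueError("token already used")   # blocks a second ballot
        nonce = secrets.token_hex(16)
        tag = commit(nonce, voter_token, choice)
        self.used_tokens.add(voter_token)
        self.provisional[tag] = choice
        # The receipt is what the QR code would carry: nonce and tag only.
        return nonce, tag

    def lookup(self, tag: str):
        """What the receipt's link shows: the choice recorded under that tag."""
        return self.provisional.get(tag)

    def verify_and_confirm(self, receipt, voter_token: str, my_choice: str) -> bool:
        nonce, tag = receipt
        recorded = self.lookup(tag)
        if recorded is None:
            return False                      # ballot was never tabulated
        if not hmac.compare_digest(commit(nonce, voter_token, my_choice), tag):
            return False                      # receipt does not match this tag
        if recorded != my_choice:
            return False                      # tabulated under the wrong candidate
        self.confirmed.add(tag)               # now, and only now, it counts
        return True

    def tally(self) -> Counter:
        """Each confirmed tag is counted exactly once, under one candidate."""
        return Counter(self.provisional[tag] for tag in self.confirmed)


def run_example():
    board = BallotBoard()
    r1 = board.cast("token-1", "Alice")
    r2 = board.cast("token-2", "Bob")
    board.cast("token-3", "Alice")            # never verified: not counted
    ok1 = board.verify_and_confirm(r1, "token-1", "Alice")
    ok2 = board.verify_and_confirm(r2, "token-2", "Bob")
    wrong = board.verify_and_confirm(r2, "token-2", "Carol")   # mismatch
    try:
        board.cast("token-1", "Bob")          # second ballot on a used token
        dup_rejected = False
    except ValueError:
        dup_rejected = True
    return ok1, ok2, wrong, dup_rejected, board.tally()
```

Note that the receipt together with `lookup` still lets whoever holds it learn the recorded choice, which is the vote-buying and coercion concern Faustus and Anna Nimity raise upthread; the model addresses the "tabulated and counted once under the right candidate" checks, not receipt-freeness.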
