
DARPA Is Building a $10M, Open-Source, Secure Voting System - shpat
https://motherboard.vice.com/en_us/article/yw84q7/darpa-is-building-a-dollar10-million-open-source-secure-voting-system
======
nathan_long
> Kiniy said Galois will design two basic voting machine types. The first will
> be a ballot-marking device that uses a touch-screen for voters to make their
> selections. That system won’t tabulate votes. Instead it will print out a
> paper ballot marked with the voter’s choices, so voters can review them
> before depositing them into an optical-scan machine that tabulates the
> votes. Galois will bring this system to Def Con this year.

This sounds great: paper trail, no chance of "hanging chads" or bad
handwriting, verifiable by the voter at the moment before scanning and hand-
countable if necessary.

~~~
simongr3dal
I hate being outright dismissive but it sounds like an expensive html/pdf form
with a printer attached.

I do agree that the paper trail is a great thing. I'm not fundamentally
against electronic voting, but I haven't heard of a system that can really
compete with the simplicity and verifiability of the immutability you get
from paper ballots inside ballot boxes being watched over by interested
parties on all sides.

~~~
dragontamer
> I hate being outright dismissive but it sounds like an expensive html/pdf
> form with a printer attached.

And I like it. The simpler the design, the better. Sometimes it takes a
billion dollars and a couple of smart researchers to invent the "obvious"
solution to a problem.

We've got butterfly ballots, confusing electronics-only machines, and a
variety of bad standards as the basis of our current voting infrastructure.
Telling everybody to use a damn PDF + printer would be a gross improvement.

~~~
hyperion2010
And suddenly I have another use case for my language for specifying scientific
protocols. Counting votes in a way that is scientifically verifiable. Turns
out keeping verifiable lab notebooks for legal reasons is a really similar
problem to keeping verifiable vote tallies, also for legal reasons
(hopefully). It is telling that we have better provenance systems for far more
complex processes but we still haven't managed one for person one vote ....

~~~
lifeisstillgood
I may be misunderstanding but what language "specifying scientific protocols"
do you mean? Is this published? How does it work (a generic workflow
language? It sounds interesting whatever it is)

~~~
420basteit
Probably not the same thing that guy was talking about, but this is a cool
project going on at University of Washington - it's made for biological
science workflows but it's really quite flexible.

[https://www.aquarium.bio](https://www.aquarium.bio)

------
abakker
>The systems Galois designs won’t be available for sale. But the prototypes it
creates will be available for existing voting machine vendors or others to
freely adopt and customize without costly licensing fees or the millions of
dollars it would take to research and develop a secure system from scratch.

I guess the devil is always in the details. "freely adopt and customize" to me
says that the code will not be verifiable or open source anymore? Or that the
implementation could be flawed. Open sourcing the code, and then letting
commercial entities change it, cut corners, make money, etc seems to be a good
way to ensure that all the hard work that went into designing the system is
rapidly compromised.

~~~
masswerk
Isn't there a law in the US prohibiting public institutions from competing
with private businesses? This may provide a cause for not rolling it out, but
rather handing it over to private enterprises for implementation.

Edit: I recall the US having to withdraw from the Human Genome Project because
of this as soon as a private enterprise claimed it as a field of business.

~~~
ashelmire
No, that’s not true. I’m unaware of such a law and could point to many counter
examples. The human genome project was declared “complete”.

~~~
masswerk
Actually, the HGP was on the verge of being scrapped, but then the U.K. came
to the rescue with a major investment to make up for the US. If I recall this
right, the US enterprise (Celera) wanted to take an algorithmic shortcut in
mapping and verifications, by this overtaking the HGP regarding final results
in order to provide the data as a paid service. This happened 7 years before
the scheduled finalization of the HGP. Eventually, they finished in a tie.
(However, this has been some years ago now and I'm not a US citizen.)

------
rabi_penguin
Galois has a reputation for being one of the most visible and well-known shops
associated with Haskell. I'm curious to see what they can accomplish. A little
bit of poking showed this[0] coming up -- I definitely wonder if that's around
the same direction they'll be taking.

[0] [https://galois.com/project/csfv-crowd-sourced-formal-verific...](https://galois.com/project/csfv-crowd-sourced-formal-verification/)

------
sverige
Why does this keep coming up? What is the compelling argument against paper
ballots? There is no need for results to be known immediately, so how does
making voting an exercise done by computers make anything better, particularly
when computers are much more vulnerable to remote interference?

~~~
therealdrag0
Aren't counting ballots always wrong? Like every time there is a recount the
number changes...

What's wrong with electronic ballots? If we can have a secure and audit-able
banking system (and every other aspect of our lives), surely we can have the
same for voting?

~~~
rtkwe
> If we can have a secure and audit-able banking system (and every other
> aspect of our lives), surely we can have the same for voting?

There's one major requirement in voting systems that throws a huge wrench in
everything, anonymity. In order to prevent vote buying and coercion voters
can't be tied to specific votes. So any system that allows a person to check
that their vote got counted for their candidate isn't workable because that
violates the anonymity requirement.

There's a million reasons that votes change as they're counted and recounted.
For one in some states absentee ballots can be postmarked up to the day of the
election so they can trickle in for a while after the day of. Another is
machine breakdowns and just mistakes as the complete numbers are gathered.

~~~
gervase
The way this (anonymity) is handled in the Estonian system is that votes can
be validated out-of-band for 30 minutes after they were cast, then they're
locked. Additionally, a voter can overwrite their previous vote at any time
during the vote period, so they could always prove their first vote, and then
overwrite it privately later.

There are several other major problems with their system [0], but I think they
should at least get credit for their approach.

0: [https://www.aaspring.com/ccs2014/ivoting-paper.pdf](https://www.aaspring.com/ccs2014/ivoting-paper.pdf)

~~~
rtkwe
There's still the voting server where the (voter,vote) pair exists and could
be exfiltrated in theory. It does solve the low level organized vote
buying/coercion campaigns at least.

------
weej
Title is misleading. This is a 3rd-party contractor that won an RFP bid to push
out hard copy verification of ballot and voter's choice with some "DARPA
techniques". Not quite the secure confidential system with data integrity I
was hoping for.

> We will show a methodology that could be used by others to build a voting
> system that is completely secure.

This really feels like a Proof-of-concept or reference architecture, at best.

~~~
weej
That said, at least it's progress in the right direction (I hope). We'll see
how it turns out.

------
sagitariusrex
I don't believe that putting a price tag on a piece of software legitimizes it
for a given use case.

I get this same feeling from posts that say "Product X written in language Y".
While I agree that there exists a right programming language for a given task,
it is not in itself a reason to use product X.

------
thanatos_dem
I use this premise as one of my architectural interview questions: design a
voting system.

Having asked it dozens of times, I’ve come to the conclusion that I don’t
trust anyone to build a voting system. I like it as a question tho, since it’s
open ended enough to really let the candidate focus on the domains interesting
to them; scalability, security, data modeling, whatever they want really.

~~~
tommd
That's a huge leap from "arbitrary candidates can't give a satisfactory answer
during an interview" to "I don't trust it can be done."

Do you apply the same test to cryptographic algorithms?

------
equalunique
I'm a fan of Galois, so I'll keep tabs on this project.

~~~
danpalmer
Agreed. I was about to write this off as a boring project that might go
nowhere, but I have a huge confidence that Galois will treat this with the
gravitas necessary from a computing and security theory point of view.

It might still go nowhere, but I expect there will be very interesting
developments as a result of it.

------
tdcbfdct3
More information about the idea: [https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy...](https://en.wikipedia.org/wiki/End-to-end_auditable_voting_systems)

------
masswerk
Thought experiment: Have, like in aviation, units built of two separate, but
parallel architectures designed and built by unrelated, independent
manufacturers with software written by independent teams in different
languages and deploy them redundantly. (E.g., Airbus does this.) Now you have
cranked up the cost for any manipulations to the requirements of successfully
attacking two separate architectures in the same realtime timeframe, maybe at
several redundant units at once. Leaving the message path. So you're still
screwed. (Simply, because the win to cost ratio may be near to infinity. If we
have concerns regarding personal messages, how could we possibly guarantee for
this one?) Enter the paper trail and printers. – However, does anyone remember
the Xerox scanner debacle of misarranged and falsely duplicated data by the
compression algorithm, or the debates about Obama's birth certificate (due to
image portions duplicated by the compression algorithm)? Things like these
went unnoticed for years.

What we may learn from this, a) there's no perfect system involving software,
b) if we do not want to invest as much in democracy as we do in shuffling
around a few people by aviation, how may we be worth it? Anyway, voting
methods shouldn't be about cost reduction.

~~~
grepper
For those who were perhaps intrigued, as I was--here is a bit more information
I found through a cursory search about how Airbus's consensus system works.
Interesting stuff. [0][1]

[0] [https://aviation.stackexchange.com/questions/15234/how-does-...](https://aviation.stackexchange.com/questions/15234/how-does-the-airbus-flight-computers-voting-system-work)

[1] [https://aviation.stackexchange.com/questions/21744/how-do-re...](https://aviation.stackexchange.com/questions/21744/how-do-redundancies-work-in-aircraft-systems)

~~~
masswerk
Thanks for the complementary links!

Regarding Xerox scanner compression issues, compare this great CCC-talk by
David Kriesel, "Traue keinem Scan, den du nicht selbst gefälscht hast" [0] –
Sorry, German only.

[0] [https://www.youtube.com/watch?v=7FeqF1-Z1g0](https://www.youtube.com/watch?v=7FeqF1-Z1g0)

[1] [http://www.dkriesel.com/en/blog/2013/0802_xerox-workcentres_...](http://www.dkriesel.com/en/blog/2013/0802_xerox-workcentres_are_switching_written_numbers_when_scanning)

(Didn't MS's PDF-viewer have similar issues?)

------
myth2018
Sounds good. But in practice it's complicated.. In Brazil we have been using
electronic voting systems for 20 years. Since then, there's been absolutely NO
EVIDENCE of fraud. Specialists are regularly invited to know the code and try
to find vulnerabilities (the code wasn't open-sourced, and personally I don't
think it should).

And, even so, the losing parties ALWAYS claim there's been some fraud, and a
significant part of their respective voters buy such discourse.

There's been turnover of power pretty regularly in most parts, and even this
doesn't stop folks from accusing electoral fraud.

Last year, thanks to WhatsApp, the debate gained special contours. Lots of
malicious people shared videos showing fake frauds, which were dismissed after
some hours.

There have also been lots of stupid people mistyping into the ballot and
screaming around with a camera accusing a fraud.

It was a bit of a mess and things tend to get serious in very tight scores,
since there won't be a safe, auditable way of recounting the votes without
having to fully believe in the government agency responsible for operating the
system.

The system makes the process extremely efficient. We are 100 million voters,
voting is mandatory, and we always know the winners within a couple of hours
past the end of the voting process. But..

------
swalsh
My ideal voting system would allow me to have a real time feed of votes as
they come in, so that at the end of the night I can check my records vs the
"official" records. Names can be detached, all I need is a Ballot id. BallotId
can be something as simple as the hash of RegisteredVoterId + password + Salt
+ ElectionId.

As long as the voter remembers their password, they can look up their record,
and the record can be a fully public record with anonymity.

~~~
snowwrestler
Your ideal voting system is vulnerable to coercion ("log in and show me who
you voted for or else") and phishing.

Voting systems should provide confidence to voters that votes are counted
correctly, but not permit anyone, including the voters themselves, to learn
how they voted after the ballot is cast.

~~~
fossuser
I love voting by mail, but I don't understand how that's legal since you could
just coerce someone that way?

Force them to vote by mail, watch them fill out the ballot (or fill it out for
them), and mail it in.

~~~
zanny
Generally all mail in voting systems let you override your vote. If someone
coerces you once and you send in another ballot postmarked after the first or
go to your polling location in person on election day you can override that
vote.

You basically need to hold someone hostage or under total surveillance from
when the ballot is mailed to when the polls are closed to avoid them just
sending in their actual ballot afterwards.

With an electronic voting system the window of time you have to hold someone
hostage is much shorter - simply force their vote an hour before the polls
close and then hold them prisoner for the hour.

~~~
fossuser
This is an interesting answer and makes more sense - still possible to do, but
harder.

------
zestyping
Anyone building or designing voting systems should first be familiar with the
concept of _software independence_.

[https://en.wikipedia.org/wiki/Software_independence](https://en.wikipedia.org/wiki/Software_independence)

It's an extremely important and useful concept, and should form the basis of
the first question (or one of the first) asked of any voting system provider.

------
jpgfunk
Max Kaye from the Flux party has been building a blockchain based one here
[https://github.com/voteflux/THE-APP](https://github.com/voteflux/THE-APP)

It's open source and it's actually got a sound philosophy behind it. It's near
completion and hopefully it'll change the way we vote globally (not just in
Aus)

------
folli
Maybe they'll succeed were Switzerland has just recently failed:
[https://www.technologyreview.com/the-download/613107/a-major...](https://www.technologyreview.com/the-download/613107/a-major-flaw-has-been-found-in-switzerlands-online-voting-system/)

------
kajecounterhack
[https://www.youtube.com/watch?v=HVmHruNg6m0](https://www.youtube.com/watch?v=HVmHruNg6m0)

This amazing talk by Ben Adida is really relevant. He has worked on solving
voting for a long time now and does a great job here of breaking down some of
the salient parts of the problem.

~~~
specialist
I have the impression that Ben Adida is no longer advocating cryptographic
voting technologies. Which is encouraging.

[https://www.usenix.org/conference/enigma2019/presentation/ad...](https://www.usenix.org/conference/enigma2019/presentation/adida)

------
anth_anm
My design uses paper and pen.

Deployment requires mailing ballots out and having places where people can
come in to fill them out.

10 million dollars please.

~~~
MBCook
How well does it work for people with motor disabilities? Vision disabilities?
Does an X mean a choice or they crossed out their choice? What happens when
the pens run out of ink? What if they can’t read English?

Helpers? What do you pay them? Can they understand that dialect of that
obscure language? Do you trust them not to lie about what they’re marking on
the ballot for someone?

The truth is electronic voting machines have upsides. Having the system fill
out the ballot which the voter then hands in seems like an almost ideal use to
me. It’s totally verifiable but can help many people who wouldn’t be able to
vote without help.

~~~
monocasa
> Do you trust them not to lie about what they’re marking on the ballot for
> someone?

Do we really think that a large conspiracy of translators for obscure
languages is a viable attack?

~~~
MBCook
I was thinking more when helping the visually impaired.

------
tomc1985
Surely it doesn't cost $10m to build a secure ballot form. Existing solutions
have had so many obvious flaws that it seemed like e-voting companies weren't
actually interested in accurately counting votes. They really need 50+ people
to make a checkbox form and print the result?

------
ebj73
Secure hardware sounds like the wrong idea, I think. I think the correct idea
will be something more similar to block chains. A system where the security of
the system lies in the ability for anyone to make a copy of the voting data at
any point in time. So there will be multiple copies of the voting data, owned
both by the authorities and by ordinary people.

If the authorities try to tamper with the central copy of the voting data, it
will be checked by the multiple copies owned by the general public.

I think that's the general idea one should pursue. Not "secure hardware".

------
andrewstuart
DARPA Is Building a $10M, Open-Source, Secure Voting System

fact:

DARPA Is Building a $10M, Open-Source Voting System

ambition:

secure

------
LinuxBender
Have there been any competitions to make an open source, highly scalable and
verifiable anti-tampering voting system? Maybe even a competition to see how
few resources can be allocated to facilitate millions of simultaneous voters?
i.e. "did it in 50 lines of python!" like the javascript 1k competitions. [1]

[1] - [https://js1k.com/](https://js1k.com/)

~~~
zAy0LfpBZLC8mAC
> Have there been any competitions to make an open source, highly scalable and
> verifiable anti-tampering voting system

Yes, for thousands of years. The result is called the paper ballot.

You cannot have a verifiable anti-tampering voting system using computers. You
need verifiability by the general public. Auditing a microchip is not
something members of the general public know how to do, and in any case, it
destroys the chip, so it's kinda useless anyway.

~~~
LinuxBender
Are those tamper proof? I recall some engineers testifying before congress
about specifically making paper ballot systems that were designed to allow
altering results. Diebold I think? I don't have a link handy, but it seems
that is just as fallible.

Or do you mean hand written ballots? Does anyone still use those?

And yeah, the digital ones have been hacked at DefCon by children. (their
parents taught them how to hack the devices, so I guess that is cheating)

Maybe throw in some Blockchain or did I use a BS Bingo term?

~~~
zAy0LfpBZLC8mAC
> Or do you mean hand written ballots? Does anyone still use those?

Yes. The constitutional court of Germany ruled that electronic voting is
essentially illegal in Germany due to all the inherent flaws, so all elections
are done with pen and paper, ballot boxes, and manual counting.

~~~
LinuxBender
That's very impressive.

------
chiefalchemist
Not to sound overly cynical but open source isn't a panacea. Yes, it adds
transparency. That's a positive. But that doesn't ensure it'll work.

As for secure, if it's connected to the internet, then it's always going to be
a target.

It seems to me, that - if voting integrity is priority #1 - a return to
traditional analogue voting should be given strong consideration.

------
lpolzer
Now if only they would introduce something like Single Transferable Vote
(entertaining CGPGrey video:
[https://www.youtube.com/watch?v=l8XOZJkozfI](https://www.youtube.com/watch?v=l8XOZJkozfI)),
or another more effective voting system.

Probably won't happen though, as it would seriously shake up politics as we
know it.

------
bluedino
Could this be a useful application of blockchain?

~~~
mspecter
No.

~~~
zachguo
Can you elaborate? It seems each vote would be harder to tamper with if
blockchain is applied. (or some other techniques chaining data together to be
verified)

------
IshKebab
> Members of the public will also be able to use the cryptographic values to
> independently tally the votes to verify the election results so that
> tabulating the votes isn't a closed process solely in the hands of election
> officials.

This sounds like they are using homomorphic encryption?
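
Added example, not from the article and not Galois code: one way the quoted sentence can work is an additively homomorphic encryption scheme, shown here as exponential ElGamal over a toy safe-prime group (the parameters P, Q, G and all function names are my own assumptions for illustration, not a real parameter set). Every posted ciphertext can be multiplied together by any observer to get an encryption of the total without any key, and the trustee who decrypts publishes a Chaum-Pedersen proof that the decryption is honest, so the public can check the announced number against the bulletin board without learning any individual vote.

```python
"""Added example: publicly verifiable tally with additively homomorphic encryption.

Exponential ElGamal over a toy safe-prime group. Anyone holding the public key
and the posted ciphertexts can recompute the encrypted tally; the trustee
decrypts once and publishes a Chaum-Pedersen proof that the decryption is
correct, so observers check the announced total without any vote being
revealed. Group size is tiny for illustration only (an assumption, not a
real parameter set).
"""
import hashlib
import secrets

P = 1019   # toy safe prime, P = 2*Q + 1 (real systems use >= 2048-bit groups or curves)
Q = 509
G = 4      # generator of the order-Q subgroup of Z_P^* (4 = 2^2 is a quadratic residue)


def keygen():
    """Trustee key pair: secret x, public pk = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(pk, vote):
    """Encrypt one 0/1 vote as (G^r, G^vote * pk^r).
    Real systems also attach a proof that the plaintext is 0 or 1; omitted here."""
    if vote not in (0, 1):
        raise ValueError("vote must be 0 or 1")
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(G, vote, P) * pow(pk, r, P)) % P


def homomorphic_tally(ciphertexts):
    """Componentwise product of ciphertexts encrypts the SUM of the votes.
    No secret is needed, so any observer can recompute this from the bulletin board."""
    a, b = 1, 1
    for ca, cb in ciphertexts:
        a, b = (a * ca) % P, (b * cb) % P
    return a, b


def _challenge(*values):
    """Fiat-Shamir challenge: hash the proof transcript into Z_Q."""
    data = ",".join(str(v) for v in values).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def decrypt_with_proof(sk, pk, tally_ct, max_votes):
    """Trustee decrypts and proves log_G(pk) == log_a(d) (Chaum-Pedersen)."""
    a, b = tally_ct
    d = pow(a, sk, P)                       # a^x; the only secret-dependent value
    w = secrets.randbelow(Q - 1) + 1
    t1, t2 = pow(G, w, P), pow(a, w, P)
    c = _challenge(pk, a, d, t1, t2)
    s = (w + c * sk) % Q
    m = (b * pow(d, -1, P)) % P             # = G^total
    for total in range(max_votes + 1):      # discrete log by exhaustion, bounded by voter count
        if pow(G, total, P) == m:
            return total, (d, t1, t2, s)
    raise ValueError("tally outside the expected range")


def verify_tally(pk, tally_ct, total, proof):
    """Public check: the proof verifies AND b / d == G^total."""
    a, b = tally_ct
    d, t1, t2, s = proof
    c = _challenge(pk, a, d, t1, t2)
    ok_g = pow(G, s, P) == (t1 * pow(pk, c, P)) % P
    ok_a = pow(a, s, P) == (t2 * pow(d, c, P)) % P
    ok_m = (b * pow(d, -1, P)) % P == pow(G, total, P)
    return ok_g and ok_a and ok_m


def run_election(votes):
    """End to end: encrypt, post, tally publicly, decrypt with proof."""
    sk, pk = keygen()
    board = [encrypt(pk, v) for v in votes]        # what the bulletin board publishes
    ct = homomorphic_tally(board)
    total, proof = decrypt_with_proof(sk, pk, ct, len(votes))
    return {"pk": pk, "tally_ct": ct, "total": total, "proof": proof}


if __name__ == "__main__":
    result = run_election([1, 0, 1, 1, 0, 1, 0, 0, 1, 1])   # constructed sample: 6 yes of 10
    print(result["total"], verify_tally(result["pk"], result["tally_ct"],
                                        result["total"], result["proof"]))
```

What this does and does not give you: the public can recompute the encrypted tally and check the decryption proof, so an election official cannot announce a total other than the one the posted ciphertexts encrypt. It does not, by itself, stop a voter's device from encrypting the wrong choice, and without a per-ballot 0/1 proof (left out above) a single ballot could encrypt 1000; both are why these schemes are paired with the paper trail the thread keeps coming back to.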

------
hello_tyler
Thank god. Now this is a good investment. They should be getting 10x that
budget though.

------
systematical
Finally. I've been saying this for years, as I'm sure others have.

------
stankypickle
Secure voting system... right... I wonder how this will unfold... =/

------
known
I doubt it can fix
[https://en.m.wikipedia.org/wiki/Electoral_fraud](https://en.m.wikipedia.org/wiki/Electoral_fraud)

------
NicoN00b
Ironic that an Oregon-based company is fixing voting machines, when Oregon has
a paper-based vote-by-mail system that has encountered few problems.

------
cabalamat
> allow voters to verify that their votes were recorded accurately

This sounds like it means it's no longer a secret vote and voters can be
bribed or blackmailed to vote a particular way.

~~~
themacguffinman
Only if the voter is allowed to keep the receipt. The system could require
voters to put the paper in a box before they leave like we do now.

------
crb002
Bad DARPA. Any centralized control is corrupting. You need analog and
decentralized to make cheating costly to pull off.

------
Entangled
Software is perfectible, skinware is not. As long as corruptible human beings
are in charge, there will be room for fraud.

~~~
reaperducer
_Software is perfectible, skinware is not. As long as corruptible human beings
are in charge, there will be room for fraud._

Skinware writes the software.

(Is "skinware" the new "wetware?")

------
l00sed
Can anyone attest to this new system's engagement or possible effects on
blockchain technology?

------
MrXOR
Good news. An Agora voting system's fork powered by SGX/TrustZone and verified
by Cryptol?

~~~
MrXOR
More than it:

[https://www.darpa.mil/news-events/ssith-proposers-day](https://www.darpa.mil/news-events/ssith-proposers-day)

------
jacques_chester
You know what has the best paper trail?

Paper ballots.

------
fergie
Every now and again you realize that US government actually does a lot of
stuff right.

------
oldpond
For a good chuckle, search Youtube for Diebold voting machines. LOL.

------
teawrecks
Allowing everyone to verify that their vote was counted as they intend is a
start, but....I'm not saying it has to use block chain, but for its veracity
to actually be openly verifiable, the voting ledger has to be publicly
visible.

~~~
exolymph
Votes can't be public. Leads to coercion.

------
pmoriarty
Say goodbye to democracy wherever electronic voting is rolled out.

~~~
jonahhorowitz
You still have paper ballots - with audits.

~~~
pmoriarty
Those audits are only triggered when the vote counts are close enough, within
a certain margin.

Since whoever controls or hacks the machines gets to set the vote counts, the
audit only happens if they want it to.

~~~
jonahhorowitz
In California[0] we audit 1% of all ballots, regardless of the outcome.

[0] - [https://www.sos.ca.gov/elections/voting-systems/oversight/co...](https://www.sos.ca.gov/elections/voting-systems/oversight/county-one-percent-manual-tally-reports/)

~~~
pmoriarty
What does that prove?

Your electronic voting machine could completely tell you the truth about every
ballot you ask it about, but lie about the total.

~~~
jonahhorowitz
Because we count an entire precinct and check the totals. We don't just ask it
what it got for individual ballots.

------
bkmeneguello
Everyday someone trying to "fix democracy"

------
keymone
$10M sounds like spare change for DARPA?

------
gsich
Nothing beats paper.

~~~
samirm
scissors does

------
magwa101
Finally

------
asdf333
so awesome

------
deogeo
Open source, open hardware? What a joke. Neither are resistant to
chip/compiler level attacks such as
[https://www.schneier.com/blog/archives/2018/03/adding_backdo...](https://www.schneier.com/blog/archives/2018/03/adding_backdoor.html)
and
[https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html](https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html)

That's all assuming the voting machine is actually running the
software/hardware they tell you - how would a voter check?

The article briefly mentions "That receipt does not permit you to prove
anything about how you voted, but does permit you to prove that the system
accurately captured your intent and your vote is in the final tally,". But if
that receipt doesn't let you prove anything about how you voted, how can you
tell from it that your vote was captured 'correctly'? The machine can print
_anything_ on the receipt!

Then there is the question - what problem is e-voting trying to solve? Hand-
counting scales perfectly and is _extremely_ difficult to covertly tamper
with. So the only 'problem' e-voting solves is that of being unable to
covertly and fully subvert elections.

~~~
kevin_thibedeau
> That's all assuming the voting machine is actually running the
> software/hardware they tell you - how would a voter check?

Have dedicated hardware compute a hash from the content of program ROM on
demand with a button press and present it on an auxiliary 7-segment display.
Compare against the hash of the vetted image. No software need be involved.

At some point in the process, machines will be used for tabulation. You have
to trust the hardware to some extent. Just keep it as simple as possible to
minimize confounding complexity that an attacker can hide in.

~~~
zAy0LfpBZLC8mAC
> Have dedicated hardware compute a hash from the content of program ROM

How do you check the circuit of that hardware?

How do you know the ROM you are reading is the ROM the CPU is executing from?

How do you know the CPU is the architecture you think it is and the program
means what you think it means?

> You have to trust the hardware to some extent.

No, you don't, and you shouldn't. You can do all of that calculation by hand.
And at the very least you can check a random selection by hand.

> Just keep it as simple as possible to minimize confounding complexity that
> an attacker can hide in.

In other words: Don't use electronics. You can't get simpler than pen and
paper.

------
LifeLiverTransp
Relephant xkcd in the room : [https://xkcd.com/927/](https://xkcd.com/927/)

------
Beefin
What I truly don’t understand is why we can’t vote with our phones in this age

~~~
zanny
Because you cannot verify your phone is not compromised at either a software
or hardware level.

You would need independently verifiable hardware and all software running on a
closed system (ie, no third party modifications to running software which
would mean at most a trusted sandbox for other applications outside the proven
path) to be able to trust it to reliably take your vote.

That's on the order of correctness provability that NASA puts into launch
vehicles but NASA doesn't have to contend with hostile actors seeking to
undermine their software and hardware.

