April 24, 2024

A review of the FVAP UOCAVA workshop

The US Federal Voting Assistance Program (FVAP) is the Department of Defense agency charged with assisting military and overseas voters with all aspects of voting, including registering to vote, obtaining ballots, and returning ballots. FVAP’s interpretation of Federal law (*) says that they must perform a demonstration of electronic return of marked ballots by overseas military voters (**) in a Federal election at the first Federal election that occurs one year after the adoption of guidelines by the US Election Assistance Commission. Since the EAC hasn’t adopted such guidelines yet (and isn’t expected to for at least another year or two), the clock hasn’t started ticking, so a 2012 demonstration is impossible and a 2014 demonstration looks highly unlikely. Hence, this isn’t a matter of imminent urgency; however, such systems are complex and FVAP is trying to get the ball rolling on what such a system would look like.

As has been discussed previously on this blog, nearly all computer security experts are very concerned about the prospect of marked ballot return over the internet (which we will henceforth refer to as “internet voting”). Issues include vulnerability of client computers, issues with auditability, concerns about usability and coercion, etc. On the flip side, many states and localities are marching full steam ahead on their own internet voting systems, generally ignoring the concerns of computer scientists, and focusing on the perceived greater convenience and hoped-for increased turnout. Many of these systems include email return of marked ballots, which computer scientists generally consider to be even riskier than web-based voting.

FVAP has been caught between the legal mandates and the technical experts. In an effort to break this logjam, they’ve organized a series of open fora – first in August 2010 just before USENIX Security in Washington DC, then in March 2011 just before the Electronic Verification Network workshop in Chicago IL, and last weekend just before USENIX Security in San Francisco CA. All three brought together representatives from FVAP, voting system vendors, election officials, computer scientists, and voting activists to discuss the issues. Several of the Freedom To Tinker bloggers have been present at all three meetings, and have been frustrated that the first two ended at an impasse – computer scientists saying “it doesn’t work” and FVAP (and others) saying “we need a solution anyway”.

Fortunately, the third meeting concluded in a far more constructive way. While all agree there are significant impediments, a consensus was reached that the best solution is a multi-stage competition, in much the same fashion as the National Institute of Standards and Technology (NIST) did for the Advanced Encryption Standard (AES) and is now performing for the Secure Hash Algorithm 3 (SHA-3).

The competition is structured as a series of phases that are completely open, which all expect to be at least somewhat controversial, as some organizations (such as vendors) will want to protect their intellectual property. All submissions will be shared with the public, and competing teams will be encouraged to critique each other’s submissions. In earlier phases this will be focused on the paper requirements and designs; in later phases this may include finding vulnerabilities in architectures and implementations. Submitters may claim patent and/or copyright on their submissions, but these must grant the public (including competitors) rights to use the submissions for analysis, including compiling, testing, and modifying software, for testing purposes. (However, submitters may preclude such use for production or resale purposes.) Thus, trade secrets will be precluded in the competitive process.

The competition will have three phases, each of which may include one or more iterations.

  • In the first phase (which we computer scientists naturally named “round 0”), submissions will focus on requirements for internet voting systems. Submitters will define characteristics that must be met in the following phases. Submissions may also include use cases for which the requirements are applicable – for example, requirements that could apply in environments where all voters have smart cards, such as the US military. As described above, submissions will be open to the public, and anyone (especially submitters) will be encouraged to critique submissions to find the best aspects. At the conclusion of this round, FVAP will (possibly with the assistance of government experts) consolidate the requirements into a single set that will govern the following phase.
  • In the second phase (“round 1”), submissions will provide high level designs and detailed hardware and software architectures, along with procedures necessary for secure operation. The submissions for this round need to be detailed enough that a reasonably skilled person could implement a realization of the system, although many details such as user interfaces and database layouts will be undefined. As with the first phase, submissions will be open for critique. In this phase critiques will focus on identifying areas where designs do not meet the requirements defined in the first phase. The result may be modification of architectures to incorporate ideas from several teams. At the conclusion of this phase, FVAP will (again with assistance from government experts) narrow down the set of acceptable architectures. Or perhaps not – if no architecture is good enough to satisfy the requirements, FVAP may conclude that the experiment should not be run (and cancel the third phase).
  • In the third phase (“round 2”) submitters will create implementations of one or more of the architectures (perhaps even adopting architectures from other teams, if licensing terms permit). During the critique period, teams will seek to find security vulnerabilities in other implementations, and fix problems identified in their own implementation. Usability testing should be part of this phase, as systems too complex for voters to use effectively (even if secure) need to be identified and improved. At the conclusion of this phase, FVAP will identify one or more implementations that are adequate for meeting their demonstration project requirements. Or perhaps not – if no implementation is good enough, FVAP may conclude that the experiment should not be run.

What happens if there is no acceptable solution at the conclusion of the second or third phase? That’s possible – and if it happens, that may be cause for FVAP to request that Congress modify its charter to eliminate the requirement for online blank ballot return. If the best minds in the country conclude that internet voting is a perpetual motion machine, no amount of laws and regulations will make it possible.

How long will all this take? We estimate the entire process will take three or four years, allowing time for FVAP to publish a solicitation, organizations to create submissions, the public critique period, FVAP’s consolidation and decision making, and the transition to the next phase.

In the meantime, there’s little doubt that some states will continue to move forward on the existing insecure solutions. We believe, and expect that most other computer scientists will agree, that this is a case to let science take its course before moving into implementation. We hope that FVAP will speak out publicly against such ill-advised experiments.

For now, we look forward to working with FVAP in realizing the first ever national internet voting competition.

(*) While there is some disagreement on interpretation of the law, since I’m not a lawyer and hence not competent to determine the accuracy of that interpretation, this blog entry presumes that the FVAP interpretation is correct.

(**) The term “military and overseas voters” means both military voters stationed away from their legal home (e.g., at a base in another state or overseas) and civilians living overseas (whether on a temporary basis such as contractors or on a permanent basis). Thus this includes people working for organizations like the Peace Corps and embassies as well as expatriates. However, the FVAP mandate for internet voting only applies to overseas military voters, and not domestic military voters or overseas civilians.

Edited Aug 13 @ 12:17pmET: Changed first footnote to explain that I’m not a lawyer and hence not interpreting the law.

Edited Aug 15 @ 1:08pmET: Corrected name of EVN workshop.

Comments

  1. Candice Hoke says

    Why should we invest in internet voting projects if NSA, DoD, and our other cyber security agencies cannot currently or in the foreseeable future protect our networks? With current engineering, we cannot achieve the level of security necessitated by the common interest in honest elections. This is one reason why the congressional aspiration of 2002-04 should be recognized as having lapsed and been merged into the 2009 MOVE Act. Cyberspace has become fundamentally more dangerous since 2004, rendering internet transmissions more, not less, vulnerable.

    Our law does not accord the Government legitimate power to endanger or severely burden fundamental rights, such as voting and election accuracy. The legal system can and will be responsive to protect the public.

    Mr. Carey helpfully notes: “FVAP’s position is that the mandate… ” Thank you, Mr. Carey, for acknowledging that this is not DoD’s position or the DoD General Counsel’s position, or the Administration’s, but FVAP’s only. Similarly (as he and I have discussed), the law that Mr. Carey cites as conferring a “mandate” actually does not legally compel an internet voting demonstration project. Let’s invest the DoD monies in securing our networks. Thereafter, when networks are proven sufficiently secure, we can investigate online voting.

    • Professor Hoke, as I have offered you on numerous occasions, as soon as you provide me the legal argument as to why the MOVE Act obviates the mandate of the 2002 National Defense Authorization Act to conduct an electronic absentee voting demonstration project, I will take your argumentation to DoD General Counsel and see if they agree.

      Despite my making that offer to you August of 2010, you, to date, have not provided any such legal argumentation, despite your saying you would have such argumentation to me by October 2010.

      Maybe actually looking at the law would be helpful. The 2002 National Defense Authorization Act states:
      “(a) Establishment of Demonstration Project. –
      “(1) In general. – Subject to paragraph (2), the Secretary of Defense SHALL carry out a demonstration project under which absent uniformed services voters are PERMITTED TO CAST BALLOTS in the regularly scheduled general election for Federal office for November 2002 through an electronic voting system. The project shall be carried out with participation of sufficient numbers of absent uniformed services voters so that the results are statistically relevant.
      “(2) Authority to delay implementation. – If the Secretary of Defense determines that the implementation of the demonstration project under paragraph (1) with respect to the regularly scheduled general election for Federal office for November 2002 may adversely affect the national security of the United States, the Secretary MAY delay the implementation of such demonstration project until the first regularly scheduled general election for Federal office which occurs after the Election Assistance Commission notifies the Secretary that the Commission has established electronic absentee voting guidelines and certifies that it will assist the Secretary in carrying out the project.” [emphasis added]

      That seems pretty straightforward to me.

      Then the MOVE Act goes on to say, “In the case in which the Election Assistance Commission has not established electronic absentee voting guidelines under such section 1604(a)(2), as so amended, by not later than 180 days after October 28, 2009, the Election Assistance Commission shall submit to the relevant committees of Congress a report containing the following information:
      (A) The reasons such guidelines have not been established as of such date.
      (B) A detailed timeline for the establishment of such guidelines.
      (C) A detailed explanation of the Commission’s actions in establishing such guidelines since October 28, 2004.”

      Again, it seems pretty straightforward that Congress expects this to be done. What am I missing?

  2. All in all, I think a pretty good synopsis. However, on your note **, FVAP’s position is that the mandate doesn’t limit to overseas military only! Just to military, which could include domestic military. Now, the greatest need is probably for overseas military, but the demonstration project mandate doesn’t differentiate.

    Again, thanks for the good summary.

    • jeremy.epstein says

      Appreciate that correction, Bob! My notes were obviously incorrect on that point.

      I hope we’ll see some progress from FVAP in the near future on laying out the proposed rules of the game.

  3. Joyce McCloy says

    Jeremy, while this competition may be used to “prove” that internet voting is a great idea, is there enough confidence in this to allow for independent hacking tests, as were allowed with the DC Internet Voting Pilot?

    Since any internet election would be vulnerable to hacks from around the world, even just to hacking for “lulz”, seems that this would be the main test to pass.

    Also, how would insider tampering be prevented?

    • jeremy.epstein says

      Joyce, the intention of the competition is that it’s open at each phase – in the early stages (when it’s requirements and paper designs) there won’t be anything to hack, but in the third phase, where there are real systems, the expectation would be that submitters would attack each other’s systems, and anyone else who’s interested would be welcome to also. That’s the essence of the open competition model.

      Insider tampering is something that should be addressed as part of defining the requirements (first phase) – then solutions that are proposed in the second and third phases would need to explain how they address that requirement. So you (or anyone else) who thinks that insider tampering should be a requirement should definitely submit it as part of the first phase!

      [Of course at this point we’re tossing around ideas; nothing has been approved, but that’s how it should work.]