CAC-Vote: Another Insecure Internet Voting System

Philip Stark and I have released this paper with an analysis of a DARPA-sponsored research project to develop an internet voting system.

An Internet Voting System Fatally Flawed in Creative New Ways

Abstract: The recently published “MERGE” protocol is designed to be used in the prototype CAC-vote system. The voting kiosk and protocol transmit votes over the internet and then transmit voter-verifiable paper ballots through the mail. In the MERGE protocol, the votes transmitted over the internet are used to tabulate the results and determine the winners, but audits and recounts use the paper ballots that arrive in time. The enunciated motivation for the protocol is to allow (electronic) votes from overseas military voters to be included in preliminary results before a (paper) ballot is received from the voter. MERGE contains interesting ideas that are not inherently unsound; but to make the system trustworthy (to apply the MERGE protocol) would require major changes to the laws, practices, and technical and logistical abilities of U.S. election jurisdictions. The gap between theory and practice is large and unbridgeable for the foreseeable future. Promoters of this research project at DARPA, the agency that sponsored the research, should acknowledge that MERGE is internet voting (election results rely on votes transmitted over the internet except in the event of a full hand count) and refrain from claiming that it could be a component of trustworthy elections without sweeping changes to election law and election administration throughout the U.S.
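The abstract's central point is structural: the reported result comes from the electronic records, and the paper ballots can only ever confirm or contradict those records, and only for voters whose paper actually arrived. The toy model below is an added illustration of that split, written for this page; it is not code from the CAC-vote prototype or the MERGE paper, and it assumes a deliberately simple world: one contest, one electronic record per voter ID, and a paper ballot that either arrived by the audit deadline or did not. How it treats a voter ID with more than one paper ballot (report it, don't resolve it) is an assumption of the example, not a description of the protocol's rule. The sample votes are constructed.

```python
"""
Toy model of "tabulate from the electronic votes, check against the paper
that arrived".  Added example for illustration; not the MERGE protocol's
actual procedure and not code from the CAC-vote prototype.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ElectronicVote:
    voter_id: str   # assumed: a stable per-voter identifier (e.g. from the CAC)
    choice: str


@dataclass(frozen=True)
class PaperBallot:
    voter_id: str
    choice: str


@dataclass
class Reconciliation:
    electronic_tally: Counter = field(default_factory=Counter)  # what gets reported
    audited_ids: set = field(default_factory=set)       # exactly one paper ballot arrived
    unauditable_ids: set = field(default_factory=set)   # no paper ballot arrived in time
    duplicate_ids: dict = field(default_factory=dict)   # id -> list of paper choices
    discrepancies: dict = field(default_factory=dict)   # id -> (electronic, paper)


def reconcile(electronic, paper):
    """Tabulate from electronic votes; compare each against its paper ballot.

    Only `electronic` feeds the tally, mirroring the abstract's description.
    A paper ballot can show that the electronic record for the same voter
    differs; an electronic record with no paper ballot cannot be checked.
    """
    rec = Reconciliation()
    by_id = defaultdict(list)
    for b in paper:
        by_id[b.voter_id].append(b.choice)

    for ev in electronic:
        rec.electronic_tally[ev.choice] += 1
        papers = by_id.get(ev.voter_id, [])
        if not papers:
            rec.unauditable_ids.add(ev.voter_id)
        elif len(papers) > 1:
            # Assumption of this toy model: several paper ballots under one ID
            # are surfaced for investigation rather than silently resolved.
            rec.duplicate_ids[ev.voter_id] = papers
        else:
            rec.audited_ids.add(ev.voter_id)
            if papers[0] != ev.choice:
                rec.discrepancies[ev.voter_id] = (ev.choice, papers[0])
    return rec


# Constructed sample data (not real election data).
ELECTRONIC = [
    ElectronicVote("v1", "A"), ElectronicVote("v2", "B"),
    ElectronicVote("v3", "B"),   # paper says A: a discrepancy the audit can see
    ElectronicVote("v4", "A"),
    ElectronicVote("v5", "B"),   # no paper ballot arrived: cannot be checked
    ElectronicVote("v6", "A"),   # two paper ballots carry this ID
]
PAPER = [
    PaperBallot("v1", "A"), PaperBallot("v2", "B"), PaperBallot("v3", "A"),
    PaperBallot("v4", "A"), PaperBallot("v6", "A"), PaperBallot("v6", "B"),
]


def demo():
    """Run the reconciliation over the constructed sample and return it."""
    return reconcile(ELECTRONIC, PAPER)


if __name__ == "__main__":
    r = demo()
    print("reported (electronic) tally:", dict(r.electronic_tally))
    print("checked against paper:", sorted(r.audited_ids))
    print("discrepancies:", r.discrepancies)
    print("unauditable (no paper arrived):", sorted(r.unauditable_ids))
    print("duplicate paper IDs:", r.duplicate_ids)
```

The point the run makes is the one the abstract makes: the reported tally is unchanged by anything the paper shows, v5 is simply outside the audit's reach, and whether v6's two ballots count as one error or two is a policy decision the model leaves to the reader rather than encoding.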


Comments


  1. Kaitlyn Woulfe

    Mr. Appel, I have been reading some of the material you’ve written regarding election integrity. Do you have any thoughts to share regarding the 2024 Presidential Election? The last mention I can find is March of 2024; I apologize if you’ve discussed this somewhere I haven’t come across yet.

    Thank you for your time and input.

  2. I’ve read version 3 of the MERGE protocol paper (not sure what the main differences are from the v2 discussed in your paper), and I have some comments that I hope you find worth discussing/answering:

    1. You say that “the Kiosk application determines the county/machine address that runs it without mentioning how”. Where exactly did they mention that? I didn’t find that (or even a discussion of such an idea) anywhere in their paper; it is just that the CAC smart card defines the voter ID. This is kind of important to me, because when I suggested a kind of simple solution to some attacks on the Estonian i-voting system that depends on signaling the voter’s machine (outside the installed application) by something like an interrupt message appearing on the voter’s screen, they said it’s not an easy thing to do. Although I’m not that deep into such technical details, which probably involve lower-layer network protocols, I know hackers do it and I believe it is feasible; anyway, reading about what they have done in the Kiosk may clarify it.

    2. In the Appendix about the RLA details, you say about duplicate handling that if they find MANY (say n>2) paper ballots for the same ID, they record only the one with minimal discrepancy in their audit. I’m not that experienced with RLA details, but I believe this should be handled as “n-1” errors (the system allowed n-1 wrong stickers that were randomly discovered through sampling, and who knows how many more there are). Then there should be analysis of how this could happen: which malicious parties could have caused it? Strategies to prevent/detect it. Could it have happened, for example, from sending or printing stickers for invalid/challenged votes by mistake? Are they all from the same precinct or county? If not, what could have caused it? etc.

    3. In general, if you find the idea worth discussing, is it possible to make every vote auditable in case of disputes? I mean, if a loser wants to go to court, he/she finds a sample of volunteers who claim they voted for the loser, and it should be possible to verify their votes beyond reasonable doubt before asking for a complete recount or investigating what really happened in more thorough ways. I’m trying to support this here, although it is still a work in progress:
    https://www.researchgate.net/figure/The-voting-process-in-the-proposed-system_fig1_382853901

    (I mean, even if my preprint still has some flaws, what do you think about the idea of the voter having the right to prove his/her vote to a court, the same right as auditors have?)

    Thanks for reading and hopefully replying,

    Shymaa M. Arafat

    1. Andrew Appel

      Sorry for the delay in moderating this message, we were in between moderation protocols for a while.
