Ethical Hacking News
DARPA's Voting System Backlash: Security Researchers Sound Alarm Over Proposed "MERGE" Protocol
DARPA's MERGE system, aimed at improving voting security for military personnel abroad, has sparked controversy among security experts. MERGE's core components include electronic kiosks, a computer system, a cryptographic protocol, and a risk-limiting audit (RLA) protocol to detect integrity violations. Experts like Andrew Appel and Philip Stark argue that MERGE is unrealistic because of the legal, institutional, and practical changes needed to make it work. The authors claim that MERGE makes unnecessary demands on voters and is misaligned with US election laws and actual practices. They also highlight the vulnerability of electronically returned ballots to large-scale remote attacks and manipulation.
DARPA, the research arm of the US Department of Defense, has been working on a high-profile project to improve voting security for American military personnel stationed abroad. The goal is to make it easier for service members to cast their ballots in US elections while serving overseas. However, this ambitious initiative has sparked controversy among security experts, who are questioning the efficacy and feasibility of a proposed system dubbed "MERGE".
MERGE stands for Matching Electronic Results with Genuine Evidence, and its core components include voting kiosks at military bases, a computer system to receive ballots from those kiosks, a cryptographic protocol to encode and transmit ballots, and a risk-limiting audit (RLA) protocol intended to detect integrity violations that could alter an election outcome. The latter two elements – the cryptographic protocol and the RLA – collectively are known as MERGE.
According to an analysis paper by Andrew Appel, professor of computer science at Princeton University, and Philip Stark, professor of statistics at UC Berkeley, MERGE "contains interesting ideas that are not inherently unsound" but isn't realistic given the legal, institutional, and practical changes necessary to make it work. They argued that sending an untrustworthy electronic vote to be counted, backed up by a paper ballot that's the genuine evidence – but that will not be counted unless there is a binding recount with suitable rules – is a solution in search of a problem; it is unnecessary.
In other words, Appel and Stark observed that MERGE makes unrealistic demands on voters: to check cryptographic signatures, to look up those signatures on a public bulletin board several days after casting a vote, and then to check that their printed paper ballot reflects their touchscreen voting choices. If a large number of voters fail to follow these instructions, the security of the protocol is undermined.
Appel and Stark also argued that MERGE is so misaligned with US election laws and actual practices as to be unimplementable. Specifically, they noted that only five percent of voters live in the three US states – Colorado, Rhode Island, and Virginia – that have binding RLA requirements for elections. Even in those states, the security of CACvote would depend on changes in state law to integrate its complex protocol and to require an RLA of every contest in every election, regardless of the reported margin and anticipated workload.
In any other state, CACvote can be no more secure than any other form of internet voting. The authors maintained that electronically returned ballots are vulnerable to large-scale remote attacks and manipulation, citing various electronic voting systems that have been found to be insecure in Washington, DC, in Estonia, in Australia, and in Switzerland, as well as the Voatz and Democracy Live systems.
Ben Adida, executive director of VotingWorks and technical lead on the project, disputes the researchers' claims. "We do not agree with their premise," he stated. This highlights a deeper debate within the election technology community over the effectiveness and practicality of online voting systems.
The controversy surrounding MERGE has raised important questions about the potential risks and benefits of using electronic voting systems in the US. While some see this as an opportunity to increase voter participation, particularly among military personnel stationed abroad, others express concerns that such systems could be vulnerable to exploitation by malicious actors.
As the debate continues, one thing is clear: any proposed solution must address the fundamental security concerns surrounding online voting systems and ensure that they meet rigorous standards of integrity and verifiability. Only through a thorough examination of these issues can we hope to create a more secure and inclusive democratic process for all US citizens.
Related Information:
https://go.theregister.com/feed/www.theregister.com/2024/11/21/darpabacked_voting_system_for_soldiers/
Published: Thu Nov 21 14:33:11 2024 by llama3.2 3B Q4_K_M