EPIC v. DOD (E-voting Security Tests)
US District Court for the District of Columbia
EPIC sought under the FOIA, records relating to the Department of Defense’s (“DOD”) Federal Voting Assistance Program (“FVAP”), a program tasked with ensuring that Service members, their eligible family members and overseas citizens can vote from overseas. Specifically, EPIC sought records describing tests of the agency’s e-voting systems.
Pursuant to EPIC’s FOIA request and in response to EPIC’s lawsuit, the DOD released to EPIC multiple responsive records. The agency released in January 2015, agency emails discussing e-voting systems. In March 2015, the agency released the “Operation Vote” Report, which “assess[ed] the usability, accessibility, and privacy of electronic voting systems.” Finally, in April 2015 the agency released to EPIC, unredacted reports describing 1) a test of the agency’s e-voting system and 2) a penetration test of a simulated election. The agency also created a DOD webpage describing and linking to these reports.
On July 17, 2014, EPIC filed a Freedom of Information Act (“FOIA”) request with the Department of Defense (“DOD”) for documents concerning the DOD’s Federal Voting Assistance Program, including records related to functionality and security of electronic voting systems. The Federal Voting Assistance Program (“FVAP”) is administered by the DOD and is tasked with ensuring that Service members, their eligible family members and overseas citizens are aware of their right to vote and have the tools and resources to vote from around the world.
Computer scientists have long expressed concern about the reliability, security, and integrity of e-voting. E-voting “not only entails serious security risks, but also requires voters to relinquish their right to a secret ballot.” See e.g. Douglas W. Jones and Barbara Simons, Broken Ballots: Will Your Vote Count? 291 (2012).
In 2010 the FVAP launched the Electronic Voting Support Wizard program and for 2011/2012, the subsequent Electronic Absentee Systems for Elections (“EASE”) grants to the States to enable online ballot marking “wizards” and online voting systems for mock elections. While the Request for Proposal for the EASE grants stated that these systems are not to be used for the online return of voted ballots in real elections, the systems in question can in fact enable such options for mock elections. Further, the systems’ architecture allows them to be configured to allow electronic return of voted ballots if the states choose to permit that.
In 2010 the FVAP launched the Electronic Voting Support Wizard (“EVSW”) program in 17 states. The EVSW program encouraged eligible voters to view their individual ballot electronically, cast votes online, and then print out the ballot and return it by mail.
In 2011 FVAP requested $39M to study online voting. In the budget request to Congress, DOD wrote “Funds will complete the kiosk-based system testing evaluation of results, and support similar tests on remote PC-based systems.”
FVAP then launched the Electronic Absentee Systems for Elections (“EASE”), a pilot program to promote online voting. The EASE Request for Proposal stated that the grants were not to be used for ballots in real elections. Many of the systems funded with EASE grants may be enabled to return marked ballots via email or digital fax over the Internet with no additional cost or programming.
At a public hearing in 2011, FVAP discussed “FVAP Technical Initiatives and Standards Development Assistance” and announced a program to include “[Voting System Testing Laboratory] Testing for Uniformed and Overseas Citizens Absentee Voting Act (“UOCAVA”) Systems,” and “Penetration Testing.”
Later in 2011, the FVAP deputy director stated publicly “We also did voting system test laboratory testing against the UOCAVA pilot program testing requirements to give us an assessment moving forward and perhaps provide some additional context as to where we are when it comes to security and overall usability of these systems as we move forward with standards to support the electronic voting demonstration project. And then lastly of the completed objectives so far we also did penetration testing on those same systems, the electronic voting support Wizard as well as those systems that originally are (unintelligible) for Internet voting.” When asked if the tests of the online voting systems that the FVAP were funding would be made public, the FVAP deputy director responded, “Not publicly available as of yet but it will be publicly available.”
On August 13, 2012, California Secretary of State Bowen wrote to FVAP and requested the results of its tests of the FVAP online ballot marking systems. Secretary Bowen wrote, “California and the state’s military and overseas voters that may use such a system would benefit from being able to examine the results of any testing of ballot marking wizards arranged, paid for, or conducted by FVAP.” On September 25th 2012 FVAP responded to Secretary Bowen that “the information and analysis being developed from this research is not yet ready to be released.”
In a 2012 Congressional Hearing on the FVAP before the House Subcommittee on Military Personnel of the Committee on Armed Services, Representative Susan Davis (D-CA) and Pamela Mitchell, Acting Director of FVAP, discussed the FVAP tests for online ballots and Internet voting systems.
Mrs. Davis: In 2011, the Federal Voting Assistance Program (“FVAP”) arranged for the voting system testing laboratories to perform functionality and security testing on both online ballot marking systems and Internet voting systems. The results of these tests were to be made available to the public but as we rapidly approach the 2012 elections, these reports have yet to be published. These online ballot marking systems will be used in States across the country in the November elections, and election administrators could benefit from the results of these reports. What are FVAP’s plans for releasing these test reports?
Ms. Mitchell: These tests are at different stages of ongoing review. The early release of these results without a full vetting of issues and a thorough assessment would lead to incomplete and potentially inaccurate results. The first of the assessments will be released in December 2012, with all of the assessments being released by the end of the 2nd quarter.
EPIC has a long history of working on voter privacy and vote integrity issues, which E-voting directly affects.
In 2010, EPIC released an update to its “E-Deceptive Campaign Practices: Technology and Democracy 2.0” report, first published in 2008. The report reviewed the potential for abuse of Internet-based technology in the election context, and made recommendations on steps that should be taken by Election Administrators, voters, and those involved in Election Protection efforts. E-Deceptive campaigns are internet-based attempts to misdirect targeted voters regarding the voting process, and include false statements about poll place hours, election dates, voter identification rules, or voter eligibility requirements.
In 2009, EPIC recommended greater transparency on the standards development process to the Election Assistance Commission (“EAC”). The agency sought public comments on a draft of the agency’s Voluntary Voting System Guidelines. In its comments, EPIC requested that the EAC follow President Obama’s directive to all federal government agencies that they take affirmative steps to make their activities regarding standards development more transparent to the public, make ballot secrecy a critical component of federal voting technology standards, and maintain software independence in the next iteration of voting technology standards.
In 2008, EPIC submitted comments to the Election Assistance Commission on the proposed Voluntary Voting System Guidelines. EPIC proposed new guidance on privacy protection in the casting of ballots. EPIC also recommended more transparency for the privacy protections provided by federally certified voting systems.
Additionally, EPIC testified before the Election Assistance Commission on the 2007 Voting System Guidelines. EPIC urged the Commission to “offer clear and effective guidance to states on issues of functional capability, hardware, software, telecommunication, security, quality assurance, and configuration of voting systems.”
The secrecy and the security of the vote are integral to America’s voting system, and both are threatened by online voting. Cyber security experts at the National Institute of Standards and Technology have stated that “additional research and development is needed… before secure Internet voting will be feasible.” In 2012 a top cybersecurity official at the Department of Homeland Security stated that “it’s premature to deploy Internet voting in real elections at this time.” Internet voting systems cannot be properly fully secured and create the possibility of undetectable alteration of ballots. Because of ballot secrecy, individual voters are unable to verify that their votes were properly cast. Online voting is thereby particularly susceptible to undetectable hacking and tampering.
Additionally, anonymity is a fundamental aspect of voting rights in the U.S. Online voting, however, makes simultaneous audit ability and anonymity in the voting process extremely difficult to implement.
Finally, online voting requires the use of databases which are likely to include sensitive personal information, the security of which is untested and unclear.
EPIC’s Freedom of Information Act Request
On July 17, 2014, EPIC submitted a FOIA request asking for:
- 1) FVAP Voting System Testing Laboratory Functionality and Security Testing;
- 2) VSTL Functionalist and Security Testing;
- 3) Penetration Testing of Simulated Election;
- 4) All other documents regarding system functionality and security testing of online ballots and internet voting systems.
Freedom of Information Act Documents
- EPIC’s FOIA Request to the DOD (Jul. 17, 2014)
- DOD’s Acknowledgment Letter (Jul. 31, 2014)
- DOD Response Letter (Jan. 28, 2015)
DOD’s First Interim Release (Jan. 28, 2015)
DOD’s Second Interim Release (Mar. 26, 2015)
- Operation Vote Report (Sept. 16, 2011)
DOD Final Release (Apr. 28, 2015)
Legal Documents for EPIC v. DOD (Sept. 11, 2014)
- Complaint (Sept. 11, 2014)
- Answer (Nov. 4, 2014)
- Joint Status Report (Sept. 11, 2014)
- Order Modifying Briefing Schedule (Apr. 8, 2015)
- Consent Motion to Modify Schedule (May 27, 2015)
- Defendant’s Notice of Settlement and Motion to Vacate All Deadlines (June 29, 2015)
- Joint Stipulation of Dismissal (July 13, 2015)
- Defense Dept.: Federal Voting Assistance Program
- Catalogue of Federal Domestic Assistance, Department of Defense, EASE Grants
- Testimony of Pamela Smith, President, Verifiedvoting.org 2012 Hearing on the Federal Voting Assistance Program before the House Subcommittee on Military Personnel of the Committee on Armed Services, Sept. 13, 2012.
- Michael Keller, Latest Internet voting reports show failures across the board, Al Jazeera America, Oct. 8, 2014
- Nancy Scola, Privacy advocates sue Pentagon over Internet voting test results, Washington Post, Oct. 2, 2014
- Tal Kopan, DoD won’t release e-voting penetration tests, Politico, Jun. 16, 2014.
- Verified Voting Blog: Statement on the Dangers of Internet Voting in Public Elections, Verified Voting Blog Post, Feb. 15, 2013.
Support Our Work
EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.Donate