EPIC v. DOD (E-voting Security Tests)

Top News

  • Obama Orders Review of Hacking During 2016 Election: President Obama's top homeland security advisor Lisa Monaco announced today that the Administration has asked the intelligence community to conduct a "full review" of cyber activity during the 2016 election. In 2016, EPIC urged candidates for office to focus on data protection, calling it "the most important, least well understood issue" of the 2016 election. EPIC also published a report on the importance of the secret ballot for democratic decision making. EPIC's Freedom of Information Act litigation uncovered flaws in online voting reported by the Department of Defense just prior to the 2012 election. (Dec. 9, 2016)
  • As Voters Go To Polls, EPIC Backs "Data Protection 2016," Secret Ballot: With voters heading to the polls for the 2016 Presidential election, EPIC has urged national focus on "data protection," calling it "the most important, least well understood issue" of this election season. Together with Common Cause and Verified Voting, EPIC also published a report on the importance of the secret ballot for democratic decision making. And EPIC's Freedom of Information Act litigation has uncovered flaws in online voting reported by the Department of Defense in a 2011 report. EPIC is non-partisan, educational organization and does not endorse candidates for public office. (Nov. 7, 2016)
  • More top news »
  • Report Outlines Security Challenges for Online Voting » (Jul. 17, 2015)
    A new report from the U.S. Vote Foundation concludes that no internet voting systems provide adequate security for public elections. The report recommends "end-to-end verifiable voting," which allows voters to confirm that their votes were recorded. The system would also verify that votes are correctly tabulated. EPIC has obtained FOIA documents from the Department of Defense regarding the functionality and reliability of an e-voting.
  • EPIC Obtains E-Voting Documents, Security Questions Remain Unanswered » (Apr. 3, 2015)
    As the result of a Freedom of Information Act lawsuit, EPIC has obtained a September 2011 report about online voting. The report, produced in response to EPIC's July 2014 FOIA request, summarizes a pilot test of e-voting system. The report recommends several changes, including accessibility and user interface, but does little to address privacy and security concerns except for recommending "visible security features" to "give users greater confidence in the privacy and security of their ballots." EPIC will continue to pursue the documents that have been withheld from the public about the risks of online voting.
  • EPIC Files FOIA Lawsuit For Reports on Electronic Voting Reliability » (Sep. 11, 2014)
    EPIC has filed a Freedom of Information Act lawsuit to obtain test reports about an online voting program promoted by the Department of Defense. The records sought relate to the functionality and security of electronic voting systems. The California Secretary of State, Members of Congress, and voting rights advocates have tried to obtain these documents, but DOD has kept them secret even after promising public disclosure in 2012. Computer scientists have long warned about the risks of electronic voting systems. In the complaint, EPIC states that "it is absolutely critical for the documents sought in this matter be disclosed prior to further deployment of e-voting systems in the United States." The case is EPIC v. Department of Defense, No 14-1555 (D.D.C. filed 9/11/2014). For more information, see EPIC: EPIC v. DOD - E-voting Security Tests.

Summary

EPIC sought under the FOIA, records relating to the Department of Defense's ("DOD") Federal Voting Assistance Program (“FVAP”), a program tasked with ensuring that Service members, their eligible family members and overseas citizens can vote from overseas. Specifically, EPIC sought records describing tests of the agency's e-voting systems.

Pursuant to EPIC's FOIA request and in response to EPIC's lawsuit, the DOD released to EPIC multiple responsive records. The agency released in January 2015, agency emails discussing e-voting systems. In March 2015, the agency released the "Operation Vote" Report, which "assess[ed] the usability, accessibility, and privacy of electronic voting systems." Finally, in April 2015 the agency released to EPIC, unredacted reports describing 1) a test of the agency's e-voting system and 2) a penetration test of a simulated election. The agency also created a DOD webpage describing and linking to these reports.

Background

On July 17, 2014, EPIC filed a Freedom of Information Act ("FOIA") request with the Department of Defense ("DOD") for documents concerning the DOD's Federal Voting Assistance Program, including records related to functionality and security of electronic voting systems. The Federal Voting Assistance Program ("FVAP") is administered by the DOD and is tasked with ensuring that Service members, their eligible family members and overseas citizens are aware of their right to vote and have the tools and resources to vote from around the world.

Computer scientists have long expressed concern about the reliability, security, and integrity of e-voting. E-voting "not only entails serious security risks, but also requires voters to relinquish their right to a secret ballot." See e.g. Douglas W. Jones and Barbara Simons, Broken Ballots: Will Your Vote Count? 291 (2012).

In 2010 the FVAP launched the Electronic Voting Support Wizard program and for 2011/2012, the subsequent Electronic Absentee Systems for Elections ("EASE") grants to the States to enable online ballot marking "wizards" and online voting systems for mock elections. While the Request for Proposal for the EASE grants stated that these systems are not to be used for the online return of voted ballots in real elections, the systems in question can in fact enable such options for mock elections. Further, the systems' architecture allows them to be configured to allow electronic return of voted ballots if the states choose to permit that.

In 2010 the FVAP launched the Electronic Voting Support Wizard ("EVSW") program in 17 states. The EVSW program encouraged eligible voters to view their individual ballot electronically, cast votes online, and then print out the ballot and return it by mail.

In 2011 FVAP requested $39M to study online voting. In the budget request to Congress, DOD wrote "Funds will complete the kiosk-based system testing evaluation of results, and support similar tests on remote PC-based systems."

FVAP then launched the Electronic Absentee Systems for Elections ("EASE"), a pilot program to promote online voting. The EASE Request for Proposal stated that the grants were not to be used for ballots in real elections. Many of the systems funded with EASE grants may be enabled to return marked ballots via email or digital fax over the Internet with no additional cost or programming.

At a public hearing in 2011, FVAP discussed "FVAP Technical Initiatives and Standards Development Assistance" and announced a program to include "[Voting System Testing Laboratory] Testing for Uniformed and Overseas Citizens Absentee Voting Act ("UOCAVA") Systems,” and “Penetration Testing."

Later in 2011, the FVAP deputy director stated publicly "We also did voting system test laboratory testing against the UOCAVA pilot program testing requirements to give us an assessment moving forward and perhaps provide some additional context as to where we are when it comes to security and overall usability of these systems as we move forward with standards to support the electronic voting demonstration project. And then lastly of the completed objectives so far we also did penetration testing on those same systems, the electronic voting support Wizard as well as those systems that originally are (unintelligible) for Internet voting." When asked if the tests of the online voting systems that the FVAP were funding would be made public, the FVAP deputy director responded, "Not publicly available as of yet but it will be publicly available."

On August 13, 2012, California Secretary of State Bowen wrote to FVAP and requested the results of its tests of the FVAP online ballot marking systems. Secretary Bowen wrote, "California and the state's military and overseas voters that may use such a system would benefit from being able to examine the results of any testing of ballot marking wizards arranged, paid for, or conducted by FVAP." On September 25th 2012 FVAP responded to Secretary Bowen that "the information and analysis being developed from this research is not yet ready to be released."

In a 2012 Congressional Hearing on the FVAP before the House Subcommittee on Military Personnel of the Committee on Armed Services, Representative Susan Davis (D-CA) and Pamela Mitchell, Acting Director of FVAP, discussed the FVAP tests for online ballots and Internet voting systems.

    Mrs. Davis: In 2011, the Federal Voting Assistance Program ("FVAP") arranged for the voting system testing laboratories to perform functionality and security testing on both online ballot marking systems and Internet voting systems. The results of these tests were to be made available to the public but as we rapidly approach the 2012 elections, these reports have yet to be published. These online ballot marking systems will be used in States across the country in the November elections, and election administrators could benefit from the results of these reports. What are FVAP’s plans for releasing these test reports?

    Ms. Mitchell: These tests are at different stages of ongoing review. The early release of these results without a full vetting of issues and a thorough assessment would lead to incomplete and potentially inaccurate results. The first of the assessments will be released in December 2012, with all of the assessments being released by the end of the 2nd quarter.

EPIC's Interest

EPIC has a long history of working on voter privacy and vote integrity issues, which E-voting directly affects.

In 2010, EPIC released an update to its "E-Deceptive Campaign Practices: Technology and Democracy 2.0" report, first published in 2008. The report reviewed the potential for abuse of Internet-based technology in the election context, and made recommendations on steps that should be taken by Election Administrators, voters, and those involved in Election Protection efforts. E-Deceptive campaigns are internet-based attempts to misdirect targeted voters regarding the voting process, and include false statements about poll place hours, election dates, voter identification rules, or voter eligibility requirements.

In 2009, EPIC recommended greater transparency on the standards development process to the Election Assistance Commission ("EAC"). The agency sought public comments on a draft of the agency's Voluntary Voting System Guidelines. In its comments, EPIC requested that the EAC follow President Obama's directive to all federal government agencies that they take affirmative steps to make their activities regarding standards development more transparent to the public, make ballot secrecy a critical component of federal voting technology standards, and maintain software independence in the next iteration of voting technology standards.

In 2008, EPIC submitted comments to the Election Assistance Commission on the proposed Voluntary Voting System Guidelines. EPIC proposed new guidance on privacy protection in the casting of ballots. EPIC also recommended more transparency for the privacy protections provided by federally certified voting systems.

Additionally, EPIC testified before the Election Assistance Commission on the 2007 Voting System Guidelines. EPIC urged the Commission to "offer clear and effective guidance to states on issues of functional capability, hardware, software, telecommunication, security, quality assurance, and configuration of voting systems."

The secrecy and the security of the vote are integral to America's voting system, and both are threatened by online voting. Cyber security experts at the National Institute of Standards and Technology have stated that “additional research and development is needed… before secure Internet voting will be feasible.” In 2012 a top cybersecurity official at the Department of Homeland Security stated that “it's premature to deploy Internet voting in real elections at this time.” Internet voting systems cannot be properly fully secured and create the possibility of undetectable alteration of ballots. Because of ballot secrecy, individual voters are unable to verify that their votes were properly cast. Online voting is thereby particularly susceptible to undetectable hacking and tampering.

Additionally, anonymity is a fundamental aspect of voting rights in the U.S. Online voting, however, makes simultaneous audit ability and anonymity in the voting process extremely difficult to implement.

Finally, online voting requires the use of databases which are likely to include sensitive personal information, the security of which is untested and unclear.

EPIC's Freedom of Information Act Request

On July 17, 2014, EPIC submitted a FOIA request asking for:

  • 1) FVAP Voting System Testing Laboratory Functionality and Security Testing;
  • 2) VSTL Functionalist and Security Testing;
  • 3) Penetration Testing of Simulated Election;
  • 4) All other documents regarding system functionality and security testing of online ballots and internet voting systems.

Freedom of Information Act Documents

DOD's First Interim Release (Jan. 28, 2015)

DOD's Second Interim Release (Mar. 26, 2015)

DOD Final Release (Apr. 28, 2015)

  • DOD Webpage for VSTL and PEN Test Reports
  • Legal Documents for EPIC v. DOD (Sept. 11, 2014)

    Related Documents

    News Items

    Share this page:

    Support EPIC

    EPIC relies on support from individual donors to pursue our work.

    Defend Privacy. Support EPIC.

    #Privacy