Tuesday, February 18, 2020

Microsoft's New ElectionGuard Voting System

Building 83 on Microsoft's massive Redmond, Washington, Headquarters is the nameless structure hosting what might be their most Important Product of 2020.

Tucked away in a corner, a sign reading "ElectionGuard" identifies a Touchscreen that asks People to Cast their Votes. An Xbox Adaptive Controller is connected to it, as are an All-white Printer and a white Ballot Box for Paper Votes. If you didn't look carefully, you might have mistaken all that for an Array of Office Supplies.

ElectionGuard is Open-Source Voting Machine Hardware/Software that Microsoft announced in May 2019. In Microsoft's demo, Voters make their Choices by Touchscreen before Printing out Two Copies. A Voter is supposed to Double-Check One Copy before Placing it into a Secure Ballot Box to be Counted by Election Workers. The other is a Backup Record with a QR Code the Voter can use to Check that the Vote was Counted after Polls Close.

With ElectionGuard, Microsoft isn't setting out to Create an Un-Hackable Vote, but rather a Vote in which Hacks would be Quickly Noticed.

ElectionGuard addresses what has become a Crucial Concern in U.S. Democracy, the Integrity of the Vote. The Software is Designed to Establish End-to-End Verification for Voting Machines. A Voter can Check whether Their Vote was Counted. If a Hacker had Managed to Alter their Vote, it would be Immediately Obvious, because Encryption Attached to the Vote would have Changed.

The Open-Source Software has been Available since last September. But Microsoft gets its First Real-World Test when ElectionGuard is used in a Local Vote in Fulton, Wisconsin. The Local Election will provide Microsoft an Opportunity to find Blind Spots in the ElectionGuard system. The Question is how many it will find. During ElectionGuard's First Demo at the Aspen Security Forum last July, Microsoft Identified some User Experience Flaws. A Big one: Voters were Confused as to why Two Sheets of Paper were Printing Out.

"This is a critical, important part of why we're having this pilot," Tom Burt, Microsoft's Corporate Vice President for Customer Security and Trust, told a Group of Reporters at Building 83. "To find out, does this stuff all work? Do people verify? Do they do these things?"

Microsoft isn't alone in proposing Solutions to the Problem. Since 2016, many Tech Giants have rolled out programs aimed at buttressing trust in the system. Google's Advanced Protection Program for Political Campaigns Protects their Accounts from Basic Cyber-Attacks. Facebook has Plans to take on Disinformation Campaigns and Protect Campaigns that use the Social Network.

Microsoft is the First Major Tech Company to Directly Address Voting Machine Infrastructure, the Front Line of Election Security. But it isn't Promising that ElectionGuard Prevents Machines from being Hacked. Rather, it's Promising to make it Obvious if a Machine is Hacked. "This is not a system that cannot be hacked by an adversary. It is a system that is pointless for an adversary to hack," Burt said. "Even if they can figure out a way to somehow influence that or change that, it would be detected by the system, and you can go to the paper ballots and do a hand count if you needed to."

Microsoft is working with Fulton, a Small Wisconsin Town that has about 500 Registered Voters. The Vote is for the Town's School Board and a Local Judge. ElectionGuard will also serve as the Backup to Paper Ballots, rather than the Primary Voting method.

Burt said they hope to Learn how ElectionGuard gets used by Voters, Election Officials, and Poll Workers. The Wisconsin Elections Board decided in June 2019 to work with Microsoft on the Pilot, but the ElectionGuard system hasn't been Certified for Standard Use in the State, according to a Statement from the Wisconsin Elections Commission. "We hope this pilot test will give us further insights into how the system works and whether voters like it," said Meagan Wolfe, Administrator of the Wisconsin Elections Commission. "We can use this data as we try to make elections in Wisconsin even more secure, usable and accessible."

The Pilot is intended to be the First of many for Microsoft over the next few years. ElectionGuard won't be used for any Major Elections in 2020, the Company said. With so many Opportunities to bungle ElectionGuard's Roll-Out, and so few to redeem it, Microsoft is being careful with how it presents the Technology. "We're basically trying to test in a very controlled environment where the outcome of the election is in no way dependent on the technology," Burt said. "We just want to test, 'How does it work? What can we learn? What we need to change and improve?'"

ElectionGuard works through a Process known as "Homomorphic Encryption," a Concept First introduced in 1987 by Josh Benaloh, a Microsoft Research Senior Cryptographer. Your Vote is meant to be Private. Private Votes make Intimidation or Bribery Useless, since no one can Confirm you Voted a certain way. Microsoft's Encryption also keeps the Vote Secret by Converting Choices into Random Lines of Code until they're Decrypted. Votes shouldn't be Decrypted, however, since they're intended to stay Private. Homomorphic Encryption allows for Counting Votes while they remain Secret, according to Benaloh. "It's sort of structured gibberish," the Cryptographer said. "Yes, it's gibberish. Yes, you can't tell what it is. But it retains enough structure that you can actually work with it rather than just ungibberishing it." With ElectionGuard, Benaloh said, only the Final Tally should be Decrypted, not Individual Votes.

At Microsoft's Demo for its New system, R.C. Carter, the Company's Director of Strategic Projects, explained that ElectionGuard would run Parallel to Paper Ballots. After a Vote is Cast on the Touchscreen, the Digital Vote is Encrypted and Tallied. The Vote would also be Printed Out, Verified by the Voter, then Placed in a Secure Ballot Box next to it. The Printout would come with Two Sheets of Paper: One for the Ballot Box, and the other, which bears your Votes and a QR Code, to Serve as a Receipt to Verify your Vote Later Online.

Election Officials Count the Paper Ballots, the Usual and Most Secure Method. The Counted Paper Ballots are the Election Results, not those Submitted Digitally. The Count takes place Offline, after the Polls Close. Once that happens, the Encrypted Votes are Collected as a .ZIP File that Anyone can Download and use to Verify the Votes. If something didn't Match Up, a Voter could Look at the Encrypted Vote to see if anything had been Tampered with. "If you can't stop the hack, the second-best thing is to know that you've been hacked," Carter said. "This is exactly what this does."
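The two ideas described above, counting votes while they stay encrypted and letting a voter check the published record against a receipt, can be sketched in a few lines. This is an added illustration, not ElectionGuard's code: it assumes a toy exponential ElGamal scheme with constructed parameters far too small for real use, and the receipt is a hypothetical hash of the ciphertext.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption): far too small for real use.
P, Q, G = 2039, 1019, 4   # safe prime P = 2Q + 1; G generates the order-Q subgroup

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, vote):
    """Encrypt a 0/1 vote as (g^r, g^vote * pk^r); fresh r hides repeated votes."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(G, vote, P) * pow(pk, r, P)) % P

def add(c1, c2):
    """Multiplying ciphertexts component-wise adds the hidden votes."""
    return (c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P

def decrypt_tally(sk, c, max_votes):
    """Decrypt only the aggregate: recover g^total, then search the small range."""
    g_total = (c[1] * pow(c[0], Q - sk, P)) % P   # c0^(Q-sk) == c0^(-sk)
    for total in range(max_votes + 1):
        if pow(G, total, P) == g_total:
            return total
    raise ValueError("tally outside expected range")

def receipt_code(c):
    """Hypothetical receipt: a short hash binding the voter to one ciphertext."""
    return hashlib.sha256(f"{c[0]}:{c[1]}".encode()).hexdigest()[:16]

def run_election(votes):
    """Encrypt each vote, publish ciphertexts and receipts, decrypt the sum only."""
    sk, pk = keygen()
    ballots = [encrypt(pk, v) for v in votes]
    receipts = [receipt_code(c) for c in ballots]
    total = ballots[0]
    for c in ballots[1:]:
        total = add(total, c)
    return decrypt_tally(sk, total, len(votes)), ballots, receipts

def verify_receipt(published_ballot, code):
    """What a voter checks after polls close: does the public record match?"""
    return receipt_code(published_ballot) == code

if __name__ == "__main__":
    tally, ballots, receipts = run_election([1, 0, 1, 1, 0])  # constructed votes
    print("yes votes:", tally)
    altered = (ballots[1][0], (ballots[1][1] * G) % P)        # record changed after casting
    print("receipt still matches:", verify_receipt(altered, receipts[1]))
```

No individual ballot is ever decrypted here; the private key touches only the combined ciphertext, and a changed record no longer matches the receipt its voter holds.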

ElectionGuard addresses many Voting Machine Security concerns. But Not All of them. It's Open-Source, which means that it's Free and can be Adapted for any Machine. That helps Local Election Officials facing Budget Issues. It also allows Major Election Machine Makers to Implement it on their Hardware across the Board. Cutting through Red Tape surrounding Election Machines, however, is another Obstacle. Different States have Different Regulations on complying with the Election Assistance Commission (EAC), a U.S. Agency that develops Voting system Guidelines. Getting the EAC's Certification has become a Major Challenge for Election Security, Burt said.

Microsoft found that many Election Counties were using Outdated Windows Machines because EAC Guidelines required a Complete Re-Certification Process just to apply simple Security Patches, for example. Installing an Entirely New Voting system would be another hurdle for Certification, Burt said. "The process of certifying is incredibly slow and burdensome," Burt said. "What it really is going to require is a refresh of devices in the market. You can't take some old Windows 7 voting machine and download ElectionGuard and stick it in."

Another Human Error concern that Microsoft will have to Address is that People tend to Fail at Verifying their Own Votes, or even Reporting it when there's something Wrong. In a Study from the University of Michigan Published in January, 2020, Researchers found that only 6.6% of 241 Voters in a Mock Election told Poll Workers there was an Issue, despite All the Machines being Rigged to show Errors on the Printed-Out Vote. Without any Intervention, only 40% of the Voters actually Reported the Issue to the Voting Officials. And even if it were Reported, Election Security Experts don't expect much Recourse over Detected Errors.

"Being able to verify something is not a remedy if there's no recourse," said Harri Hursti, an Election Security Expert and Co-Founder of Defcon's Voter Hacking Village. "Most people don't want to do things twice. It's just human nature and human behavior."

Microsoft is hoping to Address the Non-Reporting Issue by Training the Poll Workers in Wisconsin to Prompt Voters to Check their Ballots Once they've been Cast. Poll Workers have to Sign Ballots before they're Cast, and that's when they'll also Tell Voters to Verify their Vote.

The University of Michigan Study found that Reporting Errors jumped from 6.6% to 85.7% when Poll Workers encouraged People to Check their Vote.

During Tests with Election Volunteers, Microsoft found that Small Adjustments like Changing the Color on Printouts could also be Effective. "One simple thing we've done that already looks like it's working super well in Wisconsin is the ballot comes out white, the verification code is going to be printed on a piece of yellow paper, just so you have that visual difference," Burt said, referring to test runs conducted last week with election volunteers.

Human Error isn't the only concern for ElectionGuard. Microsoft has put the system through a Bug Bounty Program. It also invited NCC Group, a Security Research Firm, to do an Independent Review of the Software last September. Researchers have Submitted Bug Bounties on ElectionGuard for Review, though Microsoft has yet to make any Payouts, Carter said. Microsoft is also working to change ElectionGuard's Core Programming Language from C, after NCC Group pointed to Vulnerability Issues.

If all goes well, Microsoft and ElectionGuard could change the way Votes are Counted and Verified around the World, introducing a New Layer of Security to Protect Democracies. The Company is considering possibilities of what could go Wrong and carefully Rolling-Out ElectionGuard in Pilot Tests in Smaller Elections over the next year. But other Adopters might not be so Cautious.

As an Open-Source Tool, it's Available to the World, and a Public Failure, something like the Iowa Caucuses App Debacle, could tarnish ElectionGuard's Image even if Microsoft had Nothing to do with it. "You've put your finger on a valid concern. I won't deny it," Microsoft's Benaloh said. "There is risk there. There is some subtlety to how to use it properly."

Burt said that Governments around the World have been Interested in using ElectionGuard, some for Countrywide Elections. "We just heard from a developer in a European country who's been contracted to build the ElectionGuard system for city elections," Burt said. "And we had no idea they were doing that. That's the nature of open-source projects. You put stuff up there and say, 'It's here for anyone to use.'"

Election Machines that go perfectly right in Testing and Demonstrations might experience Issues when used in the Real World. That's what Galois, a Government Contractor, learned when it brought DARPA's $10 Million Voting Machine to Defcon to see if Hackers could find Issues with its Security. An Unexpected Bug prevented the Machine from Working until the Last day.

Microsoft worked with Galois to help Develop ElectionGuard's Software as well. Joey Dodds, a Research Engineer at Galois, said the Open-Source Tool is still very much in a Testing Phase and he doesn't expect it to be Used in an Actual Election with Major Consequences until 2024 at the earliest. He acknowledged that ElectionGuard is Solving for a Small Part of Election Security, and that Hackers still have many ways to Meddle with Democracies. "It is not a complete solution for electronic voting without a backup," Dodds said. "It is not going to have anything to say about poll books, voter registration, anything that happens prior to ballot recording and casting. That's all going to require different approaches."

Even if the Technology behind Microsoft's ElectionGuard was Perfect, it would have to Deal with Motivated Disinformation Campaigns mixed with Human Error from All Sides: Voters, Poll Workers, and Third-Party Developers using the Open-source Tools.

"There are still plenty of opportunities to screw it up, but ElectionGuard gives you a framework to work forward," said Tod Beardsley, Director of Research at Security Firm Rapid7. "We'll see if it's actually implemented right."

NYC Wins When Everyone Can Vote! Michael H. Drucker
