Three years later, Pentagon unit still hides Internet voting test results

A nonprofit watchdog group is suing an obscure Defense Department unit over its failure for three years to disclose the results of testing on the security safeguards of Internet voting systems that are increasingly being used to cast absentee ballots.

The Pentagon unit, the Federal Voting Assistance Program, has effectively bankrolled many states’ shift to online voting, disbursing tens of millions of dollars in grants for the purchase of equipment that includes Internet balloting options.

Its actions have drawn consternation from cyber experts, who have warned for years that Internet voting is an easy target for hackers who could tamper with or even fix election results. The government’s premier technology testing agency also has refused to endorse these systems.

Now, on the eve of another federal election in which at least 31 states plan to use some form of online voting, the Electronic Privacy Information Center is pressing a Freedom of Information Act lawsuit demanding disclosure of the test results so it can disseminate the information nationwide.

In a statement to McClatchy, the Federal Voting Assistance Program said it expects to release the results in 2015. Because they “contribute to the larger, ongoing decision-making process” regarding the agency’s congressional mandate to conduct a demonstration project on electronic voting, it said, the test results are deemed “pre-decisional” and currently are exempt from disclosure.

The case, filed on Sept. 11 in the U.S. District Court for the District of Columbia, marks the latest skirmish in a long-simmering clash over the role of the Pentagon unit, whose primary task is to facilitate absentee voting by troops and other Americans living overseas.

The Pentagon unit said it conducted the tests for use by a separate agency, the U.S. Election Assistance Commission, which is attempting to set standards for Internet voting systems. But a shortage of appointed commissioners has stalled that agency’s progress, and so the Pentagon agency said it is preparing to release the test results on its own.

The agency has walked a fine line since Congress declined in a 2005 law to endorse electronic voting systems until it receives assurance from the National Institute of Standards and Technology that they are secure and reliable.

In 2012, the last time the standards agency weighed in on the subject, it concluded that Internet voting systems “cannot currently be audited” with confidence because, unlike most electronic voting systems at polling places across the nation, there is no verifiable paper trail.

As a result, it said, “additional research and development is needed to overcome these challenges before secure Internet voting will be feasible.”

In an earlier statement, the institute said in 2011 that it would be “difficult to mitigate” malicious software attacks on voters’ personal computers, which are outside the control of election officials. While each such attack could only impact one vote, it said, “attackers have demonstrated an ability to infect a large number of clients, and thus client-side attacks have the ability to have a large-scale impact.”

Officials at the Federal Voting Assistance Program have said they do not advocate online voting but support the use of systems that allow absentee voters to mark their ballots on computer screens and then print them for mailing.

However, vendors that peddle those systems to state agencies have included options for Internet voting, and some state legislatures have approved its use. At least two vendors, San Diego-based Everyone Counts and Toronto-based Dominion Voting, have said in pitches to state agencies that their products passed the still-secret 2011 independent tests arranged by the Pentagon.

The testing protocols, however, could be called into question because no government agency has formally established test standards.

In seeking $39 million from Congress in 2011, the Federal Voting Assistance Program said that it would conduct tests on various online systems, including those allowing for absentee voters to cast ballots at overseas kiosks and systems in which votes could be emailed or otherwise transmitted via personal computers.

In its suit, the Electronic Privacy Information Center cited a series of public statements in which officials of the Pentagon unit pledged in the past to publicly disclose the results of their tests by certified testing laboratories.

In 2012, acting chief Pamela Mitchell of the Voting Assistance Program responded to written questions from Congress by advising that “the first assessments will be released in December 2012, with all of the assessments being released by the end of the second quarter (of 2013).”