Rock the Vote

Critics and supporters of a new Pentagon-funded online voting system are digging in their heels in the debate over whether it should be scrapped over concerns that it's vulnerable to error and tampering. Now, a new dispute has developed not over the substance of the criticism, but the fact that it was aired at all.

On Jan. 20, a group of four computer scientists issued a report outlining potential information security risks associated with the Defense Department's Secure Electronic Registration and Voting Experiment (SERVE). The department plans to use the remote Internet voting system to allow some military personnel and U.S. civilians living abroad to vote electronically in the upcoming presidential election. But because of the security risks, the experts recommended that officials halt the voting experiment.

The Pentagon invited the report's authors, several of whom are well-known skeptics of electronic voting machines and Internet-based voting, to critique SERVE's technological design. But it now appears that Defense officials, as well as the contractors building SERVE, never expected the experts to publicly release a report on security concerns in advance of a fuller study of the program.

The computer experts said that running the SERVE software online makes it vulnerable to attacks by worms, viruses and other kinds of hacking. The scientists posted their findings at Quickly, though, lobbyists for the information technology industry, Pentagon officials and executives of the company leading SERVE's construction dismissed the experts' warnings as a "minority report," because they were not crafted by the full panel of 10 experts reviewing the voting system.

Avi Rubin, one of the report's authors, said that SERVE officials were well aware of the publicly skeptical stance he and others had taken with respect to the security and integrity of online voting systems. Rubin, an associate professor of computer science at Johns Hopkins University, and three other experts met twice to discuss their concerns, and decided between those two meetings to release a report focused solely on the security risks they perceived, said Barbara Simons, a co-author and a member of the Association for Computing Machinery. The other six SERVE reviewers didn't contribute to the final report because it focused on areas outside their expertise, Rubin and Simons said.

The Pentagon immediately distanced itself from the findings, saying, through a spokesman, that officials were confident in the security features that had been built into SERVE, and that they still planned to use it.

An executive with Accenture, which leads the team of SERVE designers, said the experts evaluated SERVE as if it were a full-fledged system serving a potential voter pool of 6 million Americans overseas. That was misleading, because the project will probably involve no more than 100,000 volunteers, an essentially controlled environment of test subjects, said Meg McLaughlin, president of Accenture's eDemocracy Services unit.

Last week, Accenture released a number of "inaccuracies" contained in the SERVE report, which they said hadn't been corrected before the report was released publicly. The experts only corrected the contested points and issued a final report after giving draft copies to some members of the media, McLaughlin said.

But Simons countered, "That's absolutely not correct." A draft copy was released exclusively to The New York Times before the group issued its final report, Simons said, but she noted that a final, corrected copy also was released, after Defense officials and Accenture noted which points they wanted changed.

The corrected report is online today, and is the version that several news outlets used in their reporting. The Times story, in fact, ran in the newspaper two days after Simons' group posted the updated report. The Washington Post and The Los Angeles Times published similar stories the same day.

It now appears that SERVE officials were eager from the beginning to keep the security experts' findings under wraps. Defense officials asked the group to sign a non-disclosure agreement, stipulating that they wouldn't discuss their opinions publicly, Rubin and Simon said. The group refused, and the department ultimately agreed to allow them to review SERVE without promising to stay silent.

While the war of words has heated up, the debate over SERVE's risks remains. For their part, the critics say that the Internet is so lacking in security that no online voting system can ever be immune from attacks.

McLaughlin doesn't disagree. But she points out that mail-in absentee ballots can be tampered with, too, that the online system allows users to double-check their ballots before submitting them, and that election officials on the receiving end can also recheck the ballots against master records the company will maintain at a physically and electronically secure facility.

McLaughlin said the SERVE project would proceed as planned. The small group of overseas voters will participate in the general election for president in November, and she said those from the seven states participating in the project may be able to vote online in their primaries, as well.

Rubin said he doesn't expect the Pentagon will ask for his input on SERVE in the future.

"It's pretty much out of our hands," he said, adding that, based on his history of speaking out against such projects, "I wonder why they even invited me."

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Sponsored by G Suite

    Cross-Agency Teamwork, Anytime and Anywhere

    Dan McCrae, director of IT service delivery division, National Oceanic and Atmospheric Administration (NOAA)

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Sponsored by One Identity

    One Nation Under Guard: Securing User Identities Across State and Local Government

    In 2016, the government can expect even more sophisticated threats on the horizon, making it all the more imperative that agencies enforce proper identity and access management (IAM) practices. In order to better measure the current state of IAM at the state and local level, Government Business Council (GBC) conducted an in-depth research study of state and local employees.

  • Sponsored by Aquilent

    The Next Federal Evolution of Cloud

    This GBC report explains the evolution of cloud computing in federal government, and provides an outlook for the future of the cloud in government IT.

  • Sponsored by LTC Partners, administrators of the Federal Long Term Care Insurance Program

    Approaching the Brink of Federal Retirement

    Approximately 10,000 baby boomers are reaching retirement age per day, and a growing number of federal employees are preparing themselves for the next chapter of their lives. Learn how to tackle the challenges that today's workforce faces in laying the groundwork for a smooth and secure retirement.

  • Sponsored by Hewlett Packard Enterprise

    Cyber Defense 101: Arming the Next Generation of Government Employees

    Read this issue brief to learn about the sector's most potent challenges in the new cyber landscape and how government organizations are building a robust, threat-aware infrastructure

  • Sponsored by Aquilent

    GBC Issue Brief: Cultivating Digital Services in the Federal Landscape

    Read this GBC issue brief to learn more about the current state of digital services in the government, and how key players are pushing enhancements towards a user-centric approach.


When you download a report, your information may be shared with the underwriters of that document.