Reading headlines, it might surprise some that the United States is not the only country with serious voting technology challenges. In fact, recent years have seen issues in India, Africa, and Latin America; technical experts have examined some of those systems and found them lacking. Today, I’m pleased to report that The Sentry – an NGO that works to prevent genocide and mass atrocities in Africa – released a detailed analysis (full report PDF) of the new system slated for use in the upcoming elections in the Democratic Republic of the Congo (DRC). The Sentry worked with Argentinian security researchers Javier Smaldone (@mis2centavos) and Alfredo Ortega (@ortegaalfredo) and myself to examine what little public information is available about this system. The verdict is not good.
These awesome Argentinian researchers, it turns out, had an opportunity to examine an earlier version of this system, also from South Korean company Miru, in 2016. At that time, they were able to show how completely insecure the Miru system was, including: publicly posted cryptographic keys allowing total modification of the system or vote data; radio transmission of each ballot, which was easily intercepted; and using chips embedded in each paper ballot (RFID tags) to load many more than one vote per ballot. Argentina stopped the procurement and legislative authorization process to obtain these machines shortly after the security researchers publicly presented these flaws to Argentinian legislators.
Fast forward to now: DRC has purchased 105,000 of these machines from Miru at a cost of US $130 million for use in their December 18 presidential election. As detailed in the report released today, the DRC machines appear to be the same machines that Miru attempted to sell to Argentina. In addition, this same company provided equipment to Iraq for their recent election, for which there will be a full recount of 11 million votes due to alleged machine irregularities.