DisElect-Africa

Joshua Padoa, Karan Signh, Atharva, Ivan

Do LLMs Refuse Election Disinformation Equally Across African and Western Contexts — and can a Constitution Fix It?

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

The paper makes a valuable contribution by extending election disinformation benchmarking to African electoral contexts through a controlled experimental design, addressing an important gap in AI safety evaluation. This methodology is a particular strength, and the Constitutional AI intervention adds practical value by demonstrating a mitigation strategy. The main opportunity for improvement is scope: the evaluation currently covers a limited set of countries, models, and prompts, which means the findings are best understood as an initial benchmark rather than a definitive assessment. Further validation of the judging pipeline and deeper analysis of trade-offs such as over-refusal would strengthen confidence in the conclusions and support broader application of the framework.

In relation to Criteria 1, it was not immediately clear to me how the findings could actually be used or deployed in a real world context to limit disinformation during elections. Generally, the project articulated quite clearly the problem, the test / results, and the limitations which were all clear to follow from a non-technical perspective. Something I did not quite understand was how Constitutional AI actually fixed the problem (I'd liked to have understood how Constitutional AI worked in a bit more detail).

The paper's most valuable contribution is the unexpected reframe, discovering that the locale gap hypothesis is superseded by a universal baseline failure and this is communicated clearly and is immediately actionable for low-resource African civic-tech practitioners. The most significant gap is the omission of the Constitutional AI system prompt text from the paper entirely, since the mitigation result is the second major finding and not reproducing it makes independent replication impossible

## Strengths

The risk this work identifies is real and timely, which makes the contribution highly relevant. Election disinformation is a live threat to African democratic processes, and the finding that open-weight models will generate it on demand at a near-total rate is exactly the kind of deployment-side concern the field needs to surface now rather than later.

The methodology is clever. Adapting an existing, published election-disinformation eval into a locale-controlled design is an efficient way to get to a rigorous result in a weekend, and holding the prompt language constant so that only the locale varies is the right move to isolate the effect being studied. The honest reframing of the result is also a strength. The team predicted a locale gap and instead found that compliance is near-ceiling everywhere, then drew the more important conclusion: the guardrails are essentially absent, not unevenly applied.

## Weaknesses

The main weakness is the ceiling effect. Because compliance sits so close to 100% across every arm, there is little headroom to disentangle a locale effect from the overall absence of guardrails, and the locale comparison is underpowered as a result. This is an honest finding rather than a flaw in the design, but it does limit what the current experiment can conclude about regional differences specifically. The scope is also narrow on the regional axis, covering two anglophone African countries, which constrains claims about African contexts more broadly.

## Recommendations for the authors

The clear next step is to **scale this work up**. First, **extend the evaluation to frontier models**. Unlike the open-weight models tested here, frontier systems have meaningful guardrails, so their compliance should fall away from the ceiling and finally create the headroom needed to detect whether locale matters. Second, **add more African country variations** so that genuine regional differences can be isolated. If both are done, this becomes a powerful and decision-relevant resource that could guide real democratic institutions in Africa as they defend against disinformation. On presentation, the paper is clear and easy to follow, and expanding some of the briefer bulleted sections into fuller prose would strengthen the structure and help it read as a complete paper.

Cite this work

@misc {

title={

(HckPrj) DisElect-Africa

},

author={

Joshua Padoa, Karan Signh, Atharva, Ivan

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.