Voting on Your Phone: New Elections App Ignites Security Debate

Published February 13, 2020
By ZatKrSA

For more than a decade, it has been an elusive dream for election officials: a smartphone app that would let swaths of voters cast their ballots from their living rooms. It has also been a nightmare for cyberexperts, who argue that no technology is secure enough to trust with the very foundation of American democracy.

The debate, long a sideshow at academic conferences and state election offices, is now taking on new urgency. A start-up called Voatz says it has developed an app that would allow users to vote securely from anywhere in the world — the electoral version of a moonshot.

Thousands are set to use the app in this year’s elections, a small but growing experiment that could pave the way for a wider acceptance of mobile voting.

But where optimists see a more engaged electorate, critics are warning that the move is dangerously irresponsible. In a new report shared with The New York Times ahead of its publication on Thursday, researchers at the Massachusetts Institute of Technology say the app is so riddled with security issues that no one should be using it.

In response to the report, the Department of Homeland Security organized a series of briefings in recent weeks for state and local officials who are planning to use Voatz’s technology.

“The choice here is not about turnout,” the report says, “but about an adversary controlling the election outcome and a loss of voter privacy.”

With security already a dominant theme of the 2020 elections, last week’s debacle at the Democratic caucuses in Iowa — an app used to report results failed to, well, report results — has raised new questions about the role technology should play in American elections and prompted calls for it to be scaled back.

While a return to the analog days of punch cards and hanging chads is unlikely, there is growing unease about how far state and local governments should go in modernizing election infrastructure — from registration databases and electronic poll books to the voting machines themselves.

At the far edge of that debate are systems that let users cast their ballots over the internet, including the platform built by Voatz, the only voting app on the market.

An initial experiment with wide-scale online voting took place in Washington a decade ago. It was called off after researchers hacked into the system, electing HAL 9000 — the computer from “2001: A Space Odyssey” — as mayor and making the University of Michigan fight song play every time a ballot was cast.

Since then, some states have allowed online voting through web portals, emails or digital faxes, despite the security risks.

But they have restricted it to groups of people who can’t make it to the polls, mostly overseas military personnel.

Voatz says its technology has overcome the security concerns through biometrics and other measures built into newer smartphones, as well as a back-end system that records and stores votes on a blockchain, the technology underpinning Bitcoin. It also says its platform creates a paper trail for election officials and the voters using the app.

Since its debut in 2018, Voatz has run several pilot projects aimed largely at deployed service members, tallying about 600 votes across federal elections in Denver, West Virginia and five counties in Oregon, Utah and Washington State.

Now, it is poised to expand its reach in the presidential election as a number of additional states consider whether to use it for some categories of absentee voters.

West Virginia, for instance, is planning to use the app to meet new requirements that it find a way to make sure the disabled and infirm can participate, a move that is likely to add thousands of voters this year.

Until now, security experts have focused criticism on what they described as Voatz’s opaque systems, which make it impossible to verify its security claims.

Beneath that criticism, there is also some very real animus — many in the tightly knit cybersecurity community blame Voatz for helping spur an F.B.I. investigation of a University of Michigan graduate student who tried to breach the company’s systems in 2018. The student says he was conducting research.

In the new paper, the M.I.T. researchers, Michael A. Specter, James Koppel and Daniel J. Weitzner, go beyond speculation and detail how they found serious security issues by reverse-engineering Voatz’s app and recreating what they could of the company’s server from publicly available information.

Flaws in the app, the report says, would let attackers monitor votes being cast — and might even allow them to change ballots or block them without users’ knowledge.

Perhaps the biggest risk, according to the researchers, is that the attacks could create a tainted paper trail, making a reliable audit impossible.

They pointed to the problems in the Iowa caucuses as an instructive example. Though those problems were caused by technical faults, not a security breach, officials in Iowa have had to tally votes through paper backups, some of which are not complete. More than a week later, a definitive result has yet to emerge.

“Imagine that on a national scale,” Mr. Specter said in an interview.

The researchers took their findings to the Department of Homeland Security in January, setting off a process through which Voatz was made aware of the research and election officials who use the platform were briefed.

In a statement, Homeland Security said that while no one was known to have exploited the flaws found by the researchers, “we will continue to work with our partners to deepen understanding of the risk.”

Voatz, which has reviewed the report, strenuously objected to the researchers’ claims, saying in a statement that the researchers acted in bad faith, used an outdated version of the app and “fabricated an imagined version” of the servers.

The company said that its nine previous elections had gone off without incident, and argued that its pilot projects had pushed “innovation forward in a responsible, transparent manner.”

The company is backed by Bradley Tusk, a venture capitalist and philanthropist. In an interview last year with Harvard Business Review, he also brushed aside security concerns. “It’s not that cybersecurity people are bad people per se,” he said. “It’s that they’re solving for one situation, and I’m solving for another.”

Caught in the back-and-forth between Voatz and the researchers are election officials who must soon decide on whether to use the app this year. At least one Voatz client, Mason County, Wash., has already pulled out, citing fear of media blowback.

Others say they are pressing ahead with plans to use Voatz.

The app “is not perfect — nothing is — and security is always a concern for us,” said Donald Kersey, a senior election official in West Virginia. “But this is about using new technologies that give us a way to make sure people who maybe can’t always vote have that opportunity.”