CORRECTION (Feb. 21, 21:50 UTC): Because of inaccurate information provided by the West Virginia Secretary of State’s office, an earlier version of this article misdescribed the subject document as a declassified DHS report. It is a summary published by Voatz of a still-classified DHS report.
The Department of Homeland Security (DHS) found a number of security vulnerabilities in Voatz’s technical infrastructure during a cybersecurity audit of the mobile voting app vendor’s Boston headquarters, according to a newly declassified report obtained by CoinDesk.
However, the DHS report, conducted by a Hunt and Incident Response Team with the department’s Cybersecurity and Infrastructure Security Agency (CISA) also determined Voatz had no active threats on its network during the week-long operation, conducted in September. It developed a series of recommendations to further boost Voatz’s security. Voatz has since addressed those recommendations.
The CISA report was shared with CoinDesk hours after a technical paper by MIT researchers claimed to detail a number of major vulnerabilities in the Medici-backed Voatz’s app, including allegations the app leaves voters’ identities open to adversaries and that ballots can be altered.
The MIT report, published Thursday by graduate students Michael Specter and James Koppel and principal research scientist Daniel Weitzner, further alleges the app has limited transparency, a claim also raised by a number of security researchers.
“Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections,” the MIT researchers said in the report.
However, the CISA audit, which focuses less on the app itself and more on Voatz’s internal network and servers, draws a different conclusion. The DHS investigators wrote that while they found some issues that could pose future concerns to Voatz’s networks, overall the team “commends Voatz for their proactive measures” in monitoring for potential threats.
The two reports paint contrasting pictures of how the company, whose app has been used in pilot programs and live elections in West Virginia, Colorado and Utah, approaches voting security. Further, at least one election official overseeing the Voatz app rollout believes the MIT study is missing data in its evaluation.
The MIT researchers did not return a request for comment by press time.
The MIT report relies on a reverse engineering of the Voatz app and reimplemented “clean room” server, according to the researchers, who did not interact with Voatz’s live servers or its purported blockchain back end.
They found privacy vulnerabilities and a wealth of potential avenues for attack in the app. Adversaries could infer user vote choice, corrupt the audit trail and even change what appeared on the ballot, the researchers said.
The researchers’ findings and faults did not focus on Voatz’s use of a blockchain, at least in part because they did not have access to the permissioned blockchain on which Voatz is said to store and authenticate votes. Instead, they report the Voatz app never submits vote information to any “blockchain-like system.”
Criticizing Voatz’s lack of transparency, the researchers further argued the company’s “black box” approach to public documentation could, in tandem with the bugs, erode public trust.
“The legitimacy of the government relies on scrutiny and transparency of the democratic process to ensure that no party or outside actor can unduly alter the outcome,” the report said.
Ultimately, the researchers recommended elected officials “abandon” the app outright.
“It remains unclear if any electronic-only mobile or Internet voting system can practically overcome the stringent security requirements on election systems,” they said.
But Amelia Powers Gardner, a Utah County, Utah, election auditor who supervised her county’s rollout of the Voatz system for disabled voters and service members deployed overseas, told CoinDesk that at least some of the bugs the researchers found cannot be exploited in practice.
“[The researchers] weren’t able to substantiate these claims because they were never able to actually connect to the Voatz server,” Powers Gardner said. “So in theory they claim that they may have been able to do these things, and only on the Android version, not the Apple version.”
She said the MIT researchers’ effort comes from “what ifs, and perhaps, and maybes that, frankly, just haven’t panned out,” and that the app had since been patched.
For Powers Gardner, Voatz’s benefits far outweigh any security risks. She said the software is a far better alternative for otherwise disenfranchised voting groups than the current technological solution: email.
“While these concerns of around mobile loading can be valid, they don’t rise to a level of security that causes me to even question the use of the mobile app,” she said.
John Sebes, co-founder and chief technology officer of the Open Source Election Technology Institute, said a number of the researchers’ concerns still stand, despite Powers Gardner’s claims.
Election officials and computer scientists live in very different worlds, and therefore may not see eye to eye, he said. However, he added, computer science researchers do not need to understand an election official’s world to be able to assess a software vendor’s claims.
“We can’t validate Voatz’s claims that newer versions were better, but it’s still the case that the version inspected had some fairly basic issues,” Sebes said.
In response to Powers Gardner’s claims the researchers claims were speculative, or “what ifs,” Sebes said this reflected a misunderstanding of the value of this kind of security assessment.
The goal is to find vulnerabilities in the software that could enable adversaries to conduct a successful cyber operation, rather than claim an actual attack occurred, Sebes said.
Still voting electronically
Voatz itself took issue with the MIT report, insinuating in a statement that the researchers were embarking on a fear campaign.
“It is clear that from the theoretical nature of the researchers’ approach… that the researchers’ true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion,” the statement said.
The company’s response to the DHS report was more measured; while there was no written statement – and a spokesperson did not return a request for comment – the government investigators said Voatz had taken action on most of their recommendations.
Still, the DHS report remains inconclusive about the Voatz app itself.
West Virginia, one of the states that used the app, claims it has seen no issues so far.
Mike Queen, a spokesperson for West Virginia Secretary of State Mac Warner, said the state’s 2018 pilot for overseas military voters went off without a hitch. However, he was noncommittal as to whether the state would continue using Voatz.
“Secretary Warner and his team will make a decision prior to March 1 regarding the technology that we will prescribe for use in the May 2020 Primary Election,” he said. “As we have done from the very start, our decision will be based on the best available information with a strong emphasis on security and accessibility.”
Like Utah’s Powers Gardner, Queen said any potential physical disabilities or geographic location should not prevent voters from participating in the democratic process.
“I don’t have a duty to an out-of-town researcher who doesn’t understand how elections are actually run,” Powers Gardner said. “I have a duty to stand up for the constitutional rights of the disabled voters in my community, and I’m going to ensure their constitutional right to vote in the safest way that I know how.”
Read the full DHS report below: