Coronavirus is ravaging the globe, canceling presidential primaries in the U.S. and calling into question the wisdom of having lawmakers, many of them elderly, sitting close together as votes are held in Congress. Lawmakers, especially Democrats, have sought to expand mail-in voting, and perhaps give some voters the opportunity to vote digitally through their laptops or even their smartphones.
Polling on the latter idea has shifted during the pandemic, with more people prepared to trust cyberspace with their vote. Forty-two percent of U.S. voters were “confident that votes cast online would be counted accurately,” according to a March Morning Consult poll, a double-digit increase from previous months. The same poll found 66% of respondents were concerned about voting in person during COVID-19.
These fears materialized in Wisconsin and Georgia, which recently held primary elections. In Wisconsin, lines stretched around city blocks as voters tried to social distance while waiting hours to vote. In Milwaukee, the number of polling stations were cut from 180 to five. And in Georgia, the recent primary voting day was a disaster. Equipment failure plagued new voting machines, the number of poll sites were reduced and there were insufficient numbers of paper ballots. The Guardian reported that in many minority communities people had to wait up to seven hours to cast a ballot.
Given how badly recent elections have been organized, it’s hard to fault people for imagining there has to something better. After all, if we can deposit checks into our bank accounts remotely, why can’t we make voting from your phone just as simple?
But if there’s growing enthusiasm for online voting, the technology itself is frequently fallible. Fundamental questions around the security of online voting remain, with experts and reports exposing vulnerabilities in multiple online voting platforms. Blockchain technology, which could help attest truth in voting infrastructure, has yet to show its worthiness.
Consider the implementation issues that have come to light at blockchain voting pioneer Voatz, a startup based in Boston that raised $7 million in a funding round last year.
The blue flyer
When West Virginia rolled out digital voting backed by blockchain for military members abroad in 2018, the idea seemed exciting.
A blue marketing flyer for the voting pilot, with the American flag splashed across the background, declared that “West Virginia is the first state to pilot blockchain technology in a Federal election.” The previous absentee ballot systems offered to overseas military voters were unable to guarantee anonymity, and many military voters were concerned their “mail-in or faxed ballots may not be received in time, or may not be counted. The VOATZ mobile voting app resolves these concerns.”
The vote would be stored as a “vote transaction” on Voatz’s permissioned blockchain, and this would assure that it happened while also divorcing it from a voter's identity. But as the system was tested and implemented, glitches and user error were frequent.
In an email to Voatz, one user said that while verification checks worked well, they had to “log in and out multiple times before the app confirmed their identity and let them access their ballot.” Another said it took many attempts for the app to verify their identity, and the app failed in submitting their vote several times. A couple of days later, they went to try again and found their ballot selections were lost, so they had to fill out the ballot again.
Another person, misunderstanding how the app functioned, ended up voting only in one race (rather than multiple ones on the ballot). Users who cast incomplete ballots and contacted their country clerk or the Secretary of State's Office were able to remedy their partial ballots. But voters who reached out after the voting period ended would have been unable to do so.
A review of emails between Voatz, West Virginia Secretary of State’s Office and voters that CoinDesk, obtained through its public records requests, show the process of setting up the pilot was long, complex and often tedious.
One email showed a county clerk unable to add voters to the rolls because they had to clear their browser history first. Another county clerk wrote in an email, “What’s with the demographic ‘menu’ under “settings” in the app? If the voter were to fill out that information within the app, who owns that sweet, sweet data?”
In August 2018, a member of the public alerted the West Virginia Secretary of State’s office that, based on a Twitter thread, “some election security wonks have been poking into the mobile voting system you are committed to try out. What they are finding is not good.”
“Thank you for the heads‐up,” wrote the General Counsel for the West Virginia Secretary of State in response. “We’ve been down this road before... when we first announced our test pilot back in March.”
While no malicious activity has been discovered in the 2018 West Virginia elections, subsequent followup reports and security audits, with and without Voatz’s cooperation, have found numerous security flaws, and illustrate the reasons why election security experts and some lawmakers are so worried about the concept of voting online.
The appeal of online voting
Online voting products range from mobile apps to online portals, and blockchain-based voting apps offer extra reassurance of accuracy.
Ballot Chain, a software that claims to act as a distributed ballot box, “allows for an online process with the same guarantees of a public election.” FollowMyVote, a Virginia-based company, allows users to see their vote logged on the public register. CEO Adam Ernest has said that “there is a common misconception that voting cannot be done online in a secure way. However, the introduction of blockchain technology is changing the conversation.” He cites blockchain’s convenience, cost-effectiveness, security and transparency.
Voatz is a mobile voting application that incorporates blockchain as a way to make sure the votes on their platform are accurate when audited. Voatz says its technology has been used in more 50 elections, including Denver, CO, Utah County, UT, Oregon, and, yes, West Virginia, and that 80,000 votes have been cast through the app.
But numerous cybersecurity and elections experts, public officials and academics say internet-connected voting opens elections up to new risks and when it comes to voting, the more analog the process is, the better. Some contend blockchain doesn’t add anything to the voting process, but others recognize it may have adjacent, if less sexy, uses.
“There are a lot of companies working on election technology selling digital snake oil – overpriced junk that has never been tested by independent experts, or that we already know isn’t secure,” said U.S. Sen. Ron Wyden (D-Ore.) in an email. “Cybersecurity experts agree that hand-marked paper ballots are the safest way to vote.”
As voters seek new ways to vote, the most popular solution may be the most antiquated one: physically marking your choices on a paper ballot. At a time of technological accomplishment, we are, for now at least, happy with the least accomplished solution. Uncertainty in the electoral system has led to a kind of defeatism about technology’s potential and it's an open question whether we can shake that off and come out the other side.
Founded in 2015, Voatz's app enabled military members stationed overseas, among others, to vote using their smartphone, while allowing for audits to ensure the voting process was legitimate and secure.
But adding new layers of software to a voting process creates multiple points of vulnerability, election experts say. There is software that runs on your smartphone, whether that’s the operating system or the numerous apps that are likely downloaded onto it. There is the Voatz app, which runs on software. There is the connection to the internet itself.
“People often think that using more technology is a good thing, and that we get more benefits and more security from technology,” says Ronald Rivest, a cryptographer and senior professor at MIT who has looked at voting technology extensively. “In fact, it tends to work the opposite way. More technology typically means more complexity. And more complexity means less security.”
MIT researchers (Rivest was not one of them) released a report in March that claimed to detail “elementary” vulnerabilities in the Voatz’s app, such as allegations the app would leave voters’ identities available to adversaries, and even that ballots could be altered, as CoinDesk reported at the time. The report also alleged the app has limited transparency for auditing purposes, a complaint echoed by several security researchers.
“Our findings serve as a concrete illustration of the common wisdom against Internet voting, and of the importance of transparency to the legitimacy of elections,” the MIT researchers said.
Voatz strongly disagreed with those findings, and subsequently released a less-damning Department of Homeland Security (DHS) report that largely addressed its internal network and servers rather than third-party apps.
Nimit Sawhney, the CEO and founder of Voatz, said the MIT researchers made a number of assumptions about the Voatz system that were incorrect, and that contrary to some characterizations the company doesn't have anything against cybersecurity researchers. Having come from that world, he says, Voatz welcomes criticism.
“What we objected to in the MIT report was their methodology and how they went about it,” says Sawhney. “It was very adversarial. It was not collaborative at all and seems like they had an agenda. Then there is the methodology, not connecting to a system, not using our testbed on HackerOne [which is a place developers can post their code for others to find bigs in] and just taking a version of the Android app and disassembling it.”
“We can't validate Voatz’s claims that newer versions were better, but it's still the case that the version inspected had some fairly basic issues,” John Sebes, co-founder and chief technology officer of the Open Source Election Technology Institute, told CoinDesk. “None of these findings depends on server access at all, and if newer versions of the app are different in these regards, that would be not a newer version of the app, but an app of a whole different design with reference to security.”
Voatz’s assertion that the DHS report showed no record of adversaries on the company's systems does not necessarily mean this would not be the case in the future, Sebes said. There are vulnerabilities that can be exploited and all it takes is one person acting nefariously.
The back and forth between the MIT researchers and Voatz points to an inherent tension at the heart of the security of digital voting systems, whether that be online voting, apps, blockchain, or something else. Without open source security audits, security experts have to trust the entities building these systems. Right now, they don’t. This is an inherent problem with commercial software, from Facebook’s newsfeed to recruiting algorithms — it’s almost impossible to review.
On the one hand are advocates of making voting easier and more seamless through the use of technology. On the other hand, going back to the imperfectness of software, a number of security researchers just don’t believe that given that fallibility, it’s worth applying tech to something as monumentally important as voting.
Since the MIT report came out, West Virginia, which used the Voatz app in 2018, has said it will not use the technology in 2020.
Tusk Philanthropies funds a number of forays into online voting, including Voatz, and was founded by Bradley Tusk, a political operative and venture capitalist. Tusk President Sheila Nix said it wants Voatz and the other vendors in the online election space to be more transparent with audits. Voatz has said its intellectual property rights preclude greater transparency.
“If that involves them releasing every detail of their source code, I don't know if there's a way to be transparent about it,” says Nix. “But I think it's fair to say to the vendors that you [need] some of these tests done not under a nondisclosure agreement.”
She said some of this is on DHS too, which does these reports, but then says they can’t be released to the public.
When asked about the idea of opening their audits up to public scrutiny, Sawhney said it just doesn't feel like it's easy to share that information with the public. He said that it's hard to communicate the findings of a lengthy report and the media and others highlight the negative rather than the positive. “The headlines are going to be that an audit report found 26 vulnerabilities,” he said.
He went on to say that unless there's a good way to create objectivity about these reports and how they’re reported, it becomes really difficult to effectively share these technical reports.
In the weeks after Sawhney and I discussed the MIT report, Voatz went public with the results of a weeks long audit by the cybersecurity firm Trail of Bits, which they hired. The results confirmed much of what the MIT report found, including numerous vulnerabilities. Key among those, was the potential for an adversary to potentially change votes within the app.
In May, the Cybersecurity and Infrastructure Security Agency, which resides within DHS, went on to send a stark and confidential report to all 50 states warning against online voting.
It said that online voting was “high risk” and that ballots could be ““could be manipulated at scale”, meaning that large numbers of them could be changed, according to a copy of the document obtained by the Wall Street Journal. Even with proper security measures in place to try and mitigate risk, the agency recommended paper ballot returns.
Senator Wyden, who criticized the use of Voatz in his state of Oregon, says that he takes cues from security experts and online voting just isn’t ready for prime time.
“Companies that take cybersecurity seriously won’t even enter this market, because they know that secure internet voting simply isn’t possible,” he told CoinDesk in an email.
“The nightmare scenario is that in a very close race, where the margin of victory is less than the number of overseas voters who email back their ballots, the outcome of the election could be changed by hackers. And without a paper trail, there would be no way to check the results and know who really won.”
Is blockchain an election technology?
Alex Berke, previously of Google, has long been interested in election security. The computer scientist, civic hacker, and technology architect is now a researcher at MIT Media Lab and was initially excited about the prospects of using blockchain to help ensure election integrity. With so much innovation within the blockchain space, including smart contracts and on-chain voting, she was interested in the potential opportunities.
“When you start getting a deeper understanding, you see that the cryptographers that have built the infrastructure and methods that make blockchain possible have already been working for decades on making voting systems possible,” Berke said. “These cryptographers, who are also voting experts, have put a lot of their time and effort into looking at what blockchain could add. And it's not much.”
To Berke, it's clear that if you're using a blockchain instead of a database or some other way of storing data, you’re doing is adding complexity. And with any complexity that doesn’t add security, you're introducing a vulnerability.
The problem isn’t necessarily blockchain – it’s the internet, software itself, and election officials, around it.
Jeremy Epstein, vice chairman of the Association for Computing Machinery's U.S. Technology Policy Committee, said that historically election officials have not been technologists. That’s starting to change as more IT managers start to get into elections and there is better training on technology he said. But there is still a long way to go. Look no further than the rollout of the disastrous app that sank the Iowa caucuses.
“This is one of the problems with organizations like Voatz and Democracy Live,” says Epstein. “They're selling to a customer who doesn't understand what they're buying. It's not that election officials aren't smart people. They are! But they're not technologists and these are highly technical products.”
And going back to a familiar refrain, experts argue systems such as these need to be opened up fully to vetting, and not just by one outside firm.
With its roller-coaster trajectory, Voatz shows both the promise and risk of large scale online voting. It’s up to voters, lawmakers, and elections officials to decide if it’s a risk they’re willing to take.