MIT Study: Mobile Voting App Used In W.Va. Pilot Susceptible To Hacks That Could Change Votes

Updated Thursday, Feb. 13, 2020 at 4:05 p.m.

A mobile voting application used in West Virginia’s 2018 election cycle is susceptible to various vulnerabilities, according to a study released Thursday by researchers at the Massachusetts Institute of Technology. But the company behind the technology is disputing the findings and recommendations of the study.

A security analysis of the application Voatz shows a number of weaknesses, including the opportunity for hackers to change how a person has voted. Researchers also found that the application’s use of a third-party vendor for voter identification and verification poses potential privacy issues. 

“[O]ur analysis has shown that this application is not secure. A passive network adversary can discover a user’s vote, and an active one can disrupt transmission in response. An attacker that controls a user’s device also controls their vote, easily brushing aside the app’s built-in countermeasures,” the paper’s conclusion reads. “And our analysis of the protocol shows that one who controls the server likely has full power to observe, alter, and add votes as they please.”

The company, however, disputes the findings of the MIT analysis. Voatz said the researchers were presenting “bad faith recommendations” by testing an old version of the application that was not used in any real elections.

“Voatz has worked for nearly five years to develop a resilient ballot marking system, a system built to respond to unanticipated threats and to distribute updates worldwide with short notice,” the company said in a statement posted online Thursday. “It incorporates solutions from other industries to address issues around security, identity, accessibility, and auditability.”

The MIT analysis comes amid a growing debate over how to balance attempts to increase voter turnout with security concerns. Groups like Tusk Philanthropies have advocated for a rollout of mobile voting technologies like Voatz by funding pilots for elections in various states and municipalities.

That includes West Virginia.

In 2018, the Secretary of State’s office implemented a mobile voting pilot program for overseas military absentee voters. Tusk Philanthropies footed the bill for counties who took part in the pilot.

For the general election, 144 voters from 21 counties made use of the Voatz app to cast a ballot. State officials have said paper ballot audits on Election Day 2018 show that votes cast using the application were accurate as intended by the voter. 

Michael Specter and James Koppel — two graduate students from MIT’s Department of Electrical Engineering and Computer Science — conducted the security analysis of Voatz under the guidance of Daniel Weitzner, a principal research scientist at MIT’s Computer Science and Artificial Intelligence Lab.

The study’s authors echo other election security experts who have cautioned against using internet-facing technologies to cast ballots.

“The consensus of security experts is that running a secure election over the internet is not possible today,” Koppel said in a news release accompanying the release of the paper. “The reasoning is that weaknesses anywhere in a large chain can give an adversary undue influence over an election, and today’s software is shaky enough that the existence of unknown exploitable flaws is too great a risk to take.”

But places like West Virginia have already taken that risk — at least to some degree.  

Research published last year by the University of Chicago — funded by Tusk Philanthropies — touted West Virginia’s mobile voting pilot using Voatz as a success and said it increased voter turnout for the population affected. However, the paper also noted heavy concerns over security with electronic and internet-facing voting technologies.

An audit of Voatz, declassified this week by the U.S. Department of Homeland Security’s Hunt and Incident Response Team (HIRT), showed there were no threats detected — but the app showed some room for improvement.

“During the one-week on-site engagement and subsequent remote analysis on the data collected, HIRT analysts did not detect threat actor behaviors or artifacts of past activities on the in-scope portions of the Voatz networks. HIRT identified some areas where defense-in-depth protections and configurations could be improved to help Voatz’s IT security personnel defend their enterprise network,” the conclusion of the DHS audit reads. 

However, opportunities for more rollouts of applications like Voatz could still be on the way in West Virginia. 

Gov. Jim Justice recently signed a bill that would allow people with disabilities to vote electronically, although the use of a mobile voting application like Voatz was not specified in the bill.

Donald “Deak” Kersey, who serves as general counsel for West Virginia’s Secretary of State’s office, said elections officials have not yet made a decision on whether or not to use Voatz as part of complying with the state’s new law. 

“As technology advances to provide additional security and accessibility for the voters, the state’s due diligence process regarding technology options and vendors also continues,” Kersey said in an email. “It is our goal to maintain the integrity of our elections and voters’ confidence in the results, while finding the most secure method available that allows every voter the opportunity to vote regardless of their physical disability or geographic location.”

Kersey said the Secretary of State’s office will decide by March 1 on what technology will be used for the upcoming primary election. 

West Virginia’s primary election is May 12. 

New Study Says West Virginia’s Mobile Voting Pilot Increased Turnout, Notes Security Concerns

West Virginia made waves in 2018 when it became the first state in the country to allow some residents to vote using a mobile phone app. 

A new study released last month by the University of Chicago finds West Virginia’s mobile voting pilot program increased voter turnout by three to five percentage points. 

The research was funded by Tusk Philanthropies, an organization that advocates for mobile voting. The group also paid for West Virginia counties to offer the mobile voting option in the 2018 pilot program.

“What I found is that having mobile voting available as an option increased the number of overseas voters who requested ballots by six to nine percentage points,” said study author Anthony Fowler of the University of Chicago’s Harris School of Public Policy. 

Evaluating West Virginia’s Mobile Voting Pilot

The research compared voter turnout for uniformed overseas absentee voters in 24 counties that offered the mobile voting option with those who did not have that available.

In the 2018 primary, West Virginia offered a mobile voting option for uniformed overseas absentee voters from Harrison and Monongalia counties. For the general election, the option was offered to all 55 counties, but only 24 signed on. According to the Secretary of State’s office, 144 voters from 21 counties ultimately cast a ballot in the 2018 general election using mobile voting. 

“It appeared to increase voter turnout by about three to five percentage points,” Fowler said. “So it looks like mobile voting did, in fact, increase participation for those eligible overseas voters.”

But Fowler also noted in the same study that serious concerns over mobile voting do exist. He surveyed voters to measure their level of confidence in various voting methods. 

According to the study, voters are wary of online voting — including casting a ballot on a mobile device. Of all voting methods, those surveyed said they had the least confidence in online ballots being counted correctly. 

West Virginia’s pilot — which was the first to employ mobile voting in a federal election — allowed some overseas military voters to use an app called Voatz to cast a ballot.

Secretary of State Mac Warner has heralded the pilot as a success, but elections and cyber security experts say they have concerns over the integrity of any kind of internet-facing election system — especially after Russian meddling in the 2016 election. 

Mobile Voting Security Concerns

Designed by the Boston-based company Voatz, the mobile voting app uses blockchain technology and biometric face scans as security features.

Despite the accessibility and security offered, election security experts have warned that any system that connects to the internet has the potential to be hacked. At the same time, the Secretary of State’s office and other advocates for mobile voting say the option is safer than fax or email — the only other electronic options made available for uniformed overseas absentee voters.

Voatz has come under scrutiny for not allowing computer and elections experts a chance to evaluate the platform as other election systems have been evaluated.

In a paper published in May by the University of South Carolina, technology and elections experts took issue with various aspects of the Voatz platform arguing, in part, that the company hasn’t yet released information from security audits to the public. 

“While much of this secrecy might be understandable for an ordinary business product and service, it should not be acceptable in a public voting system whose details should be transparent to voters, candidates, and the public at large,” the paper states.

Tusk Philanthropies: Funding Mobile Voting Rollouts, Research

Fowler’s study was supported by Tusk Philanthropies, an organization that advocates for mobile voting options. The organization has a section of its website dedicated to mobile voting and argues that dismal voter turnout leads to the electorate not being properly represented in various levels of government. 

“[N]early 80% of U.S. adults already carry another way to vote in their pockets: their phone. Blockchain makes mobile voting safer than paper ballots and if we gave people another way to participate in elections without having to find a polling place, wait in line, and deal with all of the hassles of the current system, turnout will increase exponentially,” Tusk’s website states.

The organization, led by businessman and venture capitalist Bradley Tusk, also footed the bill for West Virginia counties who wanted to take part in the 2018 mobile voting pilot. According to Tusk Philanthropies President Sheila Nix, the organization spent $150,000 for West Virginia counties to offer the mobile voting option for the pilot program. 

Despite this relationship and Tusk’s advocacy on the subject, Fowler argues Tusk’s grant to the university did not influence his research.

“If you read the paper, you’ll see that I do not explicitly advocate for mobile voting. I point out some benefits of mobile voting and I also point out some concerns about mobile voting in my paper,” he said. “As a researcher, I’m committed to reporting honestly the results of my analysis — whatever I find.”

Representatives of Tusk also say the research aspect goes hand in hand with their mission to boost voter turnout by testing mobile voting.

“On the one hand, we are funding pilots to test the blockchain technology,” Nix said about Tusk’s involvement on the issue. “We’re also doing academic research to see the effect on voter turnout. I don’t find anything problematic about it.”

The Future of Mobile Voting in West Virginia and Elsewhere

As security audits on the Voatz app continue, Warner and his staff have deemed the mobile voting pilot a success. General Counsel Donald Kersey says the pilot served its purpose in making it easier for uniformed overseas absentee voters to cast a ballot.

“Ignoring the research paper itself, we already deemed the pilot a success because we did our audits. We did audits, we had security assessments done on the back end to look at the system itself — not the votes themselves, but the technology and the security on the back end,” Kersey said. “And we have the audits and reports from that. We also have testimony from people that use the system who said, ‘I would not have been able to vote had it not been for this application.’ That’s why we’re offering it.”

Kersey also said the U.S. Department of Homeland Security will conduct an audit on the Voatz app. He said those findings will be released to the public but with redactions of sensitive information related to any vulnerabilities found.

As it stands now, the only voters able to make use of the option are uniformed overseas absentee voters. The West Virginia Legislature would need to take action in order for mobile voting to be used by a wider population.

Tusk Philanthropies and Voatz say they are moving forward and continuing to run pilot programs in various elections around the United States.

The city of Denver held a municipal election this year and offered its own mobile voting pilot to uniformed overseas absentee voters. Provo, Utah is also deploying its own pilot for the same population in its own municipal election in 2019. 
