Casting votes over the internet—at least for anything more important than a Twitter poll—is not secure.
This is not a controversial position. In September 2018, the National Academies of Science, Engineering, and Medicine, alongside some of the foremost election and information security experts in the country slammed the idea, noting that despite whatever illusions of convenience it may provide, it opens the door to a wide range of security vulnerabilities. Their conclusion was simple: “secure Internet voting will likely not be feasible in the near future.” And just this summer, after more than two years of investigation, the Senate Intelligence Committee issued a report on Russia’s 2016 election interference operations, which included a warning to states to “resist pushes for online voting,” noting that nobody has proven that it can be done safely.
You wouldn’t know that if you listened to representatives from Voatz, an app-based company that claims it can securely administer online elections. The company’s product requires users to upload a government photo ID, and then uses a video selfie along with fingerprint and face scans to verify voters’ identity. The company says it then records the user’s vote on an immutable blockchain, a technology that creates records on a distributed system, making manipulation of the data virtually impossible. Voatz boasts its system stores votes “on multiple, geographically diverse verifying servers,” and claims that their systems have been regularly tested by simulated hackings and audited by independent third parties.
On Thursday, Sen. Ron Wyden (D-Ore.) called the company’s bluff, asking the Department of Defense and the National Security Agency to conduct a cybersecurity audit of the company. In a letter calling for the audit, Wyden says the company won’t release the results of its own security audits and won’t even identify whoever it hired to conduct them. “This level of secrecy hardly inspires confidence,” he writes, noting the DoD recently joined other federal agencies in issuing a statement affirming that Russia, China, Iran, and other “malicious actors” are actively working to attack US elections.
An NSA spokesperson confirmed the agency had received the letter, but declined to comment further. The Department of Defense also confirmed receipt, saying it would respond to Wyden.
In a statement posted to the company’s blog after Mother Jones asked for a response to Wyden’s letter, the company said that it had not been contacted by the senator’s office but welcomed “any and all additional security audits by the Department of Defense and NSA regarding our platform.”
While it did not respond directly to Wyden’s charge that its audit results and auditors remain private, the statement said the company is “committed to providing as much transparency as possible about our system, while at the same time needing to protect our intellectual property as one of the youngest election companies in the country.”
The company says it has run “54 successful elections (public and private),” and pilot programs in West Virginia, Oregon, and elsewhere—including a student council race—primarily helping voters who are overseas and in the military cast ballots. It says “attempts to tamper with the system were actively thwarted” during the 2018 West Virginia pilot, a reference to what was likely a group of election security students looking at the app’s vulnerabilities. It also notes that it participates in the HackerOne bug bounty program, which facilitates the reporting of vulnerabilities that the company allows outsiders to test.
The West Virginia officials say they were happy with the program but acknowledge lingering doubts about its security. Last year after the state’s pilot, a state official told the Washington Post in response to questions about Voatz’s vulnerabilities that while the test had gone smoothly and was “very successful,” the secretary of state “has never and will never advocate that this is a solution for mainstream voting.”
If it’s not good enough to use at home, how could it be safe enough to use abroad?