Voatz, the publisher of a mobile app that’s been used in several controversial pilot projects, needs to address its vulnerabilities before it can regain the confidence of election officials, according to a foundation that’s been working with state and local governments to allow some voters to cast ballots over mobile phones.
“Voatz needs to address some of the concerns,” said Sheila Nix, the president of Tusk Philanthropies, which has been working with a handful of state and local election administrators since 2018 to allow military and overseas voters to send ballots back home with their handheld devices.
A lengthy audit published March 13 by security firm Trail of Bits revealed that Voatz’s app contained 16 “severe” technical vulnerabilities, including the exposure of sensitive user data and improper use of cryptographic algorithms. That review had been sanctioned by the company itself as well as Tusk Philanthropies, which had funded the use of Voatz in elections in the state of West Virginia, and individual counties in Colorado, Utah, Oregon and Washington state.
The Trail of Bits report also confirmed many findings made weeks earlier by researchers at the Massachusetts Institute of Technology, who used a “reverse-engineered” mock-up of Voatz’s system. Yet while Voatz called the Trail of Bits audit an “important milestone as part of our ongoing efforts to chart a new, forward approach to transparency in our elections infrastructure,” Nix said the company hasn’t yet shown how it will proceed.
But Voatz has already lost some of the governments that it first partnered with, including West Virginia, which collected 144 ballots from military and overseas voters in the 2018 general election. Shortly after the publication of the MIT audit, Secretary of State Mac Warner, who previously championed Voatz’s use of blockchain encryption, said the state this year would offer its overseas and physically disabled voters a mobile-voting product from Democracy Live, which uses a browser-based web portal through which users can mark and submit ballots, or print them out and return them via physical mail. (The digitally transmitted ballots are also printed out when they arrive at county election offices, according to the company.) Once again, West Virginia’s mobile-voting initiative in the state’s June 9 primary is being paid for by Tusk Philanthropies.
In addition to its web portal, which is hosted in a secure Amazon Web Services cloud, Democracy Live, founded in 2007, had an existing track record in facilitating ballot access for military and overseas voters, the majority of whom return their ballots via physical mail, email or fax.
“People are more familiar with them, and I think they’ve gotten accredited with different products over the years,” Nix said.
‘It needs to be assessed’
Voatz, founded in 2016, sold itself on the basis of a trendy technology — blockchain — that it claimed had “military-grade” encryption, but the company long delayed submitting itself to third-party scrutiny. Meanwhile, the Tusk-backed pilot projects sparked constant criticism from cybersecurity and election-security experts who claimed internet-based voting was inherently vulnerable and untrustworthy.
Nix conceded in a phone interview that Voatz can afford to be a bit more open about its platform.
“It needs to be assessed,” she said. “It’s complex and very new, and in this space you need to err on the side of transparency.”
Voatz’s reputation took another hit last week when it became the first organization to be kicked out of ethical-hacking firm HackerOne’s bug-bounty program after being accused of hostile interactions with security researchers. “We partner with organizations that prioritize acting in good faith towards the security researcher community and providing adequate access to researchers for testing,” a HackerOne spokesperson told CyberScoop.
Nix said she has not discussed HackerOne’s decision with Voatz, but did say that she thinks Voatz needs to evaluate its next steps.
“After the Trail of Bits piece, from Tusk’s point of view, they need to figure this out on their own,” she said. “Their strategy for going forward is their strategy.”
In a statement to StateScoop, Voatz chief executive officer Nimit Sawhney said his company has been welcoming of outside scrutiny.
“As far as we’re aware from information available in the public domain, no other mobile voting vendor has opened up its technology to third-party audits as much as Voatz,” he said. “In our commitment to transparency, we’ve made our audits public and continue to do so as we complete future audits. We are working hard to set the highest standards of transparency in the election industry.”
Sawhney also said his company is subjecting itself to “frequent, ongoing audits by independent third parties,” the results of which will be released “in the coming months,” though he did not specify what organizations are conducting those reviews.
Prior to the MIT and Trail of Bits report, each election carried out with Voatz had undergone multiple audits, none of which have found any irregularities with ballots cast via the app, a fact Nix, the mobile-voting proponent, reiterated.
“There were no problems with an actual election,” she said. “It’s just there’s some potential vulnerabilities identified, and Tusk and the election directors out there would like to see answers. And once Voatz puts out a report on how they’ve addressed things, maybe election officials will be open to considering their technology again.”