A leading U.S. Senate voice on cybersecurity issued a letter Thursday to the Defense Department asking the Pentagon to audit Voatz, the mobile-voting app that’s been used to collect ballots from deployed military members from a growing number of states since last year.
In a two-page letter addressed to Defense Secretary Mark Esper and Gen. Paul Nakasone, the head of the National Security Agency and U.S. Cyber Command, Sen. Ron Wyden, D-Ore., wrote that he is “very concerned” that Voatz’s developers have not sufficiently protected the app against threats of hacking from foreign adversaries.
Voatz, developed by a Massachusetts software firm specializing in blockchain encryption, was first used in public elections last year, when West Virginia conducted a pilot project offering the app to its residents on military deployments or otherwise living overseas. In total, 144 West Virginians used it to cast ballots in the 2018 general election. Since then, it has also been tested by the City of Denver; Utah County, Utah; and, most recently, a pair of counties in Wyden’s home state.
But the use of a mobile app to collect votes has been heavily criticized by election-security advocates who say no piece of software can match the reliability of a paper ballot, including the National Academies of Sciences, Engineering, and Medicine, which argued in a paper last year for a moratorium on internet-based voting. And a July report by the Senate Intelligence Committee — of which Wyden is a member — into foreign attempts to hack U.S. voting systems warned that “states should resist pushes for online voting.”
Voatz’s defenders, meanwhile, have said its use has led to increased participation by deployed military voters, a group that typically shows one of the lowest turnout rates. Voting by U.S. citizens residing outside the country is governed by the Uniformed and Overseas Citizens Absentee Voting Act, a 1986 law that facilitates access to ballots that can can be mailed back. In his letter, Wyden was sympathetic toward the goal of increasing participation, but expressed his worries about using online ballots to boost voter participation.
“Congress has taken a number of steps over the years to make it easier for deployed service members to vote, such as providing greater access to secure paper ballots,” he wrote. “I support these efforts, as well as others, but I am also very concerned about the significant security risks associated with voting over the internet, including through the use of smartphone-based apps like Voatz.”
Wyden also wrote that he is requesting the Pentagon look under Voatz’s hood because the company has not been forthright in explaining why its technology should be entrusted with the levers of democracy. Voatz has defended its software as secure, pointing to multiple layers of biometric identification, including facial recognition and fingerprint scanning, before showing users their ballots. The company also says its app registers completed ballots to a “permissioned” blockchain, accessible only by the relevant election offices, which can then print out and count the digital ballots with other votes.
The company also says it has had outside experts test its software for vulnerabilities, but aside from its participation in cybersecurity firm HackerOne’s bug-bounty program, it has been coy about revealing details of those tests.
“While Voatz claims to have hired independent experts to audit the company, its servers and its app, it has yet to publish or release the results of those audits or any other cybersecurity assessments,” Wyden wrote. “In fact, Voatz won’t even identify its auditors. This level of secrecy hardly inspires confidence.”
Individual use cases of the Voatz app have been scrutinized more openly, however. West Virginia subjected the 144 ballots it collected off Voatz last year to four independent audits, while Utah County conducted a public audit — in which local officials and outside cybersecurity experts examined individual “payloads” in the Voatz blockchain — following a September primary election.
Still, questions about Voatz’s security linger, especially in the wake of reports last month that unauthorized users — likely student researchers at the University of Michigan — were detected attempting penetrate the app’s collection of West Virginia ballots in 2018, though that activity was deterred.
In a statement late Friday, Voatz said that while it has not heard from Wyden directly, it would “welcome any and all additional security audits” by the Pentagon or NSA.
“We remain committed to providing as much transparency as possible about our system while at the same time needing to protect our intellectual property as one of the youngest election companies in the country,” the statement read.
The company also said its technology meets blockchain standards set by the National Cybersecurity Center, a nonprofit organization that has audited some of the elections conducted using Voatz, and encryption standards issued by the National Institute of Standards and Technology.