The state of West Virginia is planning to allow overseas voting via smartphone in the 2018 election, and election security experts aren’t happy about it.
“Mobile voting is a horrific idea,” said Joe Hall, an election security expert at the Center for Democracy and Technology, in an interview with CNN.
The West Virginia project is being run by Voatz, a startup with $2 million in venture capital funding.
The state did a limited trial run of the technology in West Virginia’s primary election back in May. Military voters from two West Virginia counties were offered the option to vote via their smartphone instead of sending in an absentee ballot via mail, fax, or email. West Virginia’s secretary of state told CNN that the pilot worked well and that the system passed four audits of various parts of the system. So this November, the state is planning to offer the system more broadly to West Virginians deployed overseas.
Domestic voters in West Virginia would continue using more conventional systems.
The problem with smartphone voting
Over the last decade, there has been a growing consensus that a voter-verified paper trail is essential to making the voting process secure and fully auditable. Electronic voting machines can be hacked, and there’s no foolproof way to prevent or even detect attacks on voting machines. So experts argued that the paperless electronic voting machines many states adopted in the early 2000s posed a serious threat to the integrity of our election systems.
Internet voting—whether it’s conducted with a desktop PC or a smartphone—poses an even more severe version of the same problem. Whereas electronic voting machines are typically kept offline during elections, smartphones are online constantly. A voter has no way to tell whether his smartphone has been compromised, and a compromised phone would allow an attacker to silently tamper with the voter’s choices.
Advocates of online voting point out that people perform sensitive financial operations over the Internet all the time. But the difference is that financial networks keep records of all transactions that are available for inspection by both customers and banks. By contrast, our election system is based on the principle of the secret ballot, which rules out the kind of after-the-fact auditing that helps secure financial networks.
So how would the Voatz system prevent hacking, ensure auditability, and preserve voter privacy? The company’s website is thin on technical details, and it hasn’t responded to an interview request we sent earlier today. A five-page fact sheet distributed by Voatz at a conference of state election officials earlier this year claims that the company’s blockchain-based voting technology “is fundamentally different than touchscreen or online voting.”
Voatz claims that, by using blockchain technology, “an immutable, auditable record of every vote is automatically maintained while preserving voter anonymity.” But the paper skims over how, exactly, a blockchain accomplishes this ambitious goal.
“The blockchain is a ledger that runs on distributed servers,” the Voatz white paper says. “Election jurisdictions start the process by crediting each voter with secure tokens that have a one-to-one correspondence to the ovals that voter would have received on a paper ballot.”
“Once submitted, the vote is verified and confirmed by the distributed servers,” the paper adds. “Upon verification, the vote is debited (i.e. subtracted) from the voter’s ledger and credited (i.e. added) to the candidate’s ledger.”
Even if the cryptography itself is perfectly secure and anonymous, the problem is that the system is only as secure as each voter’s cryptographic credentials. And a hacker is likely to be able to steal the voter’s credentials by compromising either the voter’s smartphone or the server the state uses to distribute the credentials in the first place.
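A toy model of the debit/credit ledger quoted above, added here as an illustration and not Voatz's code or anything from its white paper; the HMAC credential, the hash chain and every name in it are assumptions. It shows that the ledger accepts whichever party presents the credential first, and that the integrity check over the stored records still passes afterwards.

```python
import hashlib
import hmac
import secrets


def sign(key, voter_id, candidate):
    """Tag a vote with the voter's credential (HMAC is an assumed stand-in)."""
    return hmac.new(key, f"{voter_id}|{candidate}".encode(), hashlib.sha256).digest()


class TokenLedger:
    def __init__(self):
        self.credentials = {}  # voter_id -> secret issued by the jurisdiction
        self.tokens = {}       # voter_id -> unspent tokens (one per ballot oval)
        self.tally = {}        # candidate -> credited tokens
        self.records = []      # accepted choices in order, without voter ids
        self.head = ""         # hash chain over records; audit() recomputes it

    def enroll(self, voter_id, ovals=1):
        self.credentials[voter_id] = secrets.token_bytes(32)
        self.tokens[voter_id] = ovals
        return self.credentials[voter_id]

    def submit(self, voter_id, candidate, tag):
        key = self.credentials.get(voter_id)
        if key is None or not hmac.compare_digest(tag, sign(key, voter_id, candidate)):
            return "rejected: bad credential"
        if self.tokens[voter_id] < 1:
            return "rejected: token already spent"
        self.tokens[voter_id] -= 1
        self.tally[candidate] = self.tally.get(candidate, 0) + 1
        self.records.append(candidate)
        self.head = hashlib.sha256((self.head + candidate).encode()).hexdigest()
        return "accepted"

    def audit(self):
        head = ""
        for candidate in self.records:
            head = hashlib.sha256((head + candidate).encode()).hexdigest()
        return head == self.head  # True: no stored record was altered


def demo():
    ledger = TokenLedger()
    key = ledger.enroll("voter-001")  # constructed voter id
    # Same credential, presented first by software on the phone, then by the voter.
    first = ledger.submit("voter-001", "B", sign(key, "voter-001", "B"))
    second = ledger.submit("voter-001", "A", sign(key, "voter-001", "A"))
    return first, second, ledger.tally, ledger.audit()
```

The audit only establishes that accepted records were not changed later; it says nothing about who held the credential when each record was created.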
And this is far from a theoretical problem. Back in 2010, a group of computer security researchers from the University of Michigan succeeded in hacking into a demonstration online voting system run by Washington, DC. Because the researchers were legitimate researchers, not a foreign intelligence agency, they merely reprogrammed the site to play the University of Michigan fight song. But if the system had been used for a genuine election, foreign governments might have been able to use the same vulnerabilities to silently tamper with election results.
It’s to their credit that DC election officials invited researchers to attack their system before using it for a real election. While West Virginia says its system has passed a series of audits, as far as we know the state has not invited the computer security community in general to attack the system and report vulnerabilities. And circumstantial evidence suggests that the system is likely to have vulnerabilities.