W. Virginia's Decision to Allow Smartphone Voting for Midterms Raises Serious Security Concerns
By PAULA BOLYARD SEPTEMBER 25, 2018
For the first time in our nation's history, voters in 24
counties in W. Virginia will be able to vote using their mobile phones. While
some are hailing the decision because it will make voting easier for members of
the military deployed overseas, experts are warning of possible security
breaches.
"After researching previously available options, the
Secretary’s team identified that most electronic ballot delivery technology
required access to a desktop computer, printer and scanner, all of which
present significant barriers to overseas voters, especially those in combat zones
or engaged in covert operations," the W. Virginia Secretary of State's
office explained in a press release this week. The state is partnering with a
Boston, Massachusetts-based company called Voatz, Inc.
"Voatz has developed a secure mobile voting
application that allows voters to receive, vote, and return their ballots
electronically," the press release claims. "The application also
utilizes blockchain technology to store electronically submitted ballots until
election night, and requires a heightened standard of identity verification for
users than traditional absentee ballot processes. This project is unprecedented
in United States history, being the first mobile voting application and first
use of blockchain technology in a federal election."
During the state's primary election in May, a pilot was
conducted in two W. Virginia counties with voters in six different countries
utilizing the technology. "Post-election security audits by several independent
and widely respected technology auditing companies showed that the technology
provided a secure platform for voting and an alternative to the traditional
absentee paper ballot," the Secretary of State's office declared.
"Voatz’s app, which also utilizes biometric facial recognition software
and thumbprint safeguards to ensure the identity of the voter, increased the
confidence of the auditors. In short, the nation’s first mobile voting app test
pilot was a success."
In order to use the mobile technology, users register
with Voatz by taking a picture of their government ID and also a selfie video
of their face. Voatz then uses facial recognition software that (they claim)
can verify the voter's identity. Once approved, voters can cast their ballots
using Voatz's app. After the vote is cast it is added to the blockchain, a
digital ledger of sorts, popularized by digital currencies such as Bitcoin.
"Because blockchain is a distributed ledger of
transactions, military mobile votes become immutable and tamper-proof once
recorded," says Voatz.
The state of W. Virginia admits that there are
"substantial" security concerns, but explained that Voatz will be
utilizing "federal standards for software development, regular maintenance
and security upgrades, in-depth penetration testing, source code auditing and
audits of the system’s cloud infrastructure. After surpassing those
requirements, the pilot moved forward."
Federal standards? That alone should raise red flags.
A report from Thales eSecurity points out that 71 percent
of federal agencies have experienced data breaches. Their 2018 "Data
Threat Report" concluded that "federal agencies are experiencing a
'perfect storm' around data that is putting agency secrets, and the
private data of over 330 million citizens, at risk."
Research Principal Analyst Garrett Bekker posited that
"the U.S. federal sector has experienced a higher rate of breaches in the
past year than any other sector."
A Heritage Foundation report on 2017 federal cyber
breaches concluded, "In fiscal year 2016, government agencies reported
30,899 information-security incidents, 16 of which met the threshold of being a
major incident." The report includes an extensive list of breaches.
A report at Spiegel Online last month warned of a wide
variety of security concerns with mobile voting:
To start with, the infrastructure that Voatz uses cannot
be secured -- i.e., the voters' smartphones and the networks used to transfer the
data.
Voatz is also sketchy on details relating to its use of
blockchain technology, making it unclear whether it offers a specific advantage
over standard databases. "With all the servers in the custody of the
vendor, a dishonest vendor could do anything they want to the results,"
warned Marian K. Schneider, president of the U.S. advocacy group Verified
Voting.
Voatz says it has commissioned third-party firms for
extensive security audits. But information about these security firms on
Voatz's website has been repeatedly revised in recent days, apparently in
response to queries from the media.
There are no indications that a technical inspection by
state authorities took place either. Voatz, at the very least, has made no
claims to that effect. If that didn't happen, it would mean that the public
authorities aren't even aware of what, exactly, is behind Voatz's technology.
Internal Voatz code has popped up in at least two places
on the platform GitHub, a mass database where code is uploaded and widely shared.
The company claims it was test code unrelated to the real system. But details
in the code raise concerns that Voatz doesn't always attach the utmost
importance to common security practices.
It's important to remember that in April the Department
of Homeland Security announced that Russian hackers had targeted all 50 states
during the 2016 election cycle.
Assistant Secretary Jeanette Manfra told lawmakers at the
time, "Two years ago the Russian government launched a brazen,
multi-faceted influence campaign aimed at undermining public faith in our
democratic process, generally and our election specifically." She added,
"That campaign involved cyber espionage, public disclosure of stolen data,
cyber intrusions at the state and local voter registration systems, online
propaganda, and more. We cannot let it happen again."
Director of National Intelligence Dan Coats also warned
that “the warning lights are blinking red” with respect to Russian interference
in U.S. elections.
West Virginia has seemingly ignored those warnings,
launching headlong into mobile voting with a barely tested technology. While
everyone agrees that we want to make it as easy as possible for military voters
to participate in elections, those needs must be weighed against security concerns.
In reality, the men and women serving in our armed forces are being used as
guinea pigs for an experimental technology that could conceivably be vulnerable
to hackers and others determined to disrupt our election processes. While paper
ballots are cumbersome and the vote totals are often delayed, they've been
proven over and over again to be the most secure way to cast a ballot.
Paper ballots are “absolutely the safest way” to
vote, Richard DeMillo, a cybersecurity professor at the Georgia Institute of
Technology in Atlanta, told Bloomberg. “All this fancy stuff—you are talking to
a computer scientist, and it breaks my heart to say this—but it just drives up
the cost and doesn’t add anything.”
The National Academies of Sciences, Engineering, and Medicine
warned in a 2018 report that election administrators should work toward using
“human-readable paper ballots” for the 2020 presidential race and should
make "every effort" to use them for this year's elections.
“The issues highlighted in 2016 add urgency to a careful
reexamination of the conduct of elections in the United States and demonstrate
a need to carefully consider tradeoffs with respect to access and
cybersecurity,” the report explained.
The researchers further warned that ballots that have
been marked by voters “should not be returned over the Internet or any network
connected to it, because no current technology can guarantee their secrecy,
security, and verifiability.”