Mobile voting has arrived.
By Maksim M/Shutterstock.
Almost a year ago, the Department of Homeland Security alerted roughly half of all U.S. states that their election systems had been the targets of hackers linked to Russia. Jeanette Manfra, the head of cybersecurity at the Department of Homeland Security, later confirmed the attacks. “We saw a targeting of 21 states and an exceptionally small number of them were actually successfully penetrated,” she told NBC News in February. Even worse, experts have warned that Russia’s attempts at meddling did not end in 2016. “They’re still very active—in making preparations, at least—to influence public opinion again,” Feike Hacquebord, a security researcher at Trend Micro, told the Associated Press in January. The Trump administration, meanwhile, is doing painfully little to prevent future attacks. The president’s repeated denials of Russian meddling is another form of malign neglect. With less than three months to go until Americans return to the polls en masse, the United States remains deeply vulnerable to any hackers who might like to cast a vote of their own.
Enter Voatz. With a name reminiscent of a plot device in Idiocracy, Voatz is a mobile election-voting-software start-up that wants to let you vote from your phone. In the upcoming midterm elections, West Virginians serving overseas will be the first in the U.S. to be able to vote via a smartphone app using Voatz technology, CNN reported Monday. The Boston-based company raised $2.2 million earlier this year, helped along by buzzwords such as “biometrics” and “blockchain,” which it claims allows it to secure the voting process. Its app reportedly requires voters to take and upload a picture of their government-issued I.D., along with a selfie-style video of their face, which facial-recognition technology then uses to ensure the person pictured in the I.D. and the person entering a vote are the same. The ballots are anonymized and recorded on the blockchain.
Security experts, to put it mildly, are not impressed. On Monday, security architect Kevin Beaumont tweeted a thread deftly critiquing the app for its flaws, including an out-of-date data encryption and authentication service. “This is going to backfire,” he warned. “The United States needs some form of vetting process for online voting in elections.” Software developer Buzz Andersen piled on, tweeting, “Oh cool, the Theranos of voting!”
Joseph Lorenzo Hall, the chief technologist at the Center for Democracy & Technology, called Voatz a “horrifically bad idea,” not least due to the potential for votes to become de-anonymized in the future. “Imagine if you’re a uniformed military serviceman stationed abroad, excited to be able to cast a ballot in, say, the West Virginia primary, where they plan on using a remote blockchain voting system . . . then imagine that in 20 years, the entire contents of your ballot are decryptable and publicly available,” he said. “It’s not something we should throw to the V.C. wolves or allow bleeding-edge technologies to mess with, without serious and deep inquiry and interrogation.” The potential for a security breach, Verified Voting president Marian Schneider told CNN, also stretches beyond Voatz’s technology, to the unsecured computers and mobile devices of everyday Americans. And reliance on an electronic format, in place of a traditional paper trail, means “undetectable changes . . . could occur in transit.”
Nor does the company’s use of “blockchain technology” mean its database is foolproof—in fact, bitcoin skeptic David Gerard told me, the term barely applies to Voatz at all. “The word ‘blockchain’ these days literally just means ‘whatever I’m trying to sell you,’” he said. “I see so many things that use the buzzword, and have the high-flying blockchain promises that sound amazing . . . and they’re just using it as a ledger, which is what Voatz appear to be doing.” He went on, “The append-only ledger is a useful idea! But it’s . . . not new at all. So the Voatz solution doesn’t have any ‘blockchain’ magic. But the West Virginia politicians seem to think it does, and that’s worrying.” Even if the company’s blockchain technology was being used to do something other than tally voters, it wouldn’t necessarily portend a seamless process. The only attempt to vote on the blockchain, Gerard told me, occurred in 2015, when the Bitcoin Foundation tried to orchestrate a vote. It went so poorly that the organization was forced to cancel and try again.
Voatz pushed back against those characterizations. “Most of the comments in the thread are incorrect or misrepresentations,” a spokesperson said, calling the criticism “false propaganda.” Voatz’s Web site is “tested daily,” the spokesperson assured me, pointing to a sample of Voatz’s security tests. “The author of the post used some old images from a two-plus-year-old test site to spread false rumors claiming that our site is poor on security.” In his thread, Beaumont pointed out that one of Voatz’s former employees, who worked for the company in 2015, had previously worked in Russia, which he later said was an attempt to underscore the poor optics of hiring Russians given the “climate of U.S. election security.” Voatz called this a misrepresentation. “He’s trying to scandalize and chastise a Harvard student from a certain part of the world who interned with us in 2015,” the spokesperson said. “We are sad to see such a negative public discourse.” (Beaumont did not respond to a request for comment.)
To be fair, West Virginia isn’t opening up mobile voting to all voters, at least for now—Voatz will only be available to military members serving abroad. But it is testing the product in a live election. Should those votes be compromised, or should the app glitch, it would have a nonzero impact on overseas voters. Furthermore, other, similar companies are testing their own versions of blockchain-backed mobile voting, including Votem, and London-based Smartmatic. These companies argue that their systems could help increase voter turnout. But an atmosphere in which the “warning lights are blinking red” seems a less than ideal testing ground.