While billed as a convenient and easy way to cast a ballot, voting online or via telephone is not without its share of legitimate concerns among voters and experts alike. This year the Town is using the services of “Voatz”, a US company that has come under heavy scrutiny in the past for flaws and lack of transparency.
Voatz, Inc. was founded in 2016 and is headquartered in Boston, Massachusetts. The company’s stated mission is to “make voting not only more accessible and secure, but also more transparent, auditable and accountable”. The company’s big claim is that it uses “blockchain technology” as part of its model.
Voatz has a Canadian presence via Voatz Canada, Inc. However, to call it an “office” would be an overstatement, as it is simply a residential house in a North Bay cul-de-sac.
Their official website can be found by visiting this link.
2018 – Researchers Find Gaps, Express Concerns Over Voatz
A 2018 piece from the online news portal “TechCrunch” shows a lack of confidence in electronic voting and in particular, Voatz. The article pointed to an interesting Twitter thread by an independent security researcher who found a laundry list of security issues. It is worth a click to read all his comments.
The TechCrunch article hit the nail on the head with this quote:
“Voatz were approaching the wrong problem in the wrong way from the start. Even if your blockchain repository is verifiably write-once, which it isn’t, it only records the data sent to it via your app and servers. Voting cannot rely on apps and servers, no matter how allegedly secure they are claimed to be. It’s nice that you generate paper ballots for a post-election audit, but since we should not and cannot ever trust voting servers and software, and therefore will need to do a post-election paper ballot count every time — how about we skip the man-in-the-middle, and all of your software, and go straight to that part?”
2020 – MIT vs. Voatz – Researchers Find More Flaws & Express Concerns
In February 2020, MIT researchers released a scathing media release on Voatz, identifying significant issues with their voting application. While the technicalities of their findings might appear as gibberish to the average reader, their overall statements speak to the seriousness of their concerns:
“The consensus of security experts is that running a secure election over the internet is not possible today,” adds Koppel. “The reasoning is that weaknesses anywhere in a large chain can give an adversary undue influence over an election, and today’s software is shaky enough that the existence of unknown exploitable flaws is too great a risk to take.”
“In the case of Voatz,” he adds, “it looks like there were many good intentions here, but the result lacks key features that would protect a voter and protect the integrity of elections.”
Needless to say, Voatz was not happy about MIT’s paper and fired back with their own whitepaper that attempted to debunk the findings. With venture capital funding at risk, it was probably in their best pecuniary interest to attempt to minimize the MIT findings.
An audit by the firm “Trail of Bits”, which was hired by Voatz and Tusk Philanthropies (remember this name for later), not only confirmed MIT’s claims but also found numerous other issues and gaps. Of the 79 identified, 1/3 were classified as “high severity”.
The Voatz whitepaper did not shake MIT. Other renowned MIT researchers published a holistic review of “blockchain voting”. In “Going from bad to worse: from Internet voting to blockchain voting” the researchers examined blockchain technology in general and made the following comment in regard to Voatz:
“Recent research shows that Voatz suffers from serious security vulnerabilities enabling attackers to monitor votes being cast and to change or block ballots at large scale, unnoticed by voters and election officials.”
September 2020 – Voatz Files With The US Supreme Court
It appears that having independent security eyes on their platform did not sit well with Voatz, to the point that they filed an amicus curiae, a.k.a. “friend of the court”, brief to let the US Supreme Court know their views on an unrelated case before the Justices.
Voatz in their brief repeatedly pointed out that independent good-faith security research is a threat to cybersecurity. They said that such research should only be conducted with the appropriate authorization. In other words, if you want to look at our systems, you do it on our terms and under our watch.
2021 – Tusk Philanthropies Moves Away From Voatz
Above, we asked you to remember the name “Tusk Philanthropies” and that request was for a very good reason. The institution has invested millions of dollars in companies and technologies to improve accessibility to the vote. Tusk Philanthropies had funded the use of Voatz in elections in West Virginia, and individual counties in Colorado, Utah, Oregon and Washington state.
In September 2021, Bradley Tusk announced a $10 million (USD) grant program “to fund the development of a new internet-based voting system that he says will aim to win over security skeptics”, according to NPR.
The NPR article further goes on to state that Tusk:
“… has already bankrolled a number of small-scale mobile-phone voting pilot projects across the U.S. over the past few years, in which voters with disabilities and Americans living abroad from a select few districts have been able to return their ballots digitally.
However, the vendors that conducted those pilots have faced heavy scrutiny for security flaws in their systems as well as for a general lack of transparency around their software, as the source code for the underlying technology has remained private.”
In another article on the program from the website StateScoop, Tusk speaks about the Voatz-based elections that he funded:
“There clearly were concerns around,” he said. “For elections with 1,000 voters, Voatz was fine. But I want to be able to handle hundreds of thousands of votes, or millions of votes.”
Moving away from Voatz says a great deal.
Instead of developing further with Voatz and addressing a scaling issue, the philanthropist embraced the organization “Open Source Election Technology Institute” (OSET) and the Danish firm “Assembly Voting”. OSET was heavily critical of Tusk’s previous initiatives including Voatz, so their concerns must have resonated with him.
Speaking about the $10 million program, a spokesperson for OSET stated:
“The technical challenges to verifiable, accurate, and as-secure-as-possible remote voting are huge, but need to be solved. This project presents the type of research and development our nonprofit is funded to address…”
In other words, there is simply a lot of work left to be done to ensure electronic voting is as secure and reliable as the old paper ballot.
Technical Factors vs. Human Factors
While much emphasis is put on securing electronic voting against technological threats, the human element must be addressed equally, if not more.
For electronic voting to be as secure as possible, companies that operate electronic voting platforms have to have rigid internal policies on their employees, including security checks, resistance to “social engineering” and processes that prevent unlawful interference or alteration of the vote record by company employees. There seems to be little documentation in this regard.
Electronic voting also presents the problem that there is no way to validate that an internet/telephone vote is being cast by the named elector. You can have a situation where a head of a household commandeers the voter information letters of all those in the house and, knowing the personal information of those family members, simply casts all those ballots as they see fit. Those kinds of hijinks cannot occur with the paper ballot at a polling station.
Is Internet/Telephone Voting A Concern For You?
In most regards, there is probably no issue with you casting a ballot by internet or telephone in this municipal election. However, every vote that comes in electronically validates that people are complacent with a system that is at present inherently flawed. It is great that these systems increase accessibility to the ballot, but much work remains to be done on them before they are equal to paper ballots.
For this author and many, the paper ballot is still the gold standard and will be for some time to come. It may be a little more inconvenient, but it is a much simpler and more accountable process open to scrutiny, unlike the “black box” of a US company that has a history of flaws and will not allow independent and open scrutiny of the complete source code of their voting platform.
See you at the polls!