The for-profit company wants to make absentee voting easier for members of the military, people with disabilities, and older adults, but its biggest test included only 15,000 voters.
In a conference call on Thursday, Voatz responded to a MIT researcher’s critique of its voting app. In the call, Voatz vice president Hilary Braseth said that the company has run more than 50 elections since 2016, including nine targeted pilots in five states.
“These governmental pilots have all been declared successes by the jurisdictions,” she said, adding that some people who participated in the process said they hadn’t voted for decades.
Voatz combines a smartphone app, biometric verification, and hyperledger blockchain to make voting easy for people who can’t physically make it to the ballot box. The company wants to increase voter turnout among military men and women serving overseas, disabled people, and older voters.
SEE: Iowa caucus app fiasco: How it happened and lessons learned (free PDF) (TechRepublic)
One of Voatz’s biggest complaints was that the MIT researchers didn’t contact the company directly during the review of the system.
“I think it would have been a lot better had they collaborated with us instead of attacked us,” said senior vice president Larry Moore during the conference call.
Criticism of the Voatz app
The Voatz team said that the researchers used an old version of the app and unrealistic scenarios in the exercise. Nimit Sawhney, CEO and co-founder said that the side channel problem called out in the report was fixed months ago. He added that exploiting that kind of vulnerability is difficult because of the small number of voters and the distributed nature of absentee voters.
“They’re distributed around the world, (so) breaking into network routers, cell towers, isolating individual voters, breaking into their devices … it’s not realistic at all,” he said.
The company has a bug bounty program and has worked with independent third-party organizations to do source code reviews and security reviews, including:
- Unintended data leakage
- Attack on binary protections
- Local and remote injection attacks
- Unauthorized information disclosure attacks
- Application reverse engineering or decompilation
- Common authentication and authorization issues
Questions about scale and transparency
In its FAQ section, Voatz reports that 15,000 people voted in its biggest test. The MIT critique focused on a 600-vote test. Scale is important with any new voting system, even if the target population is a subset of all registered voters. The app and blockchain verification system will have to work with significantly more users than even this biggest test to serve even one of the target groups.
For example, as of 2017, Virginia had 115,280 active and reserve duty military members. In the 2016 election, 566,948 people voted absentee in that state. Even if only half of those military members voted in a state-wide election, that would be almost double the voters from Voatz’s biggest test. If a state is going to extend the electronic voting option to elderly voters and disabled people, that number would get even bigger.
The other problem is a lack of transparency. Voatz is a for-profit company, and for that reason, refuses to release its source code. In addition to the bug bounty, the company has a post-election audit process to verify that every ballot submitted using Voatz reflects the voter’s intent and that the count is accurate.
“These audits are critical to both involving the community in our innovation process, but also ensuring that every single ballot submitted on our system can be verified independently without compromising the voter’s anonymity,” Braseth said.
Even so, trust is critical for digital versions of analog systems to be widely accepted. Voatz is providing a crucial service for underserved groups of voters. However, it is also making money from the process. This will always raise suspicions among some voters. States also will have to take into account the additional cost of this form of absentee voting.
Another open question is the responsibility for testing these solutions. Vendors will have their own tests, but states should work with third-party evaluators to do their own security and load testing.
How the Voatz electronic voting system works
To verify a voter’s identity, the Voatz app uses a three-step process that uses the smartphone’s camera and its fingerprint recognition or facial recognition. To start the process, the voter:
- Scans a state driver’s license or passport
- Takes a live facial snapshot
- Touches the fingerprint reader on the smartphone to connect the voter’s device to the voter
Once the voter is authenticated, the app matches the voter’s “selfie” to the facial picture on their passport or driver’s license and confirms the voter’s eligibility to vote against the state’s voter registration database.
Next, election officials send a qualified voter a mobile ballot that contains “tokens”—potential votes—which are cryptographically tied to a candidate or ballot measure question. A voter receives the same number of tokens as the number of ovals he or she would have received on a paper ballot.
The voter then selects candidates or decides how to vote on a referendum. Next the votes are verified by multiple distributed servers. After verification, the token is subtracted from the voter’s ledger and added to the candidate’s ledger. The blockchain on every verifier is automatically updated, and the process repeats as additional voters submit their selections.
Voatz uses the Hyperledger blockchain framework. Unlike permissionless blockchain frameworks like Bitcoin, a voter or auditor must first be verified to use this type of blockchain.
The process also generates a paper ballot on election night for every mobile vote recorded on the blockchain. Voters also receive a digitally-signed receipt to make sure their votes were recorded properly.