In May, West Virginia ran a limited pilot programme using Voatz’ “blockchain” voting system, which I wrote about in June — it’s actually a mobile phone voting system, with a blockchain tacked on the side. This was for military people who were eligible to vote in Harrison and Monongalia Counties, but were stationed overseas.
West Virginia were sufficiently impressed to use the Voatz system again, for this November’s mid-term elections. This was reported on local WVNews sites at the end of July, but exploded when CNN reported it yesterday.
And my June post took off again, my Twitter mentions melted, and I was quoted in a Vanity Fair article today on the kerfuffle. So what’s going on here?
Why would you run a mobile phone vote?
Mobile phone voting sounds like an obviously terrible idea in all sorts of ways. But they need to solve a genuine problem:
“Think of a soldier on a hillside in Afghanistan or a sailor under the polar ice caps. They don’t have access to U.S. mail. Sometimes they’re in a classified area such as a nuclear sub or simply don’t have access to scanners, fax machines and that sort of thing. They do have access to the internet, mobile devices. It’s a tremendous solution to a very difficult problem and with West Virginia having the highest per capita volunteers in the U.S. military, we owe it to them.”
“I’ve had voters who have overnighted to our jurisdiction and paid over $50 to do so, and it still didn’t get back to us by voting day.”
The voters are identified by biometrics. The Voatz system will be limited to military personnel on deployment — people whose biometrics are thoroughly known and documented. It’s entirely optional, and soldiers can use a conventional paper vote instead if they want to.
The pilot programme in May wasn’t huge — literally 11 voters from Monongalia County used the system. “I think all 11 military voters who used it in our county were pleased with it.”
Mobile phone voting: “a horrific idea”
Obviously, Voatz want to expand mobile phone voting. But the notion is controversial, to say the least:
“Mobile voting is a horrific idea,” Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology, told CNN in an email. “It’s internet voting on people’s horribly secured devices, over our horrible networks, to servers that are very difficult to secure without a physical paper record of the vote.”
Marian K. Schneider, president of the election integrity watchdog group Verified Voting, was even more blunt. Asked if she thought mobile voting is a good idea, she said, “The short answer is no.”
If mobile phone voting can be usably secure at all, it will only be in a small and highly constrained system such as these pilot programmes.
How the blockchain bit works
The “blockchain” part of Voatz’ system is functionally superfluous — it’s a ledger of the votes, kept on a four-node Hyperledger instance run entirely by the company. So it’s another single-user “blockchain” being used as a clustered database.
I must note that Voatz disagree with this characterisation, referring me to the FAQ on wvexperience.voatz.com (go to the page, click “Blockchain & Security” on the left):
Once the voter is verified, Election jurisdictions start the process by sending a qualified voter a mobile ballot. Contained in the mobile ballot are “tokens” — think of them as potential votes — which are cryptographically tied to a candidate or ballot measure question. The number of tokens a given voter receives is the same as the number of ovals he or she would have received on a paper ballot handed out at the voter’s precinct or sent through the mail. The voter makes selections on the Voatz app on their smartphone. As they make selections, it alters the tokens with their selections (like filling in a ballot oval). Overvotes are prevented, as each voter only receives a total number of tokens as they have potential votes. Once submitted, the votes for choices on the ballot are verified by multiple distributed verifying servers called “verifiers” or validating nodes. Upon verification, the token is debited (i.e. subtracted) from the voter’s ledger and credited (i.e. added) to the candidate’s ledger. The blockchain on every verifier is automatically updated and the process repeats as additional voters submit their selections.
The Voatz blockchain is built using the HyperLedger blockchain framework. The minimum number of validating nodes used is 4. These get expanded to 16 for the pilot as needed depending on the anticipated number of participants. Additional scaling is planned for the future.
Though I still think this constitutes a private clustered database — and certainly as long as Voatz control all verification nodes, or even if they control who gets to run a verification node.
The token arrangement seems bizarrely convoluted and gratuitous — cryptographic tokens are widely used, work well, and they don’t need a blockchain. This still feels to me like implementing a naturally-centralised system on a blockchain because you want to say you used a blockchain.
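To make the distinction concrete, here is an added illustration (my own code, not Voatz’s; the token format, the HMAC key and the ledger layout are assumptions) of the FAQ’s token model: one token per contest bound to the voter under an election key, a verifier that rejects overvotes and tokens belonging to someone else, and a hash-chained debit/credit ledger. The last method shows what the chain does not protect against: whoever holds every verifier node can edit a record and re-hash everything after it, and the audit check still passes. That is exactly why a chain under one operator is a clustered database with extra steps.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample election: contest -> candidates, one vote per contest.
BALLOT = {"governor": ["Ann", "Bob"], "measure_1": ["yes", "no"]}

# Assumption: the election key lives with the operator, and every verifier
# node is run by that same operator (the situation the post describes).
ELECTION_KEY = secrets.token_bytes(32)


def _mac(*parts, key=ELECTION_KEY):
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def issue_tokens(voter_id):
    """One token per contest, bound to (voter, contest) under the election
    key.  A token is spendable on exactly one candidate of its contest,
    which is what prevents overvotes."""
    return {contest: _mac("token", voter_id, contest) for contest in BALLOT}


class Ledger:
    """Append-only, hash-chained record of voter debits and candidate
    credits, as the FAQ describes, but held entirely by one party."""

    def __init__(self):
        self.entries = []
        self.spent = set()  # (voter_id, contest) pairs already debited

    def _append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        h = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": h})

    def cast(self, voter_id, contest, candidate, token):
        """Verifier check: candidate on the ballot, token genuine for this
        voter and contest, token not yet spent."""
        if candidate not in BALLOT.get(contest, []):
            return False
        if not hmac.compare_digest(token, _mac("token", voter_id, contest)):
            return False
        if (voter_id, contest) in self.spent:
            return False  # overvote / double spend rejected
        self.spent.add((voter_id, contest))
        self._append({"debit": voter_id, "credit": candidate, "contest": contest})
        return True

    def tally(self):
        counts = {c: {cand: 0 for cand in cands} for c, cands in BALLOT.items()}
        for e in self.entries:
            r = e["record"]
            counts[r["contest"]][r["credit"]] += 1
        return counts

    def verify_chain(self):
        """What an outside auditor can check: each hash covers the previous
        hash plus the record.  It catches edits by anyone who cannot
        recompute the chain, and nobody else."""
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["record"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True

    def operator_rewrite(self, index, new_candidate):
        """The limitation in one method: the party running all the nodes can
        change a record and rebuild every later hash, so verify_chain()
        reports the rewritten history as intact."""
        records = [e["record"] for e in self.entries]
        records[index] = dict(records[index], credit=new_candidate)
        self.entries = []
        for r in records:
            self._append(r)


def run_demo():
    """Cast a few constructed ballots; returns the ledger and each cast's result."""
    ledger = Ledger()
    alice, bob = issue_tokens("alice"), issue_tokens("bob")
    results = [
        ledger.cast("alice", "governor", "Ann", alice["governor"]),
        ledger.cast("alice", "governor", "Bob", alice["governor"]),   # overvote
        ledger.cast("bob", "governor", "Bob", bob["governor"]),
        ledger.cast("bob", "measure_1", "yes", alice["measure_1"]),  # someone else's token
        ledger.cast("bob", "measure_1", "yes", bob["measure_1"]),
    ]
    return ledger, results


if __name__ == "__main__":
    ledger, results = run_demo()
    print(results, ledger.tally(), ledger.verify_chain())
```

Everything that makes this scheme work (token issuance, spend checks, the chain) is ordinary keyed-hash bookkeeping; nothing in it needs Hyperledger, and adding more nodes owned by the same operator changes none of the trust assumptions.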
The functional aspect of the blockchain bit is promotional:
Secretary of State deputy legal counsel and elections officer Donald Kersey said this means votes on Voatz become immutable and tamper proof, with records virtually impossible to crack.
Anyone reading this knows that none of that automatically follows from bolting a blockchain onto the side of your system.
There’s also a huge problem with the idea of recording the votes themselves on a permanent ledger. Joseph Lorenzo Hall in Vanity Fair asks you to “imagine that in 20 years, the entire contents of your ballot are decryptable and publicly available” — rather than on pieces of paper that can’t be traced back to you personally.
Voatz in Utah, April 2018 — 1400 voters go back to using paper
One thing that has to work with absolutely 100% reliability is voters being able to vote at all.
Tony Adams notes the 14 April 2018 Republican County Convention in Utah County, Utah, a caucus with about 1400 voters. They tried using Voatz, and it scaled so badly that they had to revert to using paper ballots.
Here are some voter reviews:
This app is terrible. Good thing there were backup paper ballots … seriously awful
Just wow! What an epic failure of an app. I had to sign up several times, validate, scan and wait wait wait for a “connection issue”. Me and the 1400 ish Delegates ended up doing paper ballots which made our convention go several hours overtime.
After going through the lengthy and counter-intuitive verification process, I could not understand the directions and ended up calling them over the phone before the Utah County Republican precinct caucus meeting. I was excited to vote and still be with my kids. When voting was supposed to happen the server was overloaded. Eventually the app stopped working. I had to reinstall and reverify. Could not vote. The next day I come to find out my precinct gave up on the app and just used paper ballots instead. Major let down.
By the way it also failed during many local caucus meetings a few weeks before. Out of 273 caucus meetings it only worked for three of them.
Voatz’ security embarrassments
Election manipulation is, of course, huge news at the moment. So Voatz should have expected tremendous scrutiny of their security and technological transparency, in every detail.
It’s unfortunate they had an old server still up — always remember to stop your old Amazon Web Services instances! — for Kevin Beaumont to find at a glance:
The Voatz website is running on a box with out of date SSH, Apache (multiple CVSS 9+), PHP etc. Pop3 to the Internet, NTP, PHP3, Plesk from 2009. The database (on Azure) has an admin panel on port 8080, no SSL. I’m off to bed.
The United States needs some form of vetting process for online voting in elections. I’m a foreign dude with an avatar of a cowboy porg riding a porg dog on Twitter who appears to have done more investigation of the security implications of this than anybody. Bonkers, America.
If a startup (I’m sure they’re nice people btw) with 2m in funding approaches and says they have biometric security and Blockchain it still needs independent vetting, at least to the level a crab paste company would get a HR provider. There needs to be oversight here.
I can’t even find a Voatz CISO (or security person) to report stuff to. They have long unpatched boxes and weird services online, this wouldn’t pass a crab paste company pentest.
I used to work for a crab paste company with little to no IT budget, I wouldn’t have accepted this into production, but apparently the world’s most prosperous nation will.
Voatz say this was an old test site — but leaving exploitable old servers up is a gateway to your new stuff. Did they check that nobody could get from the old server to the new servers? Are they in different Amazon VPCs?
Crucially, I find it unlikely that if you're running a Plesk from 2009 and a run of the mill poorly written PHP app on the user facing site that your security is all that great on the backend. There's at least someone in the org that is totally fine with an exploitable site.
— Keith Gable 🇺🇦🌻 (@ZiggyTheHamster) August 7, 2018
Voatz claim the West Virginia election site was audited by Security Innovation, Ingalls Information Security, Hacker One, Comodo/HackerGuardian and Qualys SSL Labs.
Kevin asked them about this, and says that “One of the companies listed as providing a security audit says they did not provide a security audit.”
Hacker One just means Voatz have a bug bounty programme — though I couldn’t find where they’ve listed it. Edit: it’s on Hacker One’s own site.
Qualys just provides a free SSL server test for any public website — and Voatz do seem to mean the free SSL test, as the free test of their website was the link they provided to Vanity Fair as a sample of their security practices.
In fact, Voatz tweeted this quick SSL server test as evidence their servers had passed penetration tests.
Yes, you can do a quick self verification SSL test here to get a sample of that – https://t.co/7GEZRPqdXX
We always appreciate constructive feedback to improve.
— Voatz (@Voatz) August 7, 2018
Summary
To be fair, the Twitter is probably just the social media person, having an absolutely terrible day — not one of the technical people. But they need to get the techies on the job straight away.
The failure to scale in Utah is a serious problem, though overseas military voters are likely to be a small enough use case for the system to cope.
But mobile phone voting worries people a lot.
Voatz need to put out public reports — as fully detailed and transparent as is feasible — on every aspect of the entire system, as soon as they can.
Treat every scornful tweet today as a pointer to an opportunity to excel. A chance to restore confidence.
@Voatz, we're not just being mean. You're going to be hit by the best state and private hackers in the world. Be prepared or go away.
— Al Swearengen (@E_A_Swearengen) August 7, 2018
Update: Voatz have responded to everyone’s security concerns! “In the West Virginia pilot, a paper ballot is printed for each mobile ballot submitted on the blockchain, then tabulated like a normal absentee ballot.”
Their page on hackerone is here: https://hackerone.com/voatz
blerkchain derpchain, and most reputable organizations like the CCC strongly oppose electronic voting, BUT… couldn’t voting quite simply be implemented with just a git backend?
the registration office distributes a set of keys to all voters, or the voters create their keypair and send their public key to the registration office.
the office checks all voters are eligible, and the list of their keys is the first commit signed by the registration office.
(timestamping this on the bitcoin blockchain would be possible but should only be necessary.)
every vote is practically a pull request.
all pull requests are merged by the registration office.
every voter can check the canonical main branch that their vote has been counted correctly by updating the git repo.
(maybe an optional bitcoin blockchain timestamp here too.)
one problem remains: as long as voters don’t publicly announce their public keys, their vote is secret to everyone else, but the registration office can still look up who voted what. so one more step of indirection using cryptographic magic is required, but it should be doable.
As usual Randall Munroe sums up the situation https://xkcd.com/2030/