{"id":9010,"date":"2018-08-07T18:43:25","date_gmt":"2018-08-07T18:43:25","guid":{"rendered":"https:\/\/davidgerard.co.uk\/blockchain\/?p=9010"},"modified":"2022-06-30T18:07:24","modified_gmt":"2022-06-30T18:07:24","slug":"west-virginia-and-the-voatz-blockchain-voting-system-scaling-and-security-concerns","status":"publish","type":"post","link":"https:\/\/davidgerard.co.uk\/blockchain\/2018\/08\/07\/west-virginia-and-the-voatz-blockchain-voting-system-scaling-and-security-concerns\/","title":{"rendered":"West Virginia and the Voatz “blockchain” voting system \u2014 scaling and security concerns"},"content":{"rendered":"

In May, West Virginia ran a limited pilot programme using Voatz’ “blockchain” voting system, which I wrote about in June<\/a> \u2014 it’s actually a mobile phone voting system, with a blockchain tacked on the side. This was for military people who were eligible to vote in Harrison and Monongalia Counties, but were stationed overseas.<\/p>\n

West Virginia were sufficiently impressed to use the Voatz system again, for this November’s mid-term elections.<\/a> This was reported on local WVNews sites at the end of July,<\/a> but exploded when CNN reported it yesterday.<\/a><\/p>\n

And my June post took off again, my Twitter<\/a> mentions melted, and I was quoted in a Vanity Fair article<\/a> today on the kerfuffle. So what’s going on here?<\/p>\n

 <\/p>\n

\"\"<\/a><\/p>\n

 <\/p>\n

Why would you run a mobile phone vote?<\/h3>\n

Mobile phone voting sounds like an obviously terrible idea in all sorts of ways. But they need to solve a genuine<\/a> problem:<\/a><\/p>\n

“Think of a soldier on a hillside in Afghanistan or a sailor under the polar ice caps. They don\u2019t have access to U.S. mail. Sometimes they\u2019re in a classified area such as a nuclear sub or simply don\u2019t have access to scanners, fax machines and that sort of thing. They do have access to the internet, mobile devices. It\u2019s a tremendous solution to a very difficult problem and with West Virginia having the highest per capita volunteers in the U.S. military, we owe it to them.”<\/p>\n

\u201cI\u2019ve had voters who have overnighted to our jurisdiction and paid over $50 to do so, and it still didn\u2019t get back to us by voting day.\u201d<\/p><\/blockquote>\n

The voters are identified by biometrics. The Voatz system will be limited to military personnel on deployment \u2014 people whose biometrics are thoroughly known and documented. It’s entirely optional, and soldiers can use a conventional paper vote instead if they want to.<\/p>\n

The pilot programme in May wasn’t huge \u2014 literally 11 voters from Monongalia County used the system. “I think all 11 military voters who used it in our county were pleased with it.”<\/p>\n

Mobile phone voting: “a horrific idea”<\/h3>\n

Obviously, Voatz want to expand mobile phone voting. But the notion is controversial,<\/a> to say the least:<\/p>\n

“Mobile voting is a horrific idea,” Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology, told CNN in an email. “It’s internet voting on people’s horribly secured devices, over our horrible networks, to servers that are very difficult to secure without a physical paper record of the vote.”<\/p>\n

Marian K. Schneider, president of the election integrity watchdog group Verified Voting, was even more blunt. Asked if she thought mobile voting is a good idea, she said, “The short answer is no.”<\/p><\/blockquote>\n

If mobile phone voting can be usably secure at all, it will only be in a small and highly constrained system such as these pilot programmes.<\/p>\n

How the blockchain bit works<\/h3>\n

The “blockchain” part of Voatz’ system is functionally superfluous \u2014 it’s a ledger of the votes, kept on a four-node Hyperledger instance run entirely by the company. So it’s another single-user “blockchain”<\/a> being used as a clustered database.<\/p>\n

I must note that Voatz disagree<\/a> with this characterisation, referring me to the FAQ on wvexperience.voatz.com<\/a> (go to the page,<\/a> click “Blockchain & Security” on the left):<\/p>\n

Once the voter is verified, Election jurisdictions start the process by sending a qualified voter a mobile ballot. Contained in the mobile ballot are “tokens” \u2014 think of them as potential votes \u2014 which are cryptographically tied to a candidate or ballot measure question. The number of tokens a given voter receives is the same as the number of ovals he or she would have received on a paper ballot handed out at the voter’s precinct or sent through the mail. The voter makes selections on the Voatz app on their smartphone. As they make selections, it alters the tokens with their selections (like filling in a ballot oval). Overvotes are prevented, as each voter only receives a total number of tokens as they have potential votes. Once submitted, the votes for choices on the ballot are verified by multiple distributed verifying servers called “verifiers” or validating nodes. Upon verification, the token is debited (i.e. subtracted) from the voter’s ledger and credited (i.e. added) to the candidate’s ledger. The blockchain on every verifier is automatically updated and the process repeats as additional voters submit their selections.<\/p>\n

The Voatz blockchain is built using the HyperLedger blockchain framework. The minimum number of validating nodes used is 4. These get expanded to 16 for the pilot as needed depending on the anticipated number of participants. Additional scaling is planned for the future.<\/p><\/blockquote>\n

Though I still think this constitutes a private clustered database \u2014 and certainly as long as Voatz control all verification nodes, or even if they control who gets to run a verification node.<\/p>\n

The token arrangement seems bizarrely convoluted and gratuitous \u2014 cryptographic tokens are widely used, work well, and they don’t need a blockchain. This still feels to me like implementing a naturally-centralised system on a blockchain because you want to say you used a blockchain.<\/p>\n

The functional aspect of the blockchain bit is promotional:<\/a><\/p>\n

Secretary of State deputy legal counsel and elections officer Donald Kersey said this means votes on Voatz become immutable and tamper proof, with records virtually impossible to crack.<\/p><\/blockquote>\n

Anyone reading this knows that none of that automatically follows<\/a> from bolting a blockchain onto the side<\/a> of your system.<\/p>\n

There’s also a huge problem with the idea of recording the votes themselves on a permanent ledger. Joseph Lorenzo Hall<\/a> in Vanity Fair asks you to “imagine that in 20 years, the entire contents of your ballot are decryptable and publicly available” \u2014 rather than on pieces of paper that can’t be traced back to you personally.<\/p>\n

Voatz in Utah, April 2018 \u2014 1400 voters go back to using paper<\/h3>\n

One thing that has to work with absolutely 100% reliability is voters being able to vote at all.<\/p>\n

Tony Adams notes<\/a> the 14 April 2018 Republican County Convention<\/a> in Utah County, Utah, a caucus with about 1400 voters. They tried using Voatz,<\/a> and it scaled so badly that they had to revert to using paper ballots.<\/p>\n

Here’s some voter reviews:<\/p>\n

This app is terrible. Good thing there were backup paper ballots … seriously awful<\/p>\n

Just wow! What an epic failure of an app. I had to sign up several times, validate, scan and wait wait wait for a “connection issue”. Me and the 1400 ish Delegates ended up doing paper ballots which made our convention go several hours overtime.<\/p>\n

After going through the lengthy and counter-intuitive verification process, I could not understand the directions and ended up calling them over the phone before the Utah County Republican precinct caucus meeting. I was exited to vote and still be with my kids. When voting was supposed to happen the server was over loaded. Eventually the app stopped working. I had to reinstall and reverify. Could not vote. The next day I come to find out my precinct gave up on the app and just used paper ballots instead. Major let down.<\/p>\n

Bye the way it also failed during many local caucus meetings a few weeks before. Out of 273 caucus meetings it only worked for three of them.<\/p><\/blockquote>\n

Voatz’ security embarrassments<\/h3>\n

Election manipulation is, of course, huge news at the moment.<\/a> So Voatz should have expected tremendous<\/em> scrutiny of their security and technological transparency, in every detail.<\/p>\n

It’s unfortunate they had an old server still up<\/a>\u00a0\u2014 always remember to stop your old Amazon Web Services instances!\u00a0\u2014 for Kevin Beaumont to find at a glance:<\/a><\/p>\n

The Voatz website is running on a box with out of date SSH, Apache (multiple CVSS 9+), PHP etc. Pop3 to the Internet, NTP, PHP3, Plesk from 2009.<\/a> The database (on Azure) has an admin panel on port 8080, no SSL. I\u2019m off to bed.<\/p>\n

\"\"<\/a>The United States needs some form of vetting process for online voting in elections. I\u2019m a foreign dude with an avatar of a cowboy porg riding a porg dog on Twitter who appears to have done more investigation of the security implications of this than anybody. Bonkers, America.<\/p>\n

If a startup (I\u2019m sure they\u2019re nice people btw) with 2m in funding approaches and says they have biometric security and Blockchain it still need independent vetting, at least to level a crab paste company would get a HR provider. There needs to be oversight here.<\/p>\n

I can\u2019t even find a Voatz CISO (or security person) to report stuff to. They have long unpatched boxes and weird services online, this wouldn\u2019t pass a crab paste company pentest.<\/p>\n

I used to work for a crab paste company with little to no IT budget, I wouldn\u2019t have accepted this into production, but apparently the world\u2019s most prosperous nation will.<\/p><\/blockquote>\n

Voatz say this was an old test site \u2014 but leaving exploitable old servers up is a gateway to your new stuff. Did they check that nobody could get from the old server to the new servers? Are they in different Amazon VPCs?<\/p>\n

 <\/p>\n

\n

Crucially, I find it unlikely that if you're running a Plesk from 2009 and a run of the mill poorly written PHP app on the user facing site that your security is all that great on the backend. There's at least someone in the org that is totally fine with an exploitable site.<\/p>\n

— Keith Gable \ud83c\uddfa\ud83c\udde6\ud83c\udf3b (@ZiggyTheHamster) August 7, 2018<\/a><\/p><\/blockquote>\n