Updated Thursday, Feb. 13, 2020 at 4:05 p.m.
A mobile voting application used in West Virginia’s 2018 election cycle is susceptible to various vulnerabilities, according to a study released Thursday by researchers at the Massachusetts Institute of Technology. But the company behind the technology is disputing the findings and recommendations of the study.
A security analysis of the application Voatz shows a number of weaknesses, including the opportunity for hackers to change how a person has voted. Researchers also found that the application’s use of a third-party vendor for voter identification and verification poses potential privacy issues.
“[O]ur analysis has shown that this application is not secure. A passive network adversary can discover a user’s vote, and an active one can disrupt transmission in response. An attacker that controls a user’s device also controls their vote, easily brushing aside the app’s built-in countermeasures,” the paper’s conclusion reads. “And our analysis of the protocol shows that one who controls the server likely has full power to observe, alter, and add votes as they please.”
The company, however, disputes the findings of the MIT analysis. Voatz said the researchers were presenting "bad faith recommendations" by testing an old version of the application that was not used in any real elections.
"Voatz has worked for nearly five years to develop a resilient ballot marking system, a system built to respond to unanticipated threats and to distribute updates worldwide with short notice," the company said in a statement posted online Thursday. "It incorporates solutions from other industries to address issues around security, identity, accessibility, and auditability."
The MIT analysis comes amid a growing debate over how to balance attempts to increase voter turnout with security concerns. Groups like Tusk Philanthropies have advocated for a rollout of mobile voting tech technologies like Voatz by funding pilots for elections in various states and municipalities.
That includes West Virginia.
In 2018, the Secretary of State’s office implemented a mobile voting pilot program for overseas military absentee voters. Tusk Philanthropies footed the bill for counties who took part in the pilot.
For the general election, 144 voters from 21 counties made use of the Voatz app to cast a ballot. State officials have said paper ballot audits on Election Day 2018 show that votes cast using the application were accurate as intended by the voter.
Michael Specter and James Koppel — two graduate students from MIT’s Department of Electrical Engineering and Computer Science — conducted the security analysis of Voatz under the guidance of Daniel Weitzner, a principal research scientist at MIT’s Computer Science and Artificial Intelligence Lab.
The study’s authors echo other election security experts who have cautioned against using internet-facing technologies to cast ballots.
“The consensus of security experts is that running a secure election over the internet is not possible today,” Koppel said in a news release accompanying the release of the paper. “The reasoning is that weaknesses anywhere in a large chain can give an adversary undue influence over an election, and today’s software is shaky enough that the existence of unknown exploitable flaws is too great a risk to take.”
But places like West Virginia have already taken that risk — at least to some degree.
Research published last year by the University of Chicago — funded by Tusk Philanthropies — touted West Virginia’s mobile voting pilot using Voatz as a success and that it increased voter turnout for the population affected. However, the paper also noted heavy concerns over security with electronic and internet-facing voting technologies.
An audit of Voatz, declassified this week by the U.S. Department of Homeland Security’s Hunt and Incident Response Team (HIRT), showed there were no threats detected — but the app showed some room for improvement.
“During the one-week on-site engagement and subsequent remote analysis on the data collected, HIRT analysts did not detect threat actor behaviors or artifacts of past activities on the in-scope portions of the Voatz networks. HIRT identified some areas where defense-in-depth protections and configurations could be improved to help Voatz’s IT security personnel defend their enterprise network,” the conclusion of the DHS audit reads.
However, opportunities for more rollouts of applications like Voatz could still be on the way in West Virginia.
Donald “Deak” Kersey, who serves as general counsel for West Virginia’s Secretary of State’s office, said elections officials have not yet made a decision on whether or not to use Voatz as part of complying with the state’s new law.
“As technology advances to provide additional security and accessibility for the voters, the state’s due diligence process regarding technology options and vendors also continues,” Kersey said in an email. “It is our goal to maintain the integrity of our elections and voters’ confidence in the results, while finding the most secure method available that allows every voter the opportunity to vote regardless of their physical disability or geographic location.”
Kersey said the Secretary of State’s office will decide by March 1 on what technology will be used for the upcoming primary election.
West Virginia’s primary election is May 12.