The day after a Utah legislative committee voted unanimously to direct the state elections office to study online voting, a report released Thursday outlined several possible security vulnerabilities within the only internet voting app currently in use in the state.
Researchers at the Massachusetts Institute of Technology found that the Voatz app — which Utah County offered to overseas and disabled voters in its last election — is riddled with security issues and privacy problems that could provide the opportunity for hackers to alter, stop or expose an individual user’s vote.
“Given the severity of failings discussed in this paper, the lack of transparency, the risks to voter privacy, and the trivial nature of the attacks, we suggest that any near-future plans to use this app for high-stakes elections be abandoned,” the paper concludes.
Utah County Clerk Amelia Powers Gardner said she has been in contact with both the researchers at MIT and the Department of Homeland Security, which organized a series of briefings with local officials using the technology in response to the report.
After those conversations, Gardner said she’s confident the system is sound and noted that the county has no plans to pull the plug on the application’s use in the upcoming presidential primary elections.
“The entire report is based on an older, outdated version of the app,” she said in a phone interview with The Salt Lake Tribune on Thursday. “Plus the parameters that they had, that they outlined, they don’t match our system as far as creating a security vulnerability.”
In September, the county conducted a Facebook Live audit of the 24 ballots submitted through the app and found no issues.
Voatz, in a news release Thursday, labeled the report as “fundamentally flawed” and said it was part of a “systematic effort to dismantle any online voting pilots.”
“These attempts effectively choke any meaningful conversation and learnings around the safe integration of technology to improve accessibility and security in our elections,” the company said. “The effect is to deny access to our overseas citizens, deployed military servicemen and women, their families, and citizens with disabilities.”
In addition to their findings around security and privacy vulnerabilities, researchers at MIT also point to a need for transparency and openness in election administration to ensure the integrity of elections and call on software developers to prove their systems are as safe as paper ballots.
“None of the vulnerabilities we discovered are novel,” they note in the report, but argue that “had Voatz been more public about their system, these faults would have been easily recognizable” and could have helped the company secure its system earlier on.
While Gardner acknowledged that the Voatz system “isn’t perfect,” she argued it’s better than the status quo, where members of the military and others living abroad have traditionally had to rely on absentee paper ballots or email, which eliminates the right to an anonymized ballot.
“So what was determined is, ‘Yeah, is there possibly some risk [under Voatz]?’ Yes,” she said. “But is that risk higher than if this person used their email to vote? Absolutely not. Email is significantly less secure than this system.”
While Utah County has hailed its pilot project as a way to engage more voters, skeptics have long raised concerns about election hacking of the app, which uses blockchain technology to keep information safe and anonymized in conjunction with mobile technology and biometric information that verifies a voter’s identity.
Among the critics is Marian Schneider, president of Verified Voting, a national nongovernmental organization that advocates for more secure elections. On Thursday, she said the report should “concern all jurisdictions considering using a mobile app for voting.”
“Many questions remain about how a mobile app like Voatz would be able to recover from a hack,” she said in a written statement to The Tribune. “Mobile voting apps have yet to demonstrate their ability to detect any hack or error and recover from it. The use of a mobile app for voting, given these findings, could cause more distrust in the voting process rather than bolstering confidence.”
The MIT report comes out on the heels of a poor showing for online voting at the Iowa presidential caucuses earlier this month, where a smartphone app for reporting results failed widely, leading to a dayslong delay in reporting results and no clear winner.
Those issues were top of mind for a few state lawmakers during a legislative committee hearing on Wednesday, as they considered a proposal that would require the lieutenant governor to study and make a recommendation by Oct. 31, 2021, about whether the state should implement an internet voting system.
The bill’s sponsor, Rep. Mike McKell, R-Spanish Fork, said there have been myriad problems with these new technologies — including when used among Utah Republicans in their caucuses.
“I can’t remember ever not having a problem,” he said.
But amid a push nationally and locally to find ways to vote with apps and online, this bill “simply directs the lieutenant governor’s office to start asking the question of feasibility and whether or not it’s a good idea in the first place,” McKell added.
HB292, which passed unanimously out of the House Government Operations Committee and now moves for consideration to the full House, requires that the study include an evaluation of the possible benefits and risks of online voting as well as financial costs and the impact on voter turnout.
In an interview with The Salt Lake Tribune last summer, Voatz director of product Hilary Braseth anticipated that mobile voting or something like it will become more commonplace in future election cycles.
There’s an “appetite for convenience among people in the country,” she said, especially among millennials. “So whether it happens with Voatz, whether it happens with other entities, I think in 10 years, we will see a different picture somewhat of who and how people are voting and what methods they’re using.”