This post originally appeared on MIT Technology Review
An increasingly popular online election app is riddled with critical security vulnerabilities, according to a new study from researchers at MIT. They conclude that hackers who strike the Voatz app can potentially alter, stop, or expose individual votes.
The news comes just weeks after a hastily made app fell apart during the Democratic Party’s Iowa caucus, a high-profile failure that put a spotlight on how faulty technology can undermine democratic processes.
“We all have an interest in increasing access to the ballot, but in order to maintain trust in our elections system, we must assure that voting systems meet the high technical and operation security standards before they are put in the field,” said Daniel Weitzner, a principal research scientist at MIT’s Computer Science and Artificial Intelligence Lab, who guided the research. “We cannot experiment on our democracy.”
Get out the Voatz: Voatz has already been used as a pilot program in federal elections, most recently the 2018 midterm elections in West Virginia as well as previous ballots in Denver, Oregon, and Utah. Around 600 voters were involved, according to the company. Thousands more are set to use the app this year.
Sticks and stones: In response to the study, the company that produced Voatz accused the researchers of faulty analysis, “untested claims,” and “bad faith recommendations.”
In a lengthy statement, the company said the cybersecurity researchers were aiming primarily for media attention and claimed that they seek to “disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.”
In fact, the researchers took their findings to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency in January, which led DHS to hold private briefings for election officials using Voatz.
“We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,” the company said in a statement. “Pilot programs like ours are invaluable.”
Expert consensus: The issue of online voting is much bigger than this single study. Cybersecurity experts largely agree that online voting is an enormous risk and that no elections should be held online at this point for fear of security issues that could change the results of an election.
“The consensus of security experts is that running a secure election over the internet is not possible today,” said James Koppel, one of the MIT researchers. “The reasoning is that weaknesses anywhere in a large chain can give an adversary undue influence over an election, and today’s software is shaky enough that the existence of unknown exploitable flaws is too great a risk to take.”
A landmark 2018 report from the National Academies of Sciences concluded that online voting systems should not be used until they can be verified as trusted and secure.
“The choice here is not about turnout,” the report said, “but about an adversary controlling the election result and a loss of voter privacy.”
