National: Why you can’t trust your vote to the internet | Brett Winterford/CyberScoop
A common adage in information security is that most startups don’t hire their first full-time security engineer until they’ve got around 300 employees. If an app only stores public data and has no need to authenticate users, that might not present much of a problem. But when an app needs to be trusted to protect the confidentiality of a person’s political preference, it’s something else entirely. It’s why Tusk Philanthropies — an organization devoted to bringing mobile voting to the masses — is playing matchmaker between a half-dozen mobile voting startups and the security experts that can help bring them up to snuff. The team at Trail of Bits — a boutique software security firm based in New York — was commissioned by Tusk in late 2019 to conduct a thorough ‘white box’ security test of mobile voting app Voatz, an app used in five states. The testers would have full access to all the source code and documentation they required to discover security gaps and recommend fixes. The code looked sound, as it was clearly written by highly competent engineers. But after waiting over a week for technical documentation they requested from the startup, the Trail of Bits team had nothing to work off beyond a single page that amounted to a security policy.