Internet Voting

Tag Archive

Utah: Mobile voting system used in Utah County subject of attempted 2018 West Virginia breach | Graham Dudley/KSL

The FBI is investigating an attempted intrusion of the Voatz mobile voting system during West Virginia’s 2018 midterm elections, officials announced last week, throwing a spotlight onto an experimental app that Utah County used for the first time in this year’s primary elections. Mike Stuart, U.S. attorney for the Southern District of West Virginia, said in a statement that there was “no intrusion and the integrity of votes and the election system was not compromised.” Stuart also said that the FBI investigation into the attempt is ongoing and that it’s still not determined whether any federal laws were violated. Voatz is a new technology allowing overseas voters, like missionaries and U.S. military personnel, an alternative to email or traditional mail-in voting, which have long sparked concerns over security and anonymity risks. It’s an app that uses blockchain technology, a sort of public digital ledger, to encrypt and secure votes.

Full Article: Mobile voting system used in Utah County subject of attempted 2018 West Virginia breach | KSL.com.

West Virginia: The FBI is investigating West Virginia’s blockchain-based midterm elections | Matthew De Silva/Quartz

During the 2018 midterm elections, somebody tried to hack Voatz, the blockchain-based voting system used by West Virginia. The attack was unsuccessful, but is under investigation by the FBI, said Andrew Warner, West Virginia’s secretary of state in an Oct. 1 press conference. “In last year’s election, we detected activity that may have been an attempt to penetrate West Virginia’s mobile voting process,” said Warner. “No penetration occurred and the security protocols to protect our election process worked as designed. The IP addresses from which the attempts were made have been turned over to the FBI for investigation. The investigation will determine if crimes were committed.” The hacking attempt may have stemmed from an election security class at the University of Michigan, CNN reported Friday (Oct. 4). Last November, 144 West Virginian voters—including active members of the US military serving overseas—used Boston-based Voatz, a blockchain-enabled smartphone application, to cast their ballots for the Senate and House of Representatives as well as for state and local offices. That’s a small number, but could be consequential, especially in close races. Four seats in West Virginia’s House of Delegates were decided by less than 150 votes.

Full Article: The FBI is investigating West Virginia's blockchain-based midterm elections — Quartz.

West Virginia: Alleged mobile voting app hack linked to University of Michigan | Benjamin Freed/StateScoop

Federal investigators looking into an alleged hacking attempt against the mobile app that West Virginia officials used to collect ballots from overseas voters in the 2018 election are determining if the incident was the result of computer-science students at the University of Michigan testing for vulnerabilities. CNN reported Friday that the FBI is investigating “a person or people” who attempted to access the app — Voatz — as part of a cybersecurity course at University of Michigan, which is one of a handful of universities with a curriculum focused on election security. Mike Stuart, the U.S. attorney for West Virginia, revealed the investigation last Tuesday, saying that during the 2018 election cycle his office was alerted by West Virginia Secretary of State Mac Warner that there was an “attempted intrusion by an outside party” to access the Voatz app. According to state officials and the app’s developers, Voatz is designed only to grant ballot access to qualified voters who go through multiple layers of biometric identification, including facial-recognition and fingerprint scanning.

Full Article: Alleged mobile voting app hack linked to University of Michigan.

West Virginia: Hackers try to access West Virginia’s mobile voting app | GCN

Someone tried to hack into West Virginia’s blockchain-enabled mobile voting system during the 2018 election cycle. The attack happened during the pilot rollout of West Virginia’s mobile voting pilot that uses a smartphone application developed by Boston-based Voatz to enable eligible overseas voters to receive and return their ballot securely using a mobile device. The app lets military and overseas voters who qualify under the Uniformed and Overseas Citizens Act verify their identities by providing biometric proof in the form of a photo of their driver’s license, state ID or passport that is matched to a selfie. Once voters’ identities are confirmed, they receive a mobile ballot based on the one that they would receive in their local precinct. A confirmation message is sent to the voter’s smartphone when the vote is uploaded to the blockchain’s series of secure, redundant, geographically dispersed servers , which ensures the votes cannot be tampered with once they’ve been recorded.

Full Article: Hackers try to access West Virginia's mobile voting app -- GCN.

West Virginia: Hacking attempt reported against West Virginia’s mobile voting app | Benjamin Freed/StateScoop

The FBI is investigating an alleged hacking attempt against the mobile app that West Virginia officials used to collect ballots from some overseas voters during the 2018 election cycle, the Justice Department announced Tuesday. Mike Stuart, the U.S. attorney for West Virginia, said that during last year’s election cycle, his office received a report from West Virginia Secretary of State Mac Warner pertaining to an “attempted intrusion by an outside party” to access the app, Voatz, which Warner’s office has heralded as the future of voting for expat U.S. citizens, especially deployed members of the military. The attempt, Stuart continued, appeared to be unsuccessful, with no actual intrusion or effect on the 144 ballots that were cast in last year’s general election. “No penetration occurred and the security protocols to protect our election process worked as designed,” Warner said at a press conference Tuesday in Charleston, the state capital. Still, Warner said, the attempted intrusion was referred to the FBI for investigation as a “deterrent” against attempts by outside actors to interfere with the state’s election process.

Full Article: Hacking attempt reported against West Virginia's mobile voting app.

West Virginia: Attempted hack of military app investigated | Steve Allen Adams/The Intermountain

Federal and state officials announced this week an FBI investigation into an attempted hack on the new app for overseas deployed military voters and their families and warned others not to make the attempt. Mike Stuart, U.S. attorney for the Southern District of West Virginia, and Secretary of State Mac Warner held a press conference at the Robert C. Byrd Courthouse in downtown Charleston. According to Warner, there was an attempt to hack the Secure Military Voting Application during the 2018 elections. The mobile app allows deployed military and their families to download an app and vote for candidates after they apply to use the app and are approved. “In last year’s election, we detected activity that may have been an attempt to penetrate West Virginia’s mobile voting process,” Warner said. “No penetration occurred and the security protocols to protect our election process worked as designed.” During the mobile voting process, the virtual ballot is encrypted and secured utilizing blockchain technology, then sent to the voter’s county clerk in West Virginia where their ballot is printed and tabulated. West Virginia was the first state to use mobile voting, first in a pilot project during the 2018 primary election, then a full rollout for any county that wanted to participate in the 2018 general election.

Full Article: Attempted hack of military app investigated | News, Sports, Jobs - The Intermountain.

West Virginia: FBI called in to investigate 2018 Mountain State mobile voting system hacking | Shaun Nichols/The Register

The state of West Virginia says someone attempted to hack its citizens’ votes during the 2018 mid-term elections. A statement issued this week by US Attorney Mike Stuart of the Southern District of West Virginia revealed that the FBI has been called in and is actively investigating at least one attempt to tamper with election results. “My office instituted an investigation to determine the facts and whether any federal laws were violated. The FBI has led that investigation,” Stuart said. “That investigation is currently ongoing and no legal conclusions whatsoever have been made regarding the conduct of the activity or whether any federal laws were violated.” According to the US attorney, the unknown hacker, only referred to as an ‘outside party’ tried (and failed) to get access to the mobile voting system the state used for military service members stationed overseas.

Full Article: FBI called in to investigate 2018 Mountain State mobile voting system hacking • The Register.

Canada: Online voting in Northwest Territories election questioned as recounts set to take place | Hilary Bird/CBC

With two recounts set to take place in the next 10 days, one candidate in Tuesday’s Northwest Territories election says he has some concerns with how online votes will be recounted. Under the Elections and Plebiscite Act of the Northwest Territories, races that won with a margin of less than two per cent must have judicial recounts within 10 days of the official results being released. That means ballots cast in the Frame Lake and Yellowknife North ridings will all need to be recounted by a judge. Rylund Johnson won in Yellowknife North by just five votes over incumbent Cory Vanthuyne. Johnson got 501 votes; Vanthuyne received 496. In Yellowknife’s Frame Lake riding, incumbent Kevin O’Reilly won by a slim margin with 357 votes. The riding’s only other candidate, former minister Dave Ramsay, received 346 votes. Ramsay told CBC News Wednesday that he has already seen discrepancies between unofficial numbers reported by Elections NWT Tuesday evening and numbers reported Wednesday morning after returning officers double-checked the polls.

Full Article: Online voting in N.W.T. election questioned as recounts set to take place | CBC News.

Mexico: Mexicans living abroad could cast their vote online for the first time in 2021 | Alexandra Mendoza/The San Diego Union-Tribune

Mexicans living abroad could cast their vote online as soon as the 2021 midterm elections. For almost 15 years, voters wanting to participate in Mexican elections from outside the country voted by mail. The new process of voting online will have to go through several tests to make sure it is error free, according to Enrique Andrade, a counselor with Mexico’s National Electoral Institute (INE). “It’s not something simple,” he said during a recent visit to San Diego. “It’s going to depend a lot on the trust in the system”. In the 2018 elections, about 182,000 Mexicans registered to vote from abroad and 54 percent cast their ballots. In 2012, almost 60,000 Mexicans registered to vote, with 69 percent participating in the election. Last year was the third time that Mexicans were allowed to vote from abroad, but the first one in which they could apply for the credential to vote in the consulate.

Full Article: Mexicans living abroad could cast their vote online for the first time in 2021 - The San Diego Union-Tribune.

West Virginia: FBI investigating attempted breach of Voatz mobile voting app | Mark Albert/WTAE

One or more people tried to penetrate West Virginia’s mobile voting system during the Midterm election, the Hearst Television National Investigative Unit has confirmed, leading to new worries about the security of certain election platforms ahead of next year’s general election. The Mountain State was the first to use mobile voting for military and overseas voters. Tuesday’s announcement in the state capital of Charleston by state and federal authorities of the attempted breach came on the first day of National Cybersecurity Awareness Month. The U.S. Attorney for the Southern District of West Virginia, Mike Stuart, says the case has now been turned over to the Federal Bureau of Investigation for investigation. Sources tell the National Investigative Unit the attempted intrusion of the mobile voting app is believed to have come from inside the U.S., not from overseas. At a news conference Tuesday afternoon at the federal courthouse in Charleston, Stuart delivered a warning to anyone who may attempt to breach an election system. “Don’t do it. Don’t even think about it. We’re serious about maintaining the integrity of our election system and we will prosecute those folks who violate federal law,” Stuart said.

Full Article: FBI investigating attempted breach of mobile voting app.

National: Blockchain e-voting: Backed by US candidate, hacked in Moscow | Sarah Wray/SmartCitiesWorld

The debate over blockchain-based political voting re-emerged recently as Democratic US presidential hopeful Andrew Yang backs the technology to boost voter numbers and security, while a French researcher has hacked into the blockchain-based voting system which officials plan to use next month for the 2019 Moscow City Duma election. On his campaign website, Yang states that voting should be available via mobile devices with verification through blockchain. He argues that modernising voting with decentralised ledger technology could increase security, reduce inconsistent processes between states and restore confidence in democracy. Philip Boucher, a European Policy Research Service (EPRS) policy analyst, explains the theory behind blockchain voting: “In elections, we usually have a central authority that records, checks and counts all of the votes. With blockchain, the process is decentralised so everyone can hold a copy of the full voting record on their own devices. The data is encrypted to protect the identity of individual voters. Illegitimate votes cannot be added and the historical record cannot be changed because everyone holds a copy and can check that all of the votes comply with the rules and are counted properly.” Some have even suggested that in future, blockchain votes could be encoded into ‘smart contracts’ so that the results automatically take effect “like a self-implementing manifesto”. Several countries and local authorities have explored or experimented with the idea of digital voting.

Full Article: Blockchain e-voting: Backed by US candidate, hacked in Moscow - Smart Cities World.

Estonia: E-voting workgroup recommends more audits and observers | ERR

Experts put forward suggestions and recommendations at the second meeting of the e-election working group on Wednesday, commissioned by minister Kert Kingo (EKRE). Over the past month, committee members have submitted 30 suggestions for improvements. At the second meeting suggested proposals were put forward in three areas. Head of the working group Raul Rikk said that firstly more resources should be made available so that several independent auditors can check the processes of e-voting. He said this would increase their credibility in Estonia and around the world. The group is also proposing that the number of people involved in conducting and supervising elections should increase and to raise the number of independent observers at election counts. Rikk said this could be done, for example, by making it obligatory for a representative from each political party to attend the election counts. Experts could also be invited to follow the process or IT students could be encouraged to write reports. These changes would help to increase the number of people in society who have received training in the electoral process and understand the structure of the system, Rikk said.

Full Article: E-voting workgroup recommends more audits and observers | news | ERR.

Italy: The Five Star digital voting platform that could threaten a government deal in Italy | Franck Iovene/AFP

If Italy’s political parties can agree on a government deal, it would still need to clear a final hurdle: the online voting platform of the Five Star Movement (M5S), which has long championed so-called ‘digital democracy’.
The platform, named after the 18th-century French philosopher Jean-Jacques Rousseau, is supposed not only to empower ordinary citizens but guarantee transparency — but it has been slammed as secretive and vulnerable to cyber attacks. Launched in 2016, it currently has some 100,000 members, M5S chief Luigi Di Maio said in July. But critics have lamented a lack of official documentation or certification from a third party to attest that this figure is correct. The M5S’s blog says the number of people registered on “Rousseau” rose from 135,000 in October 2016 to nearly 150,000 in August 2017, before dropping to 100,000 a year later. But political analysts say it cannot be seen as representative of M5S supporters, as the membership numbers are a drop in the ocean compared to the 10.7 million Italians who voted for M5S in the 2018 general election.

Full Article: The Five Star digital voting platform that could threaten a government deal in Italy - The Local.

Australia: Where’s the proof internet voting is secure? | Vanessa Teague/Pursuit

Victoria’s Electoral Commissioner, Warwick Gately AM, says that Victoria should legislate to allow Internet voting because “there is an inevitability about remote electronic voting over the internet.” According to Mr Gately, the NSW iVote system has, “proven the feasibility of casting a secret vote safely and securely over the internet”. The key word here is “proven”. Anyone can claim that their system is secure and protects people’s privacy, but how would we know? Elections have special requirements. Ballot privacy is mandated by law. And elections must demonstrate that the result accurately reflects the choice of the people. So, what has iVote proven? In 2015, our team found that the iVote site was vulnerable to an internet-based attacker who could read and manipulate votes. The attack wouldn’t have raised any security warnings at either the voter’s or the NSW Electoral Commission (NSWEC) end, but it should have been apparent from iVote’s telephone-based verification. When the NSWEC claimed that “some 1.7 per cent of electors who voted using iVote® also used the verification service and none of them identified any anomalies with their vote,” we took that as reasonable evidence that the security problem hadn’t been exploited. But it wasn’t true.

Full Article: Where’s the proof internet voting is secure? | Pursuit by The University of Melbourne.

Russia: Moscow’s blockchain-based internet voting system uses an encryption scheme that can be easily broken | Sugandha Lahoti/Security Boulevard

Russia is looking forward to its September 2019 elections for the representatives at the Parliament of the city (the Moscow City Douma). For the first time ever, Russia will use Internet voting in its elections. The internet-based system will use blockchain developed in-house by the Moscow Department of Information Technology. Since the news broke out, security experts have been quite skeptical about the overall applicability of blockchain to elections. Recently, a French security researcher Pierrick Gaudry has found a critical vulnerability in the encryption scheme used in the coding of the voting system. The scheme used was the ElGamal encryption, which is an asymmetric key encryption algorithm for public-key cryptography. Gaudry revealed that it can be broken in about 20 minutes using a standard personal computer and using only free software that is publicly available. The main problem, Gaudry says is in the choice of three cyclic groups of generators. These generators are multiplicative groups of finite fields of prime orders each of them being Sophie Germain primes. These prime fields are all less than 256-bit long and the 256×3 private key length is too little to guarantee strong security. Discrete logarithms in such a small setting can be computed in a matter of minutes, thus revealing the secret keys, and subsequently easily decrypting the encrypted data. Gaudry also showed that the implemented version of ElGamal worked in groups of even order, which means that it leaked a bit of the message. What an attacker can do with these encryption keys is currently unknown, since the voting system’s protocols weren’t yet available in English, so Gaudry couldn’t investigate further.

Full Article: Moscow’s blockchain-based internet voting system uses an encryption scheme that can be easily broken - Security Boulevard.

Russia: Prominent journalist Alexey Venediktov has accused ‘Meduza’ of cheating to prove Moscow’s online voting system is hackable. He’s wrong. | Mikhail Zelenskiy/Meduza

This September’s elections for the Moscow City Duma have already gained renown for inspiring regular mass protests, but they are also remarkable for another reason: In three of the Russian capital’s districts, voters will be able to use an online system to select their new representatives. Moscow’s Information Technology Department held intrusion tests on GitHub in late July to verify the integrity of the system: Officials gave programmers several opportunities to attempt to decrypt mock voting data, and each round of data was subsequently published so that it could be compared to the results of those hacking attempts. On August 16, Meduza reported on French cryptographer Pierrick Gaudry’s successful attempt to break through the system’s encryption. To confirm that the encryption keys used in the system are too weak, we also implemented Gaudry’s program ourselves. City Hall officials responded to the successful hackings by refusing to post its private keys and data, thereby preventing outsiders from confirming that the system had indeed been hacked. Instead, Ekho Moskvy Editor-in-Chief Alexey Venediktov, who is also leading the citizens’ board responsible for the elections, accused Meduza of abusing the testing process. Here’s why he’s wrong.

Full Article: Prominent journalist Alexey Venediktov has accused ‘Meduza’ of cheating to prove Moscow's online voting system is hackable. He's wrong. — Meduza.

Switzerland: Swiss post rolls out more secure version of e-voting platform | SWI

The publicly-owned company Swiss Post, which had abandoned its electronic voting system in July over security concerns, has developed a new version. “We have already proposed a solution” to cantons, said general manager Roberto Cirillo in an interview published by the La Liberté newspaper on Friday. According to Cirillo, the company is in the process of defining the rules for testing the new system with cantons. He stressed that the new version will “contain universal verifiability”. At the beginning of July, Swiss Post abandoned its electronic voting system, which means it now cannot be used for the October federal parliamentary elections. The decision was made after subjecting the e-voting system to an intrusion test by thousands of hackers last spring. According to Swiss Post, they were unable to penetrate the electronic ballot box, but found serious errors in the source code, which had to be corrected. The cantons of Neuchâtel, Fribourg, Thurgau and Basel City had adopted this e-voting system, which only offered individual verifiability. Three of them already plan to demand compensation from Swiss Post for failure to deliver.

Full Article: Swiss post rolls out more secure version of e-voting platform - SWI swissinfo.ch.

Russia: Moscow’s blockchain voting system cracked a month before election | Catalin Cimpanu/ZDNet

A French security researcher has found a critical vulnerability in the blockchain-based voting system Russian officials plan to use next month for the 2019 Moscow City Duma election. Pierrick Gaudry, an academic at Lorraine University and a researcher for INRIA, the French research institute for digital sciences, found that he could compute the voting system’s private keys based on its public keys. This private keys are used together with the public keys to encrypt user votes cast in the election. Gaudry blamed the issue on Russian officials using a variant of the ElGamal encryption scheme that used encryption key sizes that were too small to be secure. This meant that modern computers could break the encryption scheme within minutes. “It can be broken in about 20 minutes using a standard personal computer, and using only free software that is publicly available,” Gaudry said in a report published earlier this month. “Once these are known, any encrypted data can be decrypted as quickly as they are created,” he added.

Full Article: Moscow's blockchain voting system cracked a month before election | ZDNet.

Russia: Blockchain Voting System in Moscow Municipal Elections Vulnerable to Hacking: Research Report | Trevor Holman/CryptoNewsZ

A recent research report by a French cryptographer demonstrates that a blockchain voting framework utilized in Moscow’s municipal elections is susceptible to hacking. The researcher at the French government research establishment CNRS, Pierrick Gaudry, have examined the open code of the e-voting platform dependent on Ethereum in his paper. Gaudry inferred that the encryption plan utilized by a portion of the code is “totally insecure.” The research report titled, “Breaking the encryption scheme of the Moscow internet voting system” by Pierrick Gaudry, a researcher from CNRS, French governmental scientific institution had examined the encryption plan used to verify the open code of the Moscow city government’s Ethereum-based platform for e-voting. Gaudry concluded that the encryption scheme utilized by a portion of the code is entirely insecure by clarifying –

We will show in this note that the encryption scheme used in this part of the code is completely insecure. It can be broken in about 20 minutes using a standard personal computer and using only free software that is publicly available. More precisely, it is possible to compute the private keys from the public keys. Once these are known, any encrypted data can be decrypted as quickly as they are created.

Full Article: Blockchain Voting System in Moscow Municipal Elections Vulnerable to Hacking: Research Report - CryptoNewsZ.

National: Why blockchain-based voting could threaten democracy | Lucas Mearian/Computerworld

Public tests of blockchain-based mobile voting are growing.

Even as there’s been an uptick in pilot projects, security experts warn that blockchain-based mobile voting technology is innately insecure and potentially a danger to democracy through “wholesale fraud” or “manipulation tactics.”

The topic of election security has been in the spotlight recently after Congress held classified briefings on U.S. cyber infrastructure to identify and defend against threats to the election system, especially after Russian interference was uncovered in the 2016 Presidential election.

Thirty-two states permit various kinds of online voting – such as via email – for some subset of voters. In the 2016 general election, more 100,000 ballots were cast online, according to data collected by the U.S. Election Assistance Commission. The actual number is likely much higher, according to some experts.

One method of enabling online voting has been to use applications based on blockchain, the peer-to-peer technology that employs encryption and a write-once, append-many electronic ledger to allow private and secure registration information and ballots to be transmitted over the internet. Over the past two years, West Virginia, Denver and Utah County, Utah have all used blockchain-based mobile apps to allow military members and their families living overseas to cast absentee ballots using an iPhone.

Mike Queen, deputy chief of staff for West Virginia Secretary of State Mac Warner, said that while the state currently has no plans to expand the use of the mobile voting beyond military absentee voters, his office did “a ton of due diligence” on the technology before and after using it.

“Not only does blockchain make it secure, but [the blockchain-based mobile app] has a really unique biometric safeguard system in place as well as facial recognition and thumb prints,” Queen said via email after 2018 General Election.

Security experts disagree. The issues around online voting include server penetration attacks, client-device malware, denial-of-service (DoS) attacks and other disruptions, all associated with infecting voters’ computers with malware or infecting the computers in the elections office that handle and count ballots.

“If I were running for office and they decided to use blockchain for that election, I’d be scared,” said Jeremy Epstein, vice chairman of the Association for Computing Machinery’s U.S. Technology Policy Committee.

Epstein co-authored an election security report with Common Cause, the National Election Defense Council, and the R Street Institute, “Email and Internet Voting: The Overlooked Threat to Election Security.” In it, he criticized blockchain and internet voting as a ready target for online attacks by foreign intelligence and said transmission of ballots over the internet, including by email, fax and blockchain systems, are seriously vulnerable.

“Military voters undoubtedly face greater obstacles in casting their ballots. They deserve any help the government can give them to participate in democracy equally with all other citizens,” Epstein wrote. “However, in this threat-filled environment, online voting endangers the very democracy the U.S. military is charged with protecting.”

There are many reasons blockchain is not good for voting, Epstein said. For one, it assumes there’s no malware in the voter’s computer. It also assumes you want all the votes to be perennially public, because if someone finds a way to hack into the blockchain, everyone’s vote becomes public. And, while blockchain networks may be able to handle small absentee voter populations, the technology could not stand up to use by the general voter populace and its volumes.

Until there is a major technological breakthrough in or fundamental change to the nature of the internet, the best method for securing elections is a tried-and-true one: mailed paper ballots, according to Epstein.

While paper ballots are not tamper-proof, they are not vulnerable to the same wholesale fraud or manipulation associated with internet voting, Epstein said.

“Tampering with mailed paper ballots is a one-at-a-time attack. Infecting voters’ computers with malware or infecting the computers in the elections office that handle and count ballots are both effective methods for large-scale corruption,” Epstein said.

West Virginia, the first state to use a blockchain-based mobile voting system, was also criticized by Epstein who said the state was willing to go out on a limb “pretty much more than anyone else” and “never shared publicly how they decided these systems were secure.

“They’re taking word of the vendor,” Epstein said.

What we don’t know about internet voting

In a research paper written by computer scientists from Lawrence Livermore National Laboratory and the University of South Carolina, along with election oversight groups, internet voting startup Voatz was called out for not releasing any “detailed technical description” of its technology.

Voatz’s blockchain-based voting service was the one used West Virginia, Denver and Utah County to enable military absentee voting.

“Most of the details of the architecture and procedure are apparently confidential, though it is not clear why,” the research paper said. “The system has not gone through federal certification, or any public certification to our knowledge. The company has not disclosed its source code nor allowed its system to be examined open by third parties.”

Voatz has contracted with Palo Alto-based authentication company Jumio to perform remote voter authenticaiton. The authentication procedure requires a voter using the Voatz iPhone app to send to Jumio a photo of their driver’s license or passport photo page along with a short, live selfie video of their face. Jumio uses machine learning facial comparison software to determine whether the face on the ID matches the one in the video. If it does, the voter is authenticated.

The researchers questioned the efficacy of using a tiny driver’s license or passport photo for authentication purposes and noted those photos can be up to 10 years old. Among other problems, they also noted facial comparison systems have been discovered to have high error rates, especially for minorities.

One of the groups that contributed to the report was the non-profit Verified Voting Foundation, whose stated purpose is to preserve the democratic process with modern voting technology. Marian Schneider, president of the Verified Voting Foundation, said online voting can’t be made safe and blockchain is an unnecessary complexity.

“Current commercial systems with blockchain components are using the blockchain as an encrypted ballot box. Votes go there after they are susceptible to all of the attacks [already mentioned],” Schneider said. “If something happens, it might not be detected, and incorrect data would be in the blockchain.

“I don’t think online voting can resolve any issues because the issues it purports to resolve create other issues that are worse,” she continued. “The ability to track back to a voter’s vote makes current systems not secret so they do not preserve the right to a secret ballot.”

Voatz CEO Nimit Shawhney called some claims made in the research paper “inaccurate” and his company’s mobile voting system has undergone several independent, third-party audits, including penetration testing and source code reviews.

“These audits were additionally audited by multiple independent security auditors (including former members of the FBI’s elite cyber division). Voatz has also scheduled ongoing audits with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA),” Shawhney said via email.

Federal certification standards for mobile-focused election systems, he noted, are not available “as yet.” And he argued that revealing the company’s intellectual property  would court poaching by competitors.

“We do share the confidential details about our system with our customers and relevant parties (e.g. security auditors),” Shawhney said.

Voatz’s mobile system uses a combination of in-house and third-party solutions, such as Jumio’s, to perform remote identity proofing.

The photograph on a license or passport, Shawhney explained, is just one of the data points used to verify a remote voter’s identity. Others include a short video “selfie,” and a manual review of each image and document comparison.

“Whenever there is even a slight doubt about the veracity of a document or the selfie, the voter is prompted to provided additional information and cannot proceed with the voting process without passing all the checks,” Shawhney said.

The need is real

Blockchain andinternet-based voting platforms, however, have been viewed as one way to boost voter participation by making the process easier through mobile apps that allow both registration and ballot casting to occur from anywhere in the world. Voters in those systems pre-register and then can use their smartphone’s biometric finger print readers or facial recognition technology to sign in to cast their votes.

The number of pilots, while growing, remains relatively small – a few dozen, mainly for shareholder proxy voting and university student government elections. But state and municipal governments have been testing blockchain-based mobile voting over the past year.

In the 2018 election, 144 registered West Virginia voters from 21 counties cast ballots from 31 different countries using an app from Voatz.

New research from the University of Chicago found that allowing military members overseas to vote using a mobile device increased turnout by 3% to 5% among those eligible to use the system in the 2018 federal election in West Virginia.

Anthony Fowler, lead study author and associate professor at the University of Chicago, said that being able to cast ballots online using only smartphones or other mobile devices can dramatically reduce the costs of voting, particularly for under-represented groups, and has significant effects on the size and composition of the voting population.

“We are likely to see more trials soon, so this is a good time to study the consequences of this reform,” Fowler wrote. “New survey data shows that many Americans are understandably wary of online voting.”

A third-party audit conducted by the National Cybersecurity Center (NCC) and Denver Election Divisions showed that votes cast over the blockchain application were recorded and tabulated accurately. The final numbers showed that voter turnout doubled from the 2015 election and a post-election survey from the Denver Elections Division found that 100% of respondents said they favored secure mobile voting over all methods available to them.

“We are very excited about the promise of this technology,” Jocelyn Bucaro, Denver’s Deputy Director of Elections, said in a statement. “Our goal was to offer a more convenient and secure method for military and overseas citizen voters to cast their ballots, and this pilot proved to be successful. More voters participated in this cycle, in part thanks to this convenient method, and those voters who voted using the application prefer to vote by this method in all elections in the future.”

Jonathan Johnson, an Overstock.com board member and the president of Medici Ventures, Overstock’s subsidiary responsible for advancing blockchain technology, believes remote voting via electronic devices will be more widely adopted.

“After a successful pilot program in West Virginia of the Voatz digital remote voting application… more states will look to re-enfranchise their overseas voters,” Johnson said in an earlier interview. “Other states may use it to make accommodations for disabled voters. But, as people get comfortable with it, there will be an outcry for it from the voting citizenry. If I can vote overseas using it, then why can’t I use it when I’m here [in country]?”

Medici Ventures-backed Voatz is among a small community of mobile voting platforms worldwide using blockchain as the basis for a distributed voting system. Other companies include Barcelona-based Scytl, Australia-based SecureVote, London-based Smartmatic Corp. and Cleveland-based Votem Corp. Though Votem reportedly shuttered its operations after layoffs, Votem CEO Peter Martin said via email the company continues to support its customers “and in fact have signed up some new customers.”

Even so, several European countries abandoned internet voting after seeing that the increases in turnout were not as large as expected, the Univeristy of Chicago study pointed out; those lower-than-expected increases, however, could have been affected by already waning voter turnout in those European nations.

Estonia a model for online voting

Estonia, however, has embraced internet-based voting and created the world’s first national online voting system. In 2005, the Baltic nation of 1.3 million people introduced online voting via Smartmatic Corp.’s technology and used it for local government elections; two years later, Estonia used internet voting for parliamentary elections in which more than 30,000 people voted online.

The Estonian internet voting system has now been used in eight major elections over 10 years. Today, online voting participation in the Balkan state has reached 44.4% of the population.

The Parliamentary elections held earlier this year saw an increase of 40% in online participation over the same elections in 2015. Online voting, or i-voting as it’s called in Estonia, takes place in advance of election day and runs until the fourth day before the election. Citizens download a voting application via a national election site, then register through a national ID card or mobile PIN assigned through a registration process.

Estonian citizens and permanent residents can request two forms of digital identification: digi-ID and mobiil-ID. Digi-ID is a card similar to the national ID card that is designed only for online use. The digi-ID card does not have a printed photo of the citizen, and contains less personal data then the national ID card, while still providing authentication and digital signature functions. Mobiil-ID provides similar functionality to digi-ID, but is built into a mobile phone SIM card rather than a chip-and-PIN card. This enables the citizen to perform digital authentication and signing using their mobile phone with no extra hardware.

Smartmatic’s online voting system was also used in the 2016 Utah Republican Party Caucus and voters from more 45 countries, including places as far away as French Polynesia, South Africa and Japan, cast ballots online. Eighty-nine percent of 24,486 registered Utah Republican Party members registered to vote online and participated in the caucus process, according to Smartmatic.

Participation was strongest among voters 56 to 65 years old. After making their selections, online voting participants were asked to provide feedback on their experience: 94% described the online voting experience as good, 97% would consider voting online in future elections and 82% wanted to see online voting implemented nationwide

Smartmatic’s system, however, only uses blockchain to report and tally votes, not as an open network enabling voting itself. The Smartmatic app is downloaded to the voter’s PC and allows them to communicate with the vote forwarding server and cast a ballot. The client is available for Windows, Mac OS and Linux.

Tarvi Martens, former head of Internet Voting at the State Electoral Office in Estonia, said blockchain has nothing to do with i-voting itself.

It’s “about preserving data integrity using distributed model. In [the] i-voting case, the only data is (encrypted) votes. Do we want to distribute them? Hell, no!” Martens said, referring to the transmission of votes via blockchain.

Security issues surrounding online voting, such as server penetration attacks, client-device malware, and DoS attacks, “are all there,” Martens said, but DoS and penetration attacks do not differ from attacks to other online services.

Estonia’s i-voting system features end-to-end verifiability, meaning a voter can check whether their vote arrived at the electronic ballot box (an “e-urn”), “and thus whether his computer behaved well [and] was not infected,” Martens said.

“Auditors/observers can check using independent software whether [the] counting process from e-urn to election results was performed correctly,” Martens said.

West Virginia still the only one to use blockchain in a national election

West Virginia remains the first state and only state to use a blockchain-based mobile voting application for a general election, which was made available only to military members and their dependents living overseas.

This summer, Utah County became the latest government entity to pilot the Voatz mobile voting app for military absentee voters casting ballots in a municipal primary election. Denver also recently allowed overseas voters to use the same platform to participate in its municipal elections.

The Voatz application uses a permissioned blockchain based on the HyperLedger framework first created by IBM and now supported by the Linux Foundation. In the election, verified validating nodes (servers) are used, split evenly between AWS and Microsoft Azure, each of which are geographically distributed, according to Voatz. Military personnel and their families who used the Voatz app only need an Apple or Android smartphone and a state or federal ID.

Voatz uses multi-factor authentication, including iPhone fingerprint and facial recognition, to allow pre-registered voters to submit ballots; all personally identifiable information and voting results are encrypted on the blockchain ledger.

The Voatz app has been used in non-public election voting such as state political party conventions, caucus voting, labor unions, nonprofits and student government elections at universities, according to Voatz CEO Sawhney.

“In the near future, it is anticipated that pilots could be expanded to citizens with disabilities, and/or other absentee voters in a graduated, step-by-step manner,” Sawhney said via email.

The Voatz platform goes to significant lengths to prevent a vote from being submitted if a device is compromised (e.g. rooted or jailbroken) or has malware on it, according to Sawhney. Only certain classes of smartphones equipped with the latest security features are allowed to be used. Voatz conducts frequent security audits, including penetration and source code level, and also was the first elections company to offer a public bug bounty program via HackerOne starting in 2018.

“In line with our commitment to privacy and security, the voter photo-IDs and selfies are deleted soon after verification and are not used for any other purpose outside of voter identity verification,” Sawhney said. “Any biometric information never leaves the secure storage on the mobile devices and is not stored on remote servers.”

But Jacob Hoffman-Andrews, a senior staff technologist with the Electronic Frontier Foundation, said election security experts are “near-unanimous” in their opinion that online voting is too risky.

“Blockchain doesn’t change that, because it doesn’t address the underlying issues with online voting,” Hoffman-Andrews said.

For instance, Hoffman-Andrews explained, if the device you use to vote is compromised by malware, as many laptops and smartphones are, that malware could tamper with a vote before it ever reaches the servers used to count it.

“Internet voting also poses a risk of disruption via denial-of-service attacks, and phishing/misinformation campaigns that lead people to send their vote somewhere where it won’t be tabulated,” Hoffman-Andrews said.

The gold standard in election security is “software independence,” he added.

A voting system is software-independent if an undetected change or error in its code cannot cause an undetectable change or error in an election outcome.

Non-internet elections can and do achieve software independence while still using software to improve the election process, but “it is probably impossible to achieve software independence for internet voting,” Hoffman-Andrews said.

Full Article: Why blockchain-based voting could threaten democracy | Computerworld.

Full Article: Why blockchain-based voting could threaten democracy | Computerworld.