National: Smartphone Voting Could Expand Accessibility, But Election Experts Raise Security Concerns | Abigail Abrams/Time
Some voters with disabilities will be able to cast their ballots on smart phones using blockchain technology for the first time in a U.S. election on Tuesday. But while election officials and mobile voting advocates say the technology has the potential to increase access to the ballot box, election technology experts are raising serious security concerns about the idea. The mobile voting system, a collaboration between Boston-based tech company Voatz, nonprofit Tusk Philanthropies and the National Cybersecurity Center, has previously been used for some military and overseas voters during test pilots in West Virginia, Denver and Utah County, Utah. Now, Utah County is expanding its program to include voters with disabilities in its municipal general election as well. Two Oregon counties, Jackson and Umatilla, will also pilot the system for military and overseas voters on Tuesday. The idea, according to Bradley Tusk, the startup consultant and philanthropist who is funding the pilots, is to increase voter turnout. “We can’t take on every interest group in Washington around the country and beat them, but I think what we can do is let the genie out of the bottle,” he says.
National: New federal guidelines could ban internet in voting machines | Eric Geller/Politico
A long-awaited update to federal voting technology standards could ban voting machines from connecting to the internet or using any wireless technology such as Wi-Fi or Bluetooth. A new draft of version 2.0 of the Voluntary Voting System Guidelines says that voting machines and ballot scanners “must not be capable of establishing wireless connections,” “establishing a connection to an external network” or “connecting to any device that is capable of establishing a connection to an external network.” If they survive a review process, the new rules would represent a landmark development in voting technology oversight, eliminating one of cybersecurity experts’ top concerns about voting machines by plugging holes that skilled hackers could exploit to tamper with the democratic process. The wireless and internet bans are included in the latest draft of the “system integrity” section of the VVSG update. A working group focused on the VVSG’s cybersecurity elements reviewed the document during an Oct. 29 teleconference.
UAE: E-voting technology adopted by UAE a pioneering experiment in the region | Samir Salama/Gulf News
By adopting an election protection system, the National Election Committee reiterates its commitment to hold an election that is characterised by the highest degree of fairness and transparency by implementing the best internationally recognised practices used in the world’s most successful parliaments, said Dr Anwar Mohammad Gargash, Minister of State for Foreign Affairs, Minister of State for Federal National Council Affairs and Chairman of the National Election Committee. Dr Gargash said on the eve of the early voting that starts today at nine polling stations across the country, the highly accurate e-voting technology adopted by the NEC is a pioneering experiment in the region, which the UAE introduced during the first Federal National Council Elections in 2006.
Utah: Mobile voting system used in Utah County subject of attempted 2018 West Virginia breach | Graham Dudley/KSL
The FBI is investigating an attempted intrusion of the Voatz mobile voting system during West Virginia’s 2018 midterm elections, officials announced last week, throwing a spotlight onto an experimental app that Utah County used for the first time in this year’s primary elections. Mike Stuart, U.S. attorney for the Southern District of West Virginia, said in a statement that there was “no intrusion and the integrity of votes and the election system was not compromised.” Stuart also said that the FBI investigation into the attempt is ongoing and that it’s still not determined whether any federal laws were violated. Voatz is a new technology allowing overseas voters, like missionaries and U.S. military personnel, an alternative to email or traditional mail-in voting, which have long sparked concerns over security and anonymity risks. It’s an app that uses blockchain technology, a sort of public digital ledger, to encrypt and secure votes.
West Virginia: The FBI is investigating West Virginia’s blockchain-based midterm elections | Matthew De Silva/Quartz
During the 2018 midterm elections, somebody tried to hack Voatz, the blockchain-based voting system used by West Virginia. The attack was unsuccessful, but is under investigation by the FBI, said Andrew Warner, West Virginia’s secretary of state in an Oct. 1 press conference. “In last year’s election, we detected activity that may have been an attempt to penetrate West Virginia’s mobile voting process,” said Warner. “No penetration occurred and the security protocols to protect our election process worked as designed. The IP addresses from which the attempts were made have been turned over to the FBI for investigation. The investigation will determine if crimes were committed.” The hacking attempt may have stemmed from an election security class at the University of Michigan, CNN reported Friday (Oct. 4). Last November, 144 West Virginian voters—including active members of the US military serving overseas—used Boston-based Voatz, a blockchain-enabled smartphone application, to cast their ballots for the Senate and House of Representatives as well as for state and local offices. That’s a small number, but could be consequential, especially in close races. Four seats in West Virginia’s House of Delegates were decided by less than 150 votes.
West Virginia: Alleged mobile voting app hack linked to University of Michigan | Benjamin Freed/StateScoop
Federal investigators looking into an alleged hacking attempt against the mobile app that West Virginia officials used to collect ballots from overseas voters in the 2018 election are determining if the incident was the result of computer-science students at the University of Michigan testing for vulnerabilities. CNN reported Friday that the FBI is investigating “a person or people” who attempted to access the app — Voatz — as part of a cybersecurity course at University of Michigan, which is one of a handful of universities with a curriculum focused on election security. Mike Stuart, the U.S. attorney for West Virginia, revealed the investigation last Tuesday, saying that during the 2018 election cycle his office was alerted by West Virginia Secretary of State Mac Warner that there was an “attempted intrusion by an outside party” to access the Voatz app. According to state officials and the app’s developers, Voatz is designed only to grant ballot access to qualified voters who go through multiple layers of biometric identification, including facial-recognition and fingerprint scanning.
West Virginia: Hackers try to access West Virginia’s mobile voting app | GCN
Someone tried to hack into West Virginia's blockchain-enabled mobile voting system during the 2018 election cycle. The attack happened during the pilot rollout of West Virginia’s mobile voting pilot that uses a smartphone application developed by Boston-based Voatz to enable eligible overseas voters to receive and return their ballot securely using a mobile device. The app lets military and overseas voters who qualify under the Uniformed and Overseas Citizens Act verify their identities by providing biometric proof in the form of a photo of their driver’s license, state ID or passport that is matched to a selfie. Once voters' identities are confirmed, they receive a mobile ballot based on the one that they would receive in their local precinct. A confirmation message is sent to the voter’s smartphone when the vote is uploaded to the blockchain's series of secure, redundant, geographically dispersed servers, which ensures the votes cannot be tampered with once they've been recorded.
West Virginia: Hacking attempt reported against West Virginia’s mobile voting app | Benjamin Freed/StateScoop
The FBI is investigating an alleged hacking attempt against the mobile app that West Virginia officials used to collect ballots from some overseas voters during the 2018 election cycle, the Justice Department announced Tuesday. Mike Stuart, the U.S. attorney for West Virginia, said that during last year’s election cycle, his office received a report from West Virginia Secretary of State Mac Warner pertaining to an “attempted intrusion by an outside party” to access the app, Voatz, which Warner’s office has heralded as the future of voting for expat U.S. citizens, especially deployed members of the military. The attempt, Stuart continued, appeared to be unsuccessful, with no actual intrusion or effect on the 144 ballots that were cast in last year’s general election. “No penetration occurred and the security protocols to protect our election process worked as designed,” Warner said at a press conference Tuesday in Charleston, the state capital. Still, Warner said, the attempted intrusion was referred to the FBI for investigation as a “deterrent” against attempts by outside actors to interfere with the state’s election process.
West Virginia: Attempted hack of military app investigated | Steve Allen Adams/The Intermountain
Federal and state officials announced this week an FBI investigation into an attempted hack on the new app for overseas deployed military voters and their families and warned others not to make the attempt. Mike Stuart, U.S. attorney for the Southern District of West Virginia, and Secretary of State Mac Warner held a press conference at the Robert C. Byrd Courthouse in downtown Charleston. According to Warner, there was an attempt to hack the Secure Military Voting Application during the 2018 elections. The mobile app allows deployed military and their families to download an app and vote for candidates after they apply to use the app and are approved. “In last year’s election, we detected activity that may have been an attempt to penetrate West Virginia’s mobile voting process,” Warner said. “No penetration occurred and the security protocols to protect our election process worked as designed.” During the mobile voting process, the virtual ballot is encrypted and secured utilizing blockchain technology, then sent to the voter’s county clerk in West Virginia where their ballot is printed and tabulated. West Virginia was the first state to use mobile voting, first in a pilot project during the 2018 primary election, then a full rollout for any county that wanted to participate in the 2018 general election.
West Virginia: FBI called in to investigate 2018 Mountain State mobile voting system hacking | Shaun Nichols/The Register
The state of West Virginia says someone attempted to hack its citizens' votes during the 2018 mid-term elections. A statement issued this week by US Attorney Mike Stuart of the Southern District of West Virginia revealed that the FBI has been called in and is actively investigating at least one attempt to tamper with election results. "My office instituted an investigation to determine the facts and whether any federal laws were violated. The FBI has led that investigation," Stuart said. "That investigation is currently ongoing and no legal conclusions whatsoever have been made regarding the conduct of the activity or whether any federal laws were violated." According to the US attorney, the unknown hacker, only referred to as an 'outside party', tried (and failed) to get access to the mobile voting system the state used for military service members stationed overseas.
Canada: Online voting in Northwest Territories election questioned as recounts set to take place | Hilary Bird/CBC
With two recounts set to take place in the next 10 days, one candidate in Tuesday's Northwest Territories election says he has some concerns with how online votes will be recounted. Under the Elections and Plebiscite Act of the Northwest Territories, races that are won with a margin of less than two per cent must have judicial recounts within 10 days of the official results being released. That means ballots cast in the Frame Lake and Yellowknife North ridings will all need to be recounted by a judge. Rylund Johnson won in Yellowknife North by just five votes over incumbent Cory Vanthuyne. Johnson got 501 votes; Vanthuyne received 496. In Yellowknife's Frame Lake riding, incumbent Kevin O'Reilly won by a slim margin with 357 votes. The riding's only other candidate, former minister Dave Ramsay, received 346 votes. Ramsay told CBC News Wednesday that he has already seen discrepancies between unofficial numbers reported by Elections NWT Tuesday evening and numbers reported Wednesday morning after returning officers double-checked the polls.
Mexico: Mexicans living abroad could cast their vote online for the first time in 2021 | Alexandra Mendoza/The San Diego Union-Tribune
Mexicans living abroad could cast their vote online as soon as the 2021 midterm elections. For almost 15 years, voters wanting to participate in Mexican elections from outside the country voted by mail. The new process of voting online will have to go through several tests to make sure it is error free, according to Enrique Andrade, a counselor with Mexico’s National Electoral Institute (INE). “It’s not something simple,” he said during a recent visit to San Diego. “It’s going to depend a lot on the trust in the system”. In the 2018 elections, about 182,000 Mexicans registered to vote from abroad and 54 percent cast their ballots. In 2012, almost 60,000 Mexicans registered to vote, with 69 percent participating in the election. Last year was the third time that Mexicans were allowed to vote from abroad, but the first one in which they could apply for the credential to vote in the consulate.
West Virginia: FBI investigating attempted breach of Voatz mobile voting app | Mark Albert/WTAE
One or more people tried to penetrate West Virginia’s mobile voting system during the Midterm election, the Hearst Television National Investigative Unit has confirmed, leading to new worries about the security of certain election platforms ahead of next year’s general election. The Mountain State was the first to use mobile voting for military and overseas voters. Tuesday’s announcement in the state capital of Charleston by state and federal authorities of the attempted breach came on the first day of National Cybersecurity Awareness Month. The U.S. Attorney for the Southern District of West Virginia, Mike Stuart, says the case has now been turned over to the Federal Bureau of Investigation for investigation. Sources tell the National Investigative Unit the attempted intrusion of the mobile voting app is believed to have come from inside the U.S., not from overseas. At a news conference Tuesday afternoon at the federal courthouse in Charleston, Stuart delivered a warning to anyone who may attempt to breach an election system. “Don't do it. Don't even think about it. We're serious about maintaining the integrity of our election system and we will prosecute those folks who violate federal law,” Stuart said.
National: Blockchain e-voting: Backed by US candidate, hacked in Moscow | Sarah Wray/SmartCitiesWorld
The debate over blockchain-based political voting re-emerged recently as Democratic US presidential hopeful Andrew Yang backs the technology to boost voter numbers and security, while a French researcher has hacked into the blockchain-based voting system which officials plan to use next month for the 2019 Moscow City Duma election. On his campaign website, Yang states that voting should be available via mobile devices with verification through blockchain. He argues that modernising voting with decentralised ledger technology could increase security, reduce inconsistent processes between states and restore confidence in democracy. Philip Boucher, a European Policy Research Service (EPRS) policy analyst, explains the theory behind blockchain voting: “In elections, we usually have a central authority that records, checks and counts all of the votes. With blockchain, the process is decentralised so everyone can hold a copy of the full voting record on their own devices. The data is encrypted to protect the identity of individual voters. Illegitimate votes cannot be added and the historical record cannot be changed because everyone holds a copy and can check that all of the votes comply with the rules and are counted properly.” Some have even suggested that in future, blockchain votes could be encoded into ‘smart contracts’ so that the results automatically take effect “like a self-implementing manifesto”. Several countries and local authorities have explored or experimented with the idea of digital voting.
Estonia: E-voting workgroup recommends more audits and observers | ERR
Experts put forward suggestions and recommendations at the second meeting of the e-election working group on Wednesday, commissioned by minister Kert Kingo (EKRE). Over the past month, committee members have submitted 30 suggestions for improvements. At the second meeting suggested proposals were put forward in three areas. Head of the working group Raul Rikk said that firstly more resources should be made available so that several independent auditors can check the processes of e-voting. He said this would increase their credibility in Estonia and around the world. The group is also proposing that the number of people involved in conducting and supervising elections should increase and to raise the number of independent observers at election counts. Rikk said this could be done, for example, by making it obligatory for a representative from each political party to attend the election counts. Experts could also be invited to follow the process or IT students could be encouraged to write reports. These changes would help to increase the number of people in society who have received training in the electoral process and understand the structure of the system, Rikk said.
Italy: The Five Star digital voting platform that could threaten a government deal in Italy | Franck Iovene/AFP
If Italy's political parties can agree on a government deal, it would still need to clear a final hurdle: the online voting platform of the Five Star Movement (M5S), which has long championed so-called 'digital democracy'. The platform, named after the 18th-century French philosopher Jean-Jacques Rousseau, is supposed not only to empower ordinary citizens but guarantee transparency -- but it has been slammed as secretive and vulnerable to cyber attacks. Launched in 2016, it currently has some 100,000 members, M5S chief Luigi Di Maio said in July. But critics have lamented a lack of official documentation or certification from a third party to attest that this figure is correct. The M5S's blog says the number of people registered on "Rousseau" rose from 135,000 in October 2016 to nearly 150,000 in August 2017, before dropping to 100,000 a year later. But political analysts say it cannot be seen as representative of M5S supporters, as the membership numbers are a drop in the ocean compared to the 10.7 million Italians who voted for M5S in the 2018 general election.
Australia: Where’s the proof internet voting is secure? | Vanessa Teague/Pursuit
Victoria’s Electoral Commissioner, Warwick Gately AM, says that Victoria should legislate to allow Internet voting because “there is an inevitability about remote electronic voting over the internet.” According to Mr Gately, the NSW iVote system has, “proven the feasibility of casting a secret vote safely and securely over the internet”. The key word here is “proven”. Anyone can claim that their system is secure and protects people’s privacy, but how would we know? Elections have special requirements. Ballot privacy is mandated by law. And elections must demonstrate that the result accurately reflects the choice of the people. So, what has iVote proven? In 2015, our team found that the iVote site was vulnerable to an internet-based attacker who could read and manipulate votes. The attack wouldn’t have raised any security warnings at either the voter’s or the NSW Electoral Commission (NSWEC) end, but it should have been apparent from iVote’s telephone-based verification. When the NSWEC claimed that “some 1.7 per cent of electors who voted using iVote® also used the verification service and none of them identified any anomalies with their vote,” we took that as reasonable evidence that the security problem hadn’t been exploited. But it wasn’t true.
Russia: Moscow’s blockchain-based internet voting system uses an encryption scheme that can be easily broken | Sugandha Lahoti/Security Boulevard
Russia is looking forward to its September 2019 elections for the representatives at the Parliament of the city (the Moscow City Duma). For the first time ever, Russia will use Internet voting in its elections. The internet-based system will use blockchain developed in-house by the Moscow Department of Information Technology. Since the news broke out, security experts have been quite skeptical about the overall applicability of blockchain to elections. Recently, a French security researcher Pierrick Gaudry has found a critical vulnerability in the encryption scheme used in the coding of the voting system. The scheme used was the ElGamal encryption, which is an asymmetric key encryption algorithm for public-key cryptography. Gaudry revealed that it can be broken in about 20 minutes using a standard personal computer and using only free software that is publicly available. The main problem, Gaudry says, is in the choice of three cyclic groups of generators. These generators are multiplicative groups of finite fields of prime orders each of them being Sophie Germain primes. These prime fields are all less than 256-bit long and the 256×3 private key length is too little to guarantee strong security. Discrete logarithms in such a small setting can be computed in a matter of minutes, thus revealing the secret keys, and subsequently easily decrypting the encrypted data. Gaudry also showed that the implemented version of ElGamal worked in groups of even order, which means that it leaked a bit of the message. What an attacker can do with these encryption keys is currently unknown, since the voting system’s protocols weren’t yet available in English, so Gaudry couldn’t investigate further.
Russia: Prominent journalist Alexey Venediktov has accused ‘Meduza’ of cheating to prove Moscow’s online voting system is hackable. He’s wrong. | Mikhail Zelenskiy/Meduza
This September’s elections for the Moscow City Duma have already gained renown for inspiring regular mass protests, but they are also remarkable for another reason: In three of the Russian capital’s districts, voters will be able to use an online system to select their new representatives. Moscow’s Information Technology Department held intrusion tests on GitHub in late July to verify the integrity of the system: Officials gave programmers several opportunities to attempt to decrypt mock voting data, and each round of data was subsequently published so that it could be compared to the results of those hacking attempts. On August 16, Meduza reported on French cryptographer Pierrick Gaudry’s successful attempt to break through the system’s encryption. To confirm that the encryption keys used in the system are too weak, we also implemented Gaudry’s program ourselves. City Hall officials responded to the successful hackings by refusing to post its private keys and data, thereby preventing outsiders from confirming that the system had indeed been hacked. Instead, Ekho Moskvy Editor-in-Chief Alexey Venediktov, who is also leading the citizens’ board responsible for the elections, accused Meduza of abusing the testing process. Here’s why he’s wrong.
Switzerland: Swiss post rolls out more secure version of e-voting platform | SWI
The publicly-owned company Swiss Post, which had abandoned its electronic voting system in July over security concerns, has developed a new version. "We have already proposed a solution" to cantons, said general manager Roberto Cirillo in an interview published by the La Liberté newspaper on Friday. According to Cirillo, the company is in the process of defining the rules for testing the new system with cantons. He stressed that the new version will "contain universal verifiability". At the beginning of July, Swiss Post abandoned its electronic voting system, which means it now cannot be used for the October federal parliamentary elections. The decision was made after subjecting the e-voting system to an intrusion test by thousands of hackers last spring. According to Swiss Post, they were unable to penetrate the electronic ballot box, but found serious errors in the source code, which had to be corrected. The cantons of Neuchâtel, Fribourg, Thurgau and Basel City had adopted this e-voting system, which only offered individual verifiability. Three of them already plan to demand compensation from Swiss Post for failure to deliver.
Russia: Moscow’s blockchain voting system cracked a month before election | Catalin Cimpanu/ZDNet
A French security researcher has found a critical vulnerability in the blockchain-based voting system Russian officials plan to use next month for the 2019 Moscow City Duma election. Pierrick Gaudry, an academic at Lorraine University and a researcher for INRIA, the French research institute for digital sciences, found that he could compute the voting system's private keys based on its public keys. These private keys are used together with the public keys to encrypt user votes cast in the election. Gaudry blamed the issue on Russian officials using a variant of the ElGamal encryption scheme that used encryption key sizes that were too small to be secure. This meant that modern computers could break the encryption scheme within minutes. "It can be broken in about 20 minutes using a standard personal computer, and using only free software that is publicly available," Gaudry said in a report published earlier this month. "Once these [private keys] are known, any encrypted data can be decrypted as quickly as they are created," he added.
Russia: Blockchain Voting System in Moscow Municipal Elections Vulnerable to Hacking: Research Report | Trevor Holman/CryptoNewsZ
A recent research report by a French cryptographer demonstrates that a blockchain voting framework utilized in Moscow’s municipal elections is susceptible to hacking. The researcher at the French government research establishment CNRS, Pierrick Gaudry, has examined the open code of the e-voting platform dependent on Ethereum in his paper. Gaudry inferred that the encryption plan utilized by a portion of the code is “totally insecure.” The research report titled, “Breaking the encryption scheme of the Moscow internet voting system” by Pierrick Gaudry, a researcher from CNRS, French governmental scientific institution had examined the encryption plan used to verify the open code of the Moscow city government’s Ethereum-based platform for e-voting. Gaudry concluded that the encryption scheme utilized by a portion of the code is entirely insecure by clarifying – We will show in this note that the encryption scheme used in this part of the code is completely insecure. It can be broken in about 20 minutes using a standard personal computer and using only free software that is publicly available. More precisely, it is possible to compute the private keys from the public keys. Once these are known, any encrypted data can be decrypted as quickly as they are created.
National: Why blockchain-based voting could threaten democracy | Lucas Mearian/Computerworld
Public tests of blockchain-based mobile voting are growing.
Even as there’s been an uptick in pilot projects, security experts warn that blockchain-based mobile voting technology is innately insecure and potentially a danger to democracy through “wholesale fraud” or “manipulation tactics.”
The topic of election security has been in the spotlight recently after Congress held classified briefings on U.S. cyber infrastructure to identify and defend against threats to the election system, especially after Russian interference was uncovered in the 2016 Presidential election.
Thirty-two states permit various kinds of online voting – such as via email – for some subset of voters. In the 2016 general election, more than 100,000 ballots were cast online, according to data collected by the U.S. Election Assistance Commission. The actual number is likely much higher, according to some experts.
One method of enabling online voting has been to use applications based on blockchain, the peer-to-peer technology that employs encryption and a write-once, append-many electronic ledger to allow private and secure registration information and ballots to be transmitted over the internet. Over the past two years, West Virginia, Denver and Utah County, Utah have all used blockchain-based mobile apps to allow military members and their families living overseas to cast absentee ballots using an iPhone.
Mike Queen, deputy chief of staff for West Virginia Secretary of State Mac Warner, said that while the state currently has no plans to expand the use of the mobile voting beyond military absentee voters, his office did “a ton of due diligence” on the technology before and after using it.
“Not only does blockchain make it secure, but [the blockchain-based mobile app] has a really unique biometric safeguard system in place as well as facial recognition and thumb prints,” Queen said via email after the 2018 General Election.
Security experts disagree. The issues around online voting include server penetration attacks, client-device malware, denial-of-service (DoS) attacks and other disruptions, all associated with infecting voters’ computers with malware or infecting the computers in the elections office that handle and count ballots.
“If I were running for office and they decided to use blockchain for that election, I’d be scared,” said Jeremy Epstein, vice chairman of the Association for Computing Machinery’s U.S. Technology Policy Committee.
Epstein co-authored an election security report with Common Cause, the National Election Defense Council, and the R Street Institute, “Email and Internet Voting: The Overlooked Threat to Election Security.” In it, he criticized blockchain and internet voting as a ready target for online attacks by foreign intelligence and said transmission of ballots over the internet, including by email, fax and blockchain systems, are seriously vulnerable.
“Military voters undoubtedly face greater obstacles in casting their ballots. They deserve any help the government can give them to participate in democracy equally with all other citizens,” Epstein wrote. “However, in this threat-filled environment, online voting endangers the very democracy the U.S. military is charged with protecting.”
There are many reasons blockchain is not good for voting, Epstein said. For one, it assumes there’s no malware in the voter’s computer.
