National: Is Secure Online Voting Too Good To Be True? (For Voatz, It Might Be) | Chitra Ragavan/Swaay

When Amelia Powers Gardner won political office as county clerk and auditor in Utah County, Utah, in January 2019, she was determined to fix what she viewed as the county’s archaic and dysfunctional voting mechanisms. Around that same time, nearly 800 miles northwest, Christine Walker, the long-time county clerk in Jackson County, Oregon, had been deploying various hardware and software products to revamp her county’s voting technology and processes with little success. She was ready for something new.  Walker and Gardner don’t know each other. But when they each learned about a small Boston-based tech startup, called Voatz, that had built the first mobile voting app and platform secured by blockchain technology, they were immediately intrigued. And upon discovering that West Virginia and Colorado were already testing the app for absentee military voters overseas, the two election leaders were even more eager to put their counties on the map as trailblazers in online voting.  “I like to be the person that’s kind of setting the pace, not just following along,” says Walker, who prides herself on her tech-savvy leadership. Gardner, a former Caterpillar executive, automotive technologist, and business efficiency expert, is similarly technologically inclined. Noble intentions aside, Walker and Gardner’s vote of confidence in Voatz may be misplaced, say members of the cybersecurity community who have repeatedly warned the U.S. government that the app is vulnerable to hacking. These experts, along with several members of Congress, have criticized Voatz for its failures in transparency, lack of accountability, and refusal to release its source code so that it can be better tested for security flaws.

Full Article: Is Secure Online Voting Too Good To Be True? (For This Company, It Might Be)

Philippines: Biometric election solution providers pitch on remote online voting systems | Heart Castañeda/Manila News

Biometric technology providers Voatz and Smartmatic will pitch their remote online voting systems as two of four companies being considered by the Philippines government in a four-day set of consultations, the Philippine Canadian Inquirer reports. Meetings between the Office for Overseas Voting (OFOV), the Commission on Elections (Comelec), and the four companies, which also include Dominion Voting Systems and Indra, are expected to wrap up this week. “The purpose of the consultation is to be able to gather enough information on online voting that can be presented to Congress for its consideration,” Comelec spokesperson James Jimenez said, according to the Inquirer. “If and when such a system is eventually put into action depends on Congress.” Jimenez also said the solutions may not be in place for the upcoming elections in 2022. The Philippines began automating its election system in 2010, and utilized vote counting machines in 2019.

Full Article: Biometric election solution providers pitch Philippines on remote online voting systems – Manila News

Utah: Cast your next vote by phone? Lawmakers approve pilot proposal | Art Raymond/Deseret News

Even as the tumult surrounding 2020 election processes and results continues, Utah lawmakers are looking ahead to potential new ways to help residents easily and securely engage their civic voting duties. An interim legislative committee this week advanced a proposal from Rep. Mike Winder aiming to expand opportunities for Utah cities interested in testing new, internet-based systems that allow voters to cast their ballots via smartphone. … Committee member Rep. Suzanne Harrison, D-Draper, said she was concerned about public reports from cybersecurity experts critical of internet-based voting systems and, in particular, the Voatz system that’s been in use by Utah County. “There have been a host of articles highlighting the concerns with electronic voting and even specific critiques of the Voatz app that Utah County has been using,” Harrison said. “MIT came out with a research paper … also Homeland Security itself had concerns. There’s too many cybertechnology experts that say it’s impossible to secure these devices and these apps and that the technology is just not where it needs to be to expand these projects.”

Full Article: Cast your next vote by phone? Utah lawmakers approve pilot proposal – Deseret News

National: A ruling against expanding online voting is a win for cybersecurity advocates | Joseph Marks/The Washington Post

A federal judge yesterday dismissed a lawsuit that sought to dramatically expand online voting by military service members and other citizens living overseas, halting an effort that critics say could have made the election far more vulnerable to hacking. The overseas voters who brought the suit hail from seven states and said they fear restrictions and slowdowns between the U.S. Postal Service and the postal services where they live raise dangers their ballots won’t arrive in time to be counted. They wanted an option of submitting the ballots as PDF attachments to emails or using a secure fax system managed by the Defense Department. Similar voting methods are available to overseas voters from 30 other states. The ruling underscores how efforts to make voting easier during the pandemic can sometimes clash with efforts to protect the election against foreign interference.

National: Why Can’t People Vote Online? Election Security Analysts Weigh In | Chris Iovenko/Observer

The coronavirus pandemic has radically changed the way we live; it is also upending the way we vote. Traditional polling stations, which often have long lines and use crowded indoor spaces and shared voting equipment, pose substantial risks for spreading the disease. Unless there is a massive switch to remote voting, the predicted second wave of COVID-19 this fall could be catastrophically escalated by large in-person turnouts at polling stations. And in turn, efforts to prevent increased infections can be used as an excuse for targeted, discriminatory curtailment of in-person voting, with the outrageous events in Georgia’s primary election on Tuesday a clear example of the potential derailment of democracy. Currently, the most common way to vote remotely is by mail. It’s a proven, convenient, and safe technique; in the 2016 election,  1 in 4 Americans voted by mail. However, President Donald Trump (who himself votes by mail) and his allies have falsely attacked vote-by-mail as wide-open to fraud and an attempt by Democrats to steal the election. The Republican National Committee has launched a lawsuit in California contesting expansion of vote-by-mail and in states controlled by Republicans obstacles to voting by mail will likely be greater than those faced by voters in other states.

Utah: Utah County Clerk Received Campaign Donation from Investor In Voting App The County Now Uses | Sonja Hutson/KUER

Utah County Clerk/Auditor Amelia Powers Gardner received a $1,500 campaign donation from an investor in the blockchain voting app Voatz in 2018, roughly 16 months before the county first used the app in its elections. Utah County started using Voatz for a primary municipal election in August 2019, so military and overseas voters could cast their ballots through an app. The county expanded the pilot program in November 2019 to allow voters with disabilities to use it. In her role, Powers Gardner supervises the county’s elections. When she first ran for the position in 2018, Powers received a campaign contribution from Overstock.com CEO Jonathan Johnson in early April. Johnson is also the president of Medici Ventures, which is a major investor in Voatz. In January 2018, the app announced it had raised $2.2 million in a round of seed funding led by Medici Ventures.

Philippines: Comelec to push test run of mobile voting app | Leslie Ann Aquino/Manila Bulletin

The Commission on Elections (Comelec) is pushing through with the plan to test run the mobile voting application for possible use in future poll exercises. Poll Commissioner Rowena Guanzon said they will hold the test run as soon as it is safe to conduct it. “We have to choose countries where there are very low risk of contamination,” she said. “We have to find ways to test it without personal contact with the providers,” she added. Guanzon, Comelec – Office for Overseas Voting (OFOV) commissioner-in-charge, said with the COVID-19 pandemic, there is more reason to push for mobile app voting by Filipinos overseas especially those in the United States and seafarers. The Comelec en banc had earlier approved the test run of the mobile voting application overseas for possible use in the May, 2022 polls.

West Virginia: Online Voting Has Worked So Far. That Doesn’t Mean It’s Safe | Lily Hay Newman/WIRED

West Virginia state delegate Eric Porterfield is blind and usually votes at a polling place using an accessible voting machine. He would need assistance to fill out a regular mail-in paper ballot, reducing his ability to keep his votes private. But thanks to a state law passed in January to address accessible remote voting, Porterfield has a new alternative for his state’s June 9 primary. For the first time, he plans to submit his absentee ballot online. “The gold standard for you or me or anyone is to be able to fulfill our constitutional right to vote by private ballot,” Porterfield says. The Covid-19 pandemic has made internet voting options more tempting than ever for election officials across the US. But election integrity advocates and security experts continue to warn that remote digital voting systems, whether mobile apps or cloud portals, do not have strong enough security guarantees for prime time. On Friday, a group of federal agencies including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Election Assistance Commission sent a risk assessment to states, warning that “electronic ballot return technologies are high-risk even with controls in place.”

National: HackerOne cuts ties with mobile voting firm Voatz after it clashed with researchers | Sean Lyngaas/CyberScoop

HackerOne, a company that pairs ethical hackers with organizations to fix software flaws, has kicked mobile voting vendor Voatz off its platform, citing the vendor’s hostile interactions with security researchers. It’s the first time in its eight-year existence that HackerOne, which works with companies from AT&T to Uber, has expelled an organization from its bug-bounty-hosting platform, a HackerOne spokesperson said. The decision comes after Voatz assailed the motives of MIT researchers who found flaws in the company’s voting app. “After evaluating Voatz’s pattern of interactions with the research community, we decided to terminate the program on the HackerOne platform,” a HackerOne spokesperson told CyberScoop. “We partner with organizations that prioritize acting in good faith towards the security researcher community and providing adequate access to researchers for testing.” It is the latest security-related setback for Voatz, which is trying to make inroads in a market dominated by traditional voting machine manufacturers. In the last two years, a smattering of U.S. counties have used the Voatz smartphone app in elections to try to improve turnout.

National: Cybersecurity Experts Say Hacking Risk Is High for Mobile Voting | Kartikay Mehrotra/Bloomberg

While Senators Amy Klobuchar and Ron Wyden push to expand vote-by-mail programs, a small group of companies argue for an alternative, one they claim will boost voter participation nationwide: mobile voting. Jurisdictions in at least 15 states are planning to use mobile balloting in a limited capacity in 2020 to account for overseas voters and those with disabilities. Proponents of a digital electorate hope the coronavirus spurs adoption of their technology. The virus has provided an “opportunity,” says Bradley Tusk, chief executive officer of Tusk Holdings and a supporter of mobile voting: “People are being told by the government not to congregate, and that’s a pretty clear directive not to go vote.” Tusk, who says he hasn’t invested in any mobile voting companies, has spent “in the low seven figures” helping local governments cover the costs of adopting the systems. Massachusetts Institute of Technology doctoral student Michael Specter describes Tusk’s position as a “false dichotomy” that ignores postal ballots. He and his colleagues say mobile voting technology is unproven and opens the door to cyber risks. A mobile voting app called Voatz has already been used in federal, local, and partywide elections in Denver, Oregon, Utah, and West Virginia. In a paper published in March, cybersecurity research firm Trail of Bits discovered 79 flaws in the Voatz system, including one that allows someone armed with the proper credentials to alter votes. The paper, funded in part by Tusk and Voatz, expanded on findings published in February by Specter and his MIT colleague James Koppel.

National: Audit finds severe vulnerabilities in Voatz mobile voting app | Benjamin Freed/StateScoop

An extensive audit published Friday of Voatz, the mobile app that’s been used to collect live ballots from overseas voters in multiple states since early 2018, revealed 16 “severe” technical vulnerabilities. These include sensitive user data being exposed to the company’s developers and improper use of cryptographic algorithms, a blow to a company that has staked its reputation on its use of blockchain technology. The audit confirmed the findings revealed last month by researchers at the Massachusetts Institute of Technology who found, among other flaws, that Voatz’s use of a third-party vendor to authenticate the identity of its users could compromise the anonymity of ballots the app collects. But unlike other reviews of Voatz’s technology, including the MIT study, the new audit, which was prepared by the cybersecurity firm Trail of Bits, was authorized by the company and Tusk Philanthropies, the venture capital-backed foundation that’s been promoting online voting by funding pilot uses of Voatz around the United States for nearly two years. Among the most glaring vulnerabilities Trail of Bits found was that Voatz had been storing authentication key passwords, which are required to release new versions of the app and could give an attacker an opening to masquerade as Voatz to distribute malware. Researchers also criticized Voatz for its reliance on unvalidated client data and weak security procedures, including a lack of insufficient continuous monitoring and risk-assessment plans. The audit’s executive summary chalks up Voatz’s flaws as a result of the company’s rush to get its app to market.

National: Our Full Report on the Voatz Mobile Voting Platform | Trail of Bits Blog

Voatz allows voters to cast their ballots from any geographic location on supported mobile devices. Its mobile voting platform is under increasing public scrutiny for security vulnerabilities that could potentially invalidate an election. The issues are serious enough to attract inquiries from the Department of Homeland Security and Congress. However, there has been no comprehensive security report to provide details of the Voatz vulnerabilities and recommendations for fixing them—until now. Trail of Bits has performed the first-ever “white-box” security assessment of the platform, with access to the Voatz Core Server and backend software. Our assessment confirmed the issues flagged in previous reports by MIT and others, discovered more, and made recommendations to fix issues and prevent bugs from compromising voting security. Trail of Bits was uniquely qualified for this assessment, employing industry-leading blockchain security, cryptographic, DARPA research, and reverse engineering teams, and having previously assessed other mobile blockchain voting platforms. Our security review resulted in seventy-nine (79) findings. A third of the findings are high severity, another third medium severity, and the remainder a combination of low, undetermined, and informational severity.

Read our Voatz security report and threat model for full details.

Washington: Senate committee reviewing Secretary of State’s election security bill | Northern Kittitas County Tribune

Secretary of State Kim Wyman’s election-security legislation, Senate Bill 6412, received a hearing in the Senate State Government, Tribal Relations and Elections Committee recently. The bill aims to bolster election security on four fronts — eliminate cyber threats by removing risky electronic ballot-return methods, improve third-party ballot collection, provide post-election security through statistical audits, and appropriate $1.8 million in order to draw nearly $9 million in federal matching funds to augment security. Sen. Hans Zeiger, R-Puyallup, is sponsoring the bill. “These critical election security improvements cannot wait. Cyber criminals are relentless, and in this upcoming, momentous election cycle, voters need to have confidence that our systems are secure and their information will remain protected,” said Wyman. “The race to secure our elections has no finish line, but Senate Bill 6412 propels elections officials in the right direction for 2020 and beyond.” Testifying in support of the bill was Kirstin Mueller, election-security issue chair for the League of Women Voters of Washington. “Over the last few years, detailed cybersecurity reports have been released, outlining what each state can do to improve the security of their elections. These reports have many recommendations in common – ensure a secure chain of custody of voted ballots, require paper ballots that voters have marked by hand or with the use of an assistive device, perform statistically based post-election audits that can catch and correct incorrect election outcomes, and keep all elements of voting and tabulation away from the internet. This legislation improves Washington’s election security in all of these critical areas,” Mueller said. “We believe this bill provides the right balance of access and security, and it protects organizations like the League, who want to help, by providing a way to track ballots.”

West Virginia: Secretary of State opts for different voting application for electronic absentee ballots | Chris Lawrence/WV MetroNews

The Secretary of State’s office will go with a different vendor as they work to expand electronic absentee voting in West Virginia during the 2020 election cycle. Secretary of State Mac Warner has announced that for the upcoming primary election, West Virginia will use the Democracy Live electronic voting system after testing the Voatz app in the last election cycle. “They’ve been around for a decade. They’ve participated in elections throughout the United States since 2010 and they have a fully compliant A-D-A functionality in their system which allows a voter who is blind or visually impaired to mark their ballot without assistance,” Deak Kersey, general counsel for the West Virginia Secretary of State’s office said. West Virginia was part of a pilot program in 2018 and allowed members of the military stationed overseas to vote via the Voatz App. The Voatz App was on a mobile phone whereas Democracy Live is on a fixed server. According to Kersey, only 144 voters used the App in West Virginia’s 2018 general election and only 13 during the primary. It was a pilot project and a test.

West Virginia: State will NOT use controversial voting app Voatz during primary elections | Internewscast

West Virginia has announced it will not be using the voting app Voatz after researchers found it is ‘riddled with vulnerabilities’. The US state employed the technology in 2018 to troops overseas and was also set to implement it in the upcoming primary elections for residents with disabilities. However, the flaws, uncovered earlier this month by MIT engineers, give hackers the ability to alter, stop or expose how an individual user has voted. Secretary of State Mac Warner said on Friday that disabled and overseas voters will now use a service by Democracy Live which lets them log in to fill out a ballot online or print an unmarked ballot and mail it in. The US state was set to employ Voatz following a new bill that requires counties to provide certain individuals with a type of online ballot-marking device that can be used with a smartphone.

West Virginia: After damaging report, West Virginia moves away from Voatz internet voting app | Anthony Izaguerre/Associated Press

West Virginia is opting not to use a widely criticized voting app in the state’s coming primary elections after a blistering report found potential security flaws in the platform. Donald Kersey, general counsel in the West Virginia Secretary of State’s office, said Monday that an MIT analysis of the Voatz app “gave us enough pause” to instead use a different system for the May elections. The decision came as state officials had to choose an online voting system to comply with a new law requiring electronic ballots for people with physical disabilities. Last month, an MIT study found that Voatz, which has mostly been used for absentee ballots from overseas military personnel, has vulnerabilities that could allow hackers to change a person’s vote without detection. The researchers said they were forced to reverse engineer an Android version of the app because the company hasn’t allowed transparent third-party testing of the system. The Voatz app was used to tally fewer than 200 ballots in West Virginia’s 2018 elections and didn’t have any problems, state officials said. The app has also been used in pilots in Denver, Oregon and Utah.

West Virginia: State backtracks on using Voatz smartphone voting app in state primary | Kevin Collier/NBC

In a surprise turnaround, voters with disabilities in West Virginia won’t be voting with their smartphone in the state’s primary in May. They’ll instead be able to use a system that prints out their completed ballot, which they can then mail in. Friday afternoon, West Virginia Secretary of State Mac Warner announced that disabled and overseas voters will be able to use a service by Democracy Live, which lets users log in to fill out a ballot online or print one out and mail it in. It’s a sudden pivot from the state’s embrace of Voatz, a smartphone app that aimed to boost turnout by letting people vote from their phone but that has been heavily criticized by cybersecurity experts. A handful of counties across the U.S. have offered Voatz to overseas and military voters in federal elections, as the city of Denver did in its 2019 mayoral election. But West Virginia offered it to counties statewide. On Feb. 5, the state passed a law requiring its counties to give voters with disabilities the option of receiving ballots electronically, starting with the May 12 primary elections.

Virginia: Mobile Voting Proposal Has Lawmakers Worried | Danny Bradbury/Infosecurity Magazine

Mobile voting is coming to the US, but is that wise? A proposed Senate bill in West Virginia will introduce electronic voting for people with disabilities, enabling them to cast their vote in the 2020 US election even when they can’t get to a voting station. According to local media, local officials are likely to use an existing mobile tool called Voatz, which allows people to place electronic votes using their smartphones. It’s an app that officials in Virginia already use to register votes for overseas military personnel. However, the use of any Internet-based voting tool goes directly against the advice of the National Academies of Sciences Engineering and Medicine. In September 2018, it published a report that said: “At the present time, the Internet (or any network connected to the Internet) should not be used for the return of marked ballots. Further, Internet voting should not be used in the future until and unless very robust guarantees of security and verifiability are developed and in place, as no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the internet.”

Editorials: There’s always a threat to voting online | Huntington Herald-Dispatch

It shouldn’t take an MIT genius to figure out that any internet-based voting system can be hacked, but apparently it did. Last week researchers at the Massachusetts Institute of Technology said the Voatz app, which has been used in West Virginia and elsewhere by absentee voters and military personnel, has vulnerabilities that could allow hackers to change a person’s vote without detection. The Voatz developer said the analysts used an older version of the app. It accused them of acting in “bad faith.” So far the app has been used by fewer than 600 voters in nine pilot elections. Voatz was used in West Virginia’s elections in 2018 by fewer than 200 voters. No problems were reported. Last month, the Legislature approved a bill that would allow voters with physical disabilities to use the Voatz app in this year’s election. The bill awaits the governor’s signature or veto.

National: Security experts raise concerns about voting app used by military voters | Brian Fung/CNN

Security researchers are reporting flaws in a smartphone-based voting app that’s been used by military voters overseas and is now being tested for use in the US. The vulnerabilities could allow nation-state hackers to view, block or even change smartphone ballots before they’re counted, according to a new paper written by three researchers at the Massachusetts Institute of Technology. The app is designed by the company Voatz, whose technology has been piloted so far in West Virginia, Colorado and Utah. The company called the report “flawed” in a statement posted to its website Thursday. “We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,” Voatz said in the statement. “The researchers’ true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.” The report comes amid rising concern about the use of apps and online voting tools in the 2020 election following the failure of reporting tools in the Iowa caucuses.

National: Smartphone voting stirs interest — and security fears | AFP

West Virginia’s disabled residents and overseas military personnel will be able to vote by smartphone in the US presidential election this year, the latest development in a push to make balloting more accessible despite persistent security fears. Rising interest in electronic voting has heightened concerns among security experts who fear these systems are vulnerable to hacking and manipulation that could undermine confidence in election results. Overseas service members from West Virginia first voted by smartphone in 2018 with the blockchain-powered mobile application Voatz, which is now being tested in some elections in Colorado, Utah, Oregon and Washington state. West Virginia recently expanded the program to people with physical disabilities. A report released Thursday by Massachusetts Institute of Technology researchers uncovered Voatz “vulnerabilities” which could allow votes to be altered and potentially allow an attacker to recover a user’s secret ballot.

National: Voatz of no confidence: MIT boffins eviscerate US election app, claim fiends could exploit flaws to derail democracy | Thomas Claburn/The Register

Only a week after the mobile app meltdown in Iowa’s Democratic Caucus, computer scientists at MIT have revealed their analysis of the Voatz app used in West Virginia’s 2018 midterm election. They claim the Android app is vulnerable to attacks that could undermine election integrity in the US state. Based on their findings, published today in a paper [PDF] titled, “The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections,” researchers Michael Specter, James Koppel, and Daniel Weitzner conclude that internet voting has yet to meet the security requirements of safe election systems. “We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote, including a side-channel attack in which a completely passive network adversary can potentially recover a user’s secret ballot,” their paper states. “We additionally find that Voatz has a number of privacy issues stemming from their use of third-party services for crucial app functionality.” Specifically, the researchers discovered that malware or some miscreant with root access to a voter’s mobile device can bypass the host protection provided by mobile security software known as the Zimperium SDK.

National: Researchers Find Security Flaws in Voatz Mobile Voting App | Andrea Noble/Route Fifty

A mobile voting app used by West Virginia and several local governments in the 2018 midterm elections contains vulnerabilities that could allow hackers to determine how someone voted or even change their vote, according to a report released Thursday by security researchers. Researchers from the Massachusetts Institute of Technology found the security flaws in the Voatz voting app, which was originally designed as a way for overseas service members to cast ballots. The researchers said their findings underscore prior security recommendations that the internet not be used for voting. “Perhaps most alarmingly, we found that a passive network adversary, like your internet service provider, or someone nearby you if you’re on unencrypted Wi-Fi, could detect which way you voted in some configurations of the election,” said Michael Specter, a graduate student in MIT’s Department of Electrical Engineering and Computer Science. “Worse, more aggressive attackers could potentially detect which way you’re going to vote and then stop the connection based on that alone.” In addition to West Virginia, several local governments, including ones in Washington state, Colorado, Utah and Oregon, have conducted their own pilots with the Voatz system. Additional states are also considering whether to use the app to assist absentee voters in upcoming elections.

National: MIT researchers find vulnerabilities in Voatz voting app used in multiple states | Maggie Miller/The Hill

A voting app used in multiple states during the 2018 midterm elections to allow for more accessible voting has cyber vulnerabilities that could allow for votes to be changed or exposed, researchers at the Massachusetts Institute of Technology (MIT) found. In a paper published Thursday, three MIT researchers found that Voatz had vulnerabilities that “allow different kinds of adversaries to alter, stop, or expose a user’s vote” and that the app also had several privacy issues due to the use of third-party services to ensure the app functioned. The researchers found that if an individual were able to gain remote access to the device used to vote on the Voatz app, vulnerabilities could have allowed that person to discover and change the votes cast. The researchers described their findings as being part of the first “public security analysis of Voatz” and noted that they used reverse engineering of the Android Voatz app to come to their conclusions. The Voatz app was used during the 2018 midterms in some municipal, state or federal elections in West Virginia, Colorado, Oregon and Utah. The company allows voters to cast their votes via an app and was rolled out in West Virginia as a way for overseas military personnel and other voters unable to physically go to the polls to cast their votes.

National: ‘Sloppy’ Mobile Voting App Used in Four States Has ‘Elementary’ Security Flaws | Kim Zetter/VICE

A mobile voting app being used in West Virginia and other states has elementary security flaws that would allow someone to see and intercept votes as they’re transmitted from mobile phones to the voting company’s server, new research reveals. An attacker would also be able to alter the user’s vote and trick the user into believing their vote was transmitted accurately, researchers from the Massachusetts Technology Institute write in a paper released Thursday. The app, called Voatz, also has problems with how it handles authentication between the voter’s mobile phone and the backend server, allowing an attacker to impersonate a user’s phone. Even more surprising, although the makers of Voatz have touted its use of blockchain technology to secure the transmission and storage of votes, the researchers found that the blockchain isn’t actually used in the way Voatz claims it is, thereby supplying no additional security to the system. The research was conducted by Michael Specter and James Koppel, two graduate students in MIT’s Computer Science and Artificial Intelligence Lab, and Daniel Weitzner, principal research scientist with the lab. Election security experts praised the research and said it shows that long-held concerns about mobile voting are well-founded.

West Virginia: State Expands Online Voting as Security Worries Grow | Patrick Groves/Government Technology

West Virginia, which has become an early tester of blockchain voting, is expanding Internet voting to include those with physical disabilities. But the move comes just as researchers from the Massachusetts Institute of Technology (MIT) have published a paper asserting that Voatz — the app West Virginia has been using in its pilot tests — has serious flaws, including the ability of bad actors to change votes without voters’ knowledge. Gov. Jim Justice signed SB 94 into law last week giving the secretary of state permission to create a system that allows people with physical disabilities to vote electronically. The Office of the Secretary of State lauded its success with Boston-based vendor Voatz that tallied 144 ballots from uniformed and overseas citizens in 2018. The Secretary of State’s Office may choose the startup again to enact the new law’s mandate for the 2020 primary and general elections. But election security experts and computer scientists have grown increasingly skeptical of the cybersecurity surrounding voting apps, especially after a mobile app used during the Iowa Caucus recorded data accurately but only reported it partially due to a coding error.

National: Voting on Your Phone: New Elections App Ignites Security Debate | Matthew Rosenberg/The New York Times

For more than a decade, it has been an elusive dream for election officials: a smartphone app that would let swaths of voters cast their ballots from their living rooms. It has also been a nightmare for cyberexperts, who argue that no technology is secure enough to trust with the very basis of American democracy. The debate, long a sideshow at academic conferences and state election offices, is now taking on new urgency. A start-up called Voatz says it has developed an app that would allow users to vote securely from anywhere in the world — the electoral version of a moonshot. Thousands are set to use the app in this year’s elections, a small but growing experiment that could pave the way for a wider acceptance of mobile voting. But where optimists see a more engaged electorate, critics are warning that the move is dangerously irresponsible. In a new report shared with The New York Times ahead of its publication on Thursday, researchers at the Massachusetts Institute of Technology say the app is so riddled with security issues that no one should be using it.

National: MIT researchers identify security vulnerabilities in voting app | Abby Abazorius/MIT News

In recent years, there has been a growing interest in using internet and mobile technology to increase access to the voting process. At the same time, computer security experts caution that paper ballots are the only secure means of voting. Now, MIT researchers are raising another concern: They say they have uncovered security vulnerabilities in a mobile voting application that was used during the 2018 midterm elections in West Virginia. Their security analysis of the application, called Voatz, pinpoints a number of weaknesses, including the opportunity for hackers to alter, stop, or expose how an individual user has voted. Additionally, the researchers found that Voatz’s use of a third-party vendor for voter identification and verification poses potential privacy issues for users.

Utah: Lawmaker says Iowa caucuses a cautionary tale for online voting | Art Raymond/Deseret News

Issues in the recent Iowa Democratic caucuses with a smartphone app are a further reminder, according to one Utah lawmaker, that the state should move slowly and deliberately toward any future change to a statewide online voting system.

To that end, Rep. Mike McKell, R-Spanish Fork, is sponsoring a proposal to spend some 20 months on a study to determine what, if any, digital voting system is secure enough to trust with running Utah elections. That proposal, HB292, got unanimous support from the House Government Operations Committee on Wednesday and is now headed to the full body for further consideration. Ahead of the meeting, McKell told the Deseret News the proposed study isn’t due until October 2021 and would have no impact on the upcoming general election, nor the 2021 off-year municipal elections. The goal of the study, McKell said, is to take the necessary time to do a thorough assessment of the potential advantages, and pitfalls, of moving the voting process into the digital realm. “I think we need to slow things down and commit to a thorough review of internet voting,” McKell said. “I think there are a lot of pressures in play to use new technologies and take advantage of efficiencies they can bring. But we just saw a whole host of problems in Iowa … that are a reminder that we’re just not there yet.”

National: Iowa’s app fiasco worries mobile voting advocates | Tonya Riley/The Washington Post

The fiasco caused by an app that failed to properly transmit votes in the Iowa caucuses is worrying the mobile voting industry, which hoped 2020 would be a banner year. Companies — and proponents of incorporating more technology into elections — are trying to avoid being lumped in with the hastily made app used in Iowa. They’re saying its failure proves serious investment in user-friendly, secure election technology is more critical than ever. “We need to ensure that every new idea is tested, transparent and secure — just like the eight successful mobile voting pilots conducted to date,” Bradley Tusk, the founder and CEO of Tusk Philanthropies, said in a statement. “Enough is enough. 2016 should have been enough of a wake-up call. Iowa just confirmed it.” Tusk Philanthropies has funded pilots for mobile voting across the country, launched in a push to increase participation in elections. Unlike the app used in Iowa, which was developed to relay vote counts, the pilots use technologies that allow voters to easily vote from their mobile phones. So far, the pilots have largely been limited to eligible uniformed and overseas voters and voters with disabilities. But any expansion is sure to fall under an even more critical spotlight. Any malfunction — or hack — of an app used directly for voting in 2020 could have far greater impact in undermining public faith in the democratic process than one Democratic caucus gone wrong.