A small number of Americans will be able to vote in the midterm elections this November by taking a selfie-style video and downloading an app. West Virginia is the first and only state to test out Voatz, a voting app for smartphones. The experiment, which is largely directed at military personnel serving overseas, will allow the soldiers to cast their votes digitally as an alternative to cumbersome absentee ballots. … Ultimately, no one can say with certainty whether Voatz’s app is secure. Nimit Sawhney’s startup launched the software several years ago, and it went on to win a number of awards. But there is very little proof that it is invulnerable.
• To start with, the infrastructure that Voatz uses cannot be secured — i.e., the voters’ smartphones and the networks used to transfer the data. Marian K. Schneider, president of the U.S. advocacy group Verified Voting, lobbies to make voting in the digital era transparent and secure. She has profound reservations about smartphone voting: “Even putting aside the authentication and verifiability issues, nothing in these systems prevents malware on smartphones, interception in transit or hacking at the recipient server end.” She also thinks it wouldn’t be too difficult to tamper with the identity authentication process. And even a targeted interruption of the connection could be enough to influence an election.
• Voatz is also sketchy on details relating to its use of blockchain technology, making it unclear whether it offers a specific advantage over standard databases. “Blockchain technology is the hot new buzzword, and it appears that Voatz uses it in the least effective way,” says Douglas Jones of the University of Iowa, an associate professor of computer science and expert on electronic voting systems. Data in a blockchain is stored in a decentralized way across its network rather than being held centrally, so that it has no centralized points of vulnerability. But in this case, this advantage doesn’t apply. Or at least, Voatz hasn’t responded to this criticism. “With all the servers in the custody of the vendor, a dishonest vendor could do anything they want to the results,” warns Jones.
• Voatz says it has commissioned a third-party firm for extensive security audits. But information about these security firms on Voatz’s website has been repeatedly revised in recent days, apparently in response to queries from the media. Still remaining are Security Innovation and the platform HackerOne, where Voatz has offered rewards to anyone who can identify security risks. So far, Voatz has paid out a total of two rewards, one of $100 and one of $50. That doesn’t sound much like serious auditing.
• There are no indications that a technical inspection by state authorities took place either. Voatz, at the very least, has made no claims to that effect. If that didn’t happen, it would mean that the public authorities aren’t even aware of what, exactly, is behind Voatz’s technology.
• Internal Voatz code has popped up in at least two places on the platform GitHub, a large public repository where code is uploaded and widely shared. The company claims it was test code unrelated to the real system. But details in the code raise concerns that Voatz doesn’t always attach the utmost importance to common security practices.
Full article: Voting by Smartphone – SPIEGEL ONLINE.