One of the online voting technologies that’s already made it out for testing in five states is highly insecure, according to a new report published Thursday by researchers from MIT. The app can be hacked to alter, or block, or make ballots public, according to the results of their testing. It was developed by Boston-based for-profit company Voatz, and has been used in actual elections in Denver, Oregon, and Utah, and in 2016 at the Massachusetts Democratic Convention and the Utah Republican Convention. It was also used for Americans voting overseas in the 2018 West Virginia midterms.
Oregon Democratic Sen. Ron Wyden has been pushing for the Department of Defense and the NSA to audit Voatz after a report from CNN last fall and after attempting to get the company to answer his calls for the release of its internal security audits. “I raised questions about Voatz months ago, because cybersecurity experts have made it clear that internet voting isn’t safe,” Wyden said in a statement obtained by Mother Jones. “Now MIT researchers say this app is deeply insecure and could allow hackers to change votes. Americans need confidence in our election system.” He added, “It is long past time for Republicans to end their election security embargo and let Congress pass mandatory security standards for the entire election system.” It most definitely is.
The company is refuting the MIT report, calling it “flawed” and claiming that the app tested was an old version that had been replaced more than two dozen times, that it didn’t attach to actual servers but instead to simulated servers, and that the MIT researchers were basing their report on assumptions about how the back-end technology worked. An election security expert at the University of Michigan was not impressed by Voatz’s rebuttal. Alex Halderman told Mother Jones, “The Voatz response doesn’t seem to dispute any of the specific technical claims in the MIT paper. That’s very telling, in my view. If any of it is wrong, Voatz should say what, specifically, that is. They don’t seem to even say the more recent version of the app works differently.”
Again, Voatz is refusing to work with Wyden and provide its own security audits, which suggests that, yeah, maybe they’re hiding something there. The clear choice for states and localities now is to drop any plans they had to use the app for voting. They should also be raising holy hell with their senators to get election security legislation onto the Senate floor and enacted.