The SecureMac Interview: Voatz on mobile voting
Free and fair elections are the cornerstone of any democracy. But in recent years, there have been disturbing questions about the integrity of the U.S. electoral process.
Aside from the well-publicized issue of foreign interference in American elections, many within the security community also worry that there is a fundamental problem with electronic voting machines, which have proven alarmingly vulnerable to tampering and hacking. In addition, partisans on both sides of the political divide have raised concerns about voter suppression, voter fraud, and accessibility.
The situation has led many observers to conclude that we need to overhaul the way we conduct elections. At least one Democratic presidential candidate, Andrew Yang, has openly called for the modernization of voting through the use of mobile technology and blockchain verification.
It is in this milieu that companies like Voatz have emerged, promising to address several of these issues at once by offering safe, secure, and accessible voting through the use of modern technology.
These companies are anything but monolithic, and represent significantly different approaches to mobile voting and to the use of associated technologies like biometric identification and blockchain. It’s fair to say that we are in the early days of mobile voting, and it is still unclear which of these approaches will prove the most viable in the long run.
However, there are several approaches to implementation which have proven broadly popular. In particular, many proponents of modernized voting hope to leverage the cryptographic power of blockchain technology — the same technology which underpins cryptocurrencies and distributed applications — in order to create a tamper-proof and permanent voting record. This is so often discussed in the context of tech-enhanced voting that many people simply use the term “blockchain voting”, without further qualification, as a catch-all.
But the Voatz team argues that this is a misleading oversimplification when applied to their platform, and makes several key distinctions which they say set their approach apart from “blockchain voting” per se:
Voatz is a mobile voting platform that is backed by blockchain technology. This distinction is inherently important to make. Without the use of the advanced security measures embedded in the latest versions of smartphones (i.e. biometrics), paired with facial recognition technology, simply conducting “blockchain voting” would not, in our view, be an appropriate way to run an election.
The combination of these three elements — mobile phones, facial recognition tech, and blockchain tech — is what makes voting with a system like Voatz compelling from a security perspective. The first two (mobile phones, facial recognition tech) are used to both verify and secure the voter’s identity, and the last (blockchain) is used as a secure data storage mechanism and for auditing purposes.
It’s also important to distinguish the Voatz platform from what is frequently called “online voting” or “Internet voting”. Voatz explains that there are several crucial differences here as well:
While there are different definitions that may come to mind for “Internet Voting”, the term typically refers to a browser residing primarily on a voter’s PC connected over the Internet to a web server. There are several key differences between traditional Internet voting and Voatz, which is mobile voting backed by blockchain technology (again, not simply “blockchain voting”).
First, only recently-manufactured smartphone models from Apple, Samsung, and Google are supported with Voatz. These devices are built with security features like fingerprint and facial recognition that extend far beyond standard browsers running on a potentially-compromised PC for voter authentication.
Second, modern smartphones provide hardware-based security to store private keys which, in turn, allow highly secure, encrypted transactions to be conducted over the public Internet.
Third, votes are stored on a public-permissioned blockchain that will eventually be controlled by various stakeholders (e.g. a Secretary of State or a state board of elections) to ensure their tamper resistance and immutability.
While accessibility is touted as the most obvious advantage of mobile-based voting, there are other potential benefits as well. In particular, smartphone technology has the ability to address voter coercion, a serious threat to the integrity of democratic elections.
Voter coercion can take many forms. There are, of course, the more blatant examples seen around the world in times of strife: People being forced to vote for the establishment party at gunpoint, or soldiers taken to the polls by their commanding officers and ordered to vote for a particular candidate. But there are also more subtle forms of coercion, in which coworkers, neighbors, or even family members can intimidate and pressure a person to vote a certain way. In such scenarios, mobile voting backed by blockchain could be used to fight back against voter coercion. Voatz explains:
Blockchain technology, when implemented in conjunction with modern mobile devices, can be used as a tool to detect coercion.
For example, there are multiple sensory points on smartphones beyond just tapping the screen, and a number of these sensory cues, as well as others, could help reroute the vote transaction to a provisional chain (like a provisional ballot), allowing the voter an opportunity to cure or resubmit their ballot at a later time when the threat has been mitigated.
It should be noted that no technology can fully protect against coercion by itself. Commonsense procedures and safeguards are essential, as is the case with vote-by-mail systems.
Making sure that voters cast the vote they intend to cast is clearly of fundamental importance in an election. But coercion isn’t the only issue here: Any mobile voting system would need to take steps to minimize the possibility of voters mistakenly selecting the wrong candidate.
Of course, this issue affects traditional paper balloting as well. Ballots with confusing or misleading layouts have certainly been found “in the wild” before, and they are problematic because they don’t just slow down polling, but also have the potential to result in voter errors. Poorly designed ballots can also lead to problems with determining voter intent during the counting phase, which can lead to some votes being discarded due to lack of clarity (perhaps the most famous example of this was the “hanging chads” fiasco during the US presidential election of 2000).
Electronic voting machines have their own issues with voter intent as well, from the same kinds of design flaws that affect traditional ballots to doubts over the reliability of the paper trail provided by these systems.
We asked Voatz how they stack up against traditional paper ballots and electronic voting booths from a UI/UX perspective, and what they were doing in terms of app design to make sure voters are making the choices that they intend to make and to keep the possibility of confusion or mistakes to a minimum:
There are several measures we undertake in our application’s UI/UX design to ensure that the voter’s voting experience is both intuitive and clear.
First, we’ve conducted extensive user research and collaborate closely with our partnering jurisdictions to ensure that the mobile ballot design and the submission process mirror the experience at the voting booth, and also harness best-in-practice design standards that are native to both Apple and Android operating systems. This means, if you’re an Android user and vote with Voatz, your ballot would appear with a design that leverages visual techniques and cues you might otherwise be used to seeing in other apps on your Android smartphone. The goal here is that it’s designed to be as intuitive as possible so that you can navigate your ballot clearly, while also mirroring elements of your experience at the voting booth.
Second, throughout the entire voting process, we’ve designed several stop-gap measures to ensure that a voter has access to viewing their progress, viewing their responses, and reviewing and/or editing submissions before submitting their ballot.
We’ve also instituted ways to let a voter know if they’ve not answered every question, or might have only partially answered a question (in the event they’re able to select more than one choice). Ultimately, we’ve designed the voting process so that the voter is absolutely certain they’re ready to submit their selections before doing so.
Throughout the design process, we’ve also partnered with accessibility experts in order to develop our technology alongside the native iOS/Android accessibility features (like large fonts, Talk Back, VoiceOver, etc.). This means our technology is not only aimed at optimal design for mobile intuitiveness, but also for a community who, with the help of mobile technology and its incredible array of accessibility features, could also feasibly vote using the Voatz application alongside one of their phone’s native accessibility features.
The last measure we’ve instituted in our voting process is that upon submission of their ballot, a voter receives an anonymized ballot receipt with their choices so that they can verify their vote was counted, and counted as they intended. This anonymized receipt also facilitates a post-election audit in order to increase transparency into the election system as a whole.
Mobile voting backed by blockchain is still in the early stages of deployment and development. And in elections in which it has been used, it has only been one channel of many by which citizens could vote. At the moment, concerns over the technology from critics and supporters alike tend to center around issues like security, privacy, and technical reliability. But if mobile voting one day becomes the dominant form of casting votes in our elections, social justice and political concerns may emerge as well.
There could, for instance, be voter access issues if local elections boards decide to reduce polling stations or cut back on poll workers due to lack of interest. While those using mobile voting would not be affected, anyone not comfortable with technology or lacking access to higher-end smartphones might find it more difficult (or at least, less convenient) to vote.
Similarly, the nature of mobile voting as envisioned by Voatz could raise questions about voter suppression, since the system requires a passport or driver’s license to be uploaded as part of the authentication process. Mass adoption of this form of mobile voting could be seen as a “back door” to states requiring strict voter ID, something which is extremely controversial. Critics of past proposals to require voter ID at the polls argue that it is a way of effectively disenfranchising groups with less access to official forms of identification.
We asked the team at Voatz to comment on these issues, and to tell us what, in their view, could be done to ensure maximum accessibility under a widespread blockchain-backed mobile voting system.
With respect to voter access, it’s important to remember that this is a multifaceted issue. First, for example, several jurisdictions have expressed interest in expanding mobile voting pilots as an option for voting to the disability community, many of whom face significant challenges with the current voting options available (i.e. mobility to get to the polls). As mentioned before, we leverage the accessibility features native to smartphones to make our voting platform accessible as a basic part of our design process.
With regard to polling locations and access, we don’t foresee mobile voting fully replacing the option to vote in-person at the polls in the near future. The option to vote in person will remain for anyone who appreciates being able to vote this way. We see mobile voting backed by blockchain as supplemental to the current, in-person system, and for those who opt in to “vote mobile” rather than in-person, we’ve worked hard to design a secure process that feels intuitive, understandable, and accessible. We believe it is important that the method of voting be a choice for the voter, depending on their circumstances.
Last, with regard to voter ID, this is a necessary tradeoff for a voter who wants the convenience of voting from a smartphone, due to the need for verifying and securing the identity of the voter. In the event that a voter does not want to use an ID, they always have the option to vote in person. In the event that a voter does not want to use their phone’s biometrics capabilities (thumbprint or Face ID), they can use their Voatz security PIN, which is established at the time of the Voatz sign-up process.
Voatz has already conducted successful elections in several jurisdictions. These were, by and large, uneventful — but in one of the elections, a threat to the Voatz platform was detected. A few vociferous critics pounced on the story, claiming that it was evidence of the inherent insecurity of mobile voting and presenting it as such in their reporting. We asked Voatz to comment on the incident and set the record straight:
During the West Virginia pilot, there was an unsuccessful attempt to gain entry into the Voatz system. The attempt was detected, blocked and reported in detail to the West Virginia Secretary of State’s Office, which decided to pursue further action at their discretion.
This situation is analogous to the following example: Imagine you lived on a street and one night, two suspicious actors wandered past your front door, rattled the handle and tried to break in, but the door was locked. Cameras caught the entirety of their attempt and the full details of the suspects, and reported it to you, the owner.
While probes into IT systems and general infrastructure across the nation are fairly common, as of January 2017, the Department of Homeland Security designated election infrastructure as part of the nation’s critical infrastructure, a section under DHS’s Government Facilities Sector. As a result, any attempts to tamper with an election system are illegal, and therefore, we felt it necessary to report, and will continue to do so with any such attempts in the future.
We remain vigilant and committed to following industry standard best practices around information security, and partnering with jurisdiction and law enforcement officials to ensure that our election infrastructure remains protected. While we don’t encourage hacking attempts in a live election scenario, we do encourage “white hat” hacking, and are the first elections company in the world to have a public bug bounty program, and are open to conversation with anyone interested in learning more on how to participate.
The issue of cybersecurity in mobile voting is obviously of great concern to anyone who knows how dangerous the threat landscape has become over the past several years. APT groups and nation-state actors are increasingly active, targeting not only Windows and Android systems but also macOS and iOS devices.
As part of its core security protocols, Voatz checks voters’ devices for evidence of malware infections or compromised systems. If Voatz finds any hint of a threat, the app won’t allow the user to vote with the device.
We asked Voatz how their malware detection protocols could defend against the kinds of 0-day threats or custom-built malware that APT groups and nation-state actors are capable of deploying, and what could be done to safeguard the platform against sophisticated malicious actors:
Security is never static in time and no system can be 100% safe; however, there are ways to make it safe enough and resilient enough such that it can survive in the presence of threats.
We deploy all tools at our disposal to stay ahead of the threat actors, including simulating multiple threat models (like the ones you list above), and deploying honeypots to determine how our system would react in the presence of these threats.
We are also the first elections company in the world to run a public bug bounty program and welcome community input to help make our system more resilient.
Last, at the close of each election, we partner with the National Cybersecurity Center to conduct rigorous post-election audits of all ballots submitted via mobile device. These audits are open to public participation and involve an audit of the voter’s voted paper ballot, the voter’s ballot receipt, the data on the blockchain, and the overall county tabulation output. These audits ensure that all choices match up, that voter intent is reflected in the tabulations, and that the choice counts match the numbers on the election data output. Learn more about the post-election audit process here and here.
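The four-way comparison described in the answer above (paper ballot, ballot receipt, blockchain data, county tabulation) can be sketched as a reconciliation check. This is an added illustration, not Voatz's or the National Cybersecurity Center's code; the record layout, ballot IDs and the audit function are assumptions, and the sample data is constructed.

```python
from collections import Counter

# Constructed sample records keyed by an anonymized ballot ID. The ID scheme and
# field layout are assumptions; the article does not describe the real formats.
PAPER = {"b-01": "Candidate A", "b-02": "Candidate B", "b-03": "Candidate A"}
RECEIPT = dict(PAPER)   # what each voter's anonymized receipt shows
LEDGER = dict(PAPER)    # what the blockchain record shows
TABULATION = {"Candidate A": 2, "Candidate B": 1}  # county tabulation output


def audit(paper, receipt, ledger, tabulation):
    """Return (subject, problem) findings; an empty list means everything matches."""
    findings = []
    sources = {"paper": paper, "receipt": receipt, "ledger": ledger}

    # 1. Every ballot must appear in all three per-ballot sources with one choice.
    for ballot_id in sorted(set(paper) | set(receipt) | set(ledger)):
        missing = [name for name, src in sources.items() if ballot_id not in src]
        if missing:
            findings.append((ballot_id, "missing from " + ", ".join(missing)))
            continue
        choices = {name: src[ballot_id] for name, src in sources.items()}
        if len(set(choices.values())) > 1:
            findings.append((ballot_id, f"choice mismatch: {choices}"))

    # 2. Choice counts from the paper ballots must equal the tabulation output.
    counted = Counter(paper.values())
    for choice in sorted(set(counted) | set(tabulation)):
        if counted[choice] != tabulation.get(choice, 0):
            findings.append(
                (choice, f"tabulated {tabulation.get(choice, 0)}, ballots show {counted[choice]}")
            )
    return findings


if __name__ == "__main__":
    altered = {**LEDGER, "b-02": "Candidate A"}   # constructed discrepancy
    for subject, problem in audit(PAPER, RECEIPT, altered, TABULATION):
        print(subject, problem)
```

A single altered ledger entry, a ballot absent from one source, or a tabulation total that disagrees with the ballots each produces its own finding, which is what lets an auditor tell which record diverged.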
Finally, we asked Voatz what was on the horizon for the company, where they thought mobile voting was heading in general, and what sort of timeline to widespread adoption they would predict:
We have more upcoming pilots slated for 2020, both domestically as well as a few potential scenarios abroad. We are excited about the expansion to include voters with disabilities, a demographic that faces significant barriers within our current voting infrastructure.
With regard to a broader adoption of mobile voting backed by blockchain, there are adaptations that our legal infrastructure will have to make. Timing on widespread adoption? We’d say that hopefully within the next 5 to 10 years, more citizens will have an option to “vote mobile”.
We thank the team at Voatz for taking the time to tell us about their work and to give us their insights into the political and technical issues around mobile voting. If you would like to learn more about Voatz, please visit their website or follow them on Twitter.