Voatz, an online election app increasingly popular in the United States, is riddled with serious security vulnerabilities, according to a new study from researchers at MIT. They conclude that hackers who strike the Voatz app can potentially alter, stop, or expose individual votes.
The news comes just weeks after a hastily made app fell apart during the Democratic Party’s Iowa caucus, a high-profile failure that put a spotlight on how faulty technology can undermine democratic processes.
“We all have an interest in increasing access to the ballot, but in order to maintain trust in our elections system, we must assure that voting systems meet the high technical and operation security standards before they are put in the field,” said Daniel Weitzner, a principal research scientist at MIT’s Computer Science and Artificial Intelligence Lab, who guided the research. “We cannot experiment on our democracy.”
Get out the Voatz: Voatz has already been used as a pilot program in federal elections, most recently the 2018 midterm elections in West Virginia as well as previous ballots in Denver, Oregon, and Utah. Around 600 voters were involved, according to the company. Thousands more are set to use the app this year.
Sticks and stones: In response to the study, the company that produced Voatz accused the researchers of faulty analysis, “untested claims,” and “bad faith recommendations.”
In a lengthy statement, the company said the cybersecurity researchers were aiming primarily for media attention and claimed that they seek to “disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.”
In fact, the researchers took their findings to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency in January, which led DHS to hold private briefings for election officials using Voatz.
“We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,” the company said in a statement. “Pilot programs like ours are invaluable.”
Expert view: “The consensus of security experts is that running a secure election over the internet is not possible today,” said James Koppel, one of the MIT researchers. “The reasoning is that weaknesses anywhere in a large chain can give an adversary undue influence over an election, and today’s software is shaky enough that the existence of unknown exploitable flaws is too great a risk to take.”
“The choice here is not about turnout,” the report said, “but about an adversary controlling the election result and a loss of voter privacy.”