Voatz

On August 6th, 2018, CNN reported that West Virginia will be using Voatz for overseas troops voting in its midterm election. Computerized voting is generally viewed as a Bad Thing™ by basically anyone familiar with software security. Voatz’s security was pretty handily critiqued on Twitter following the CNN report. I don’t have anything to add to that thread, but you should go read it, it’s a fun one.

I’m more concerned with what happens when the app doesn’t get hacked:

Denial of service

Security vulnerabilities are not the only ways software systems can fail. In Voatz’s blog post response to the Twitter thread, they mention a previous pilot that their system could not handle:

We experienced an instance of an on-premise election in Utah where we were unsuccessful in meeting the needs of the client. We were unable to support the large numbers of voters who simultaneously attempted to download the app and become verified within a short 30-minute period before voting started.

The post states that they have learned from this issue, but the impact that this kind of weakness will have can’t be overstated. Whether through direct and intentional service disruptions (e.g. DDoS attacks) or unrelated service provider downtime, Voatz’s infrastructure will go down when it counts. And when that happens, we’re going to need to figure out how to deal with votes that couldn’t be cast. Local polling places are naturally resistant to the kinds of single-point-of-failure issues that voting apps like this will face. If we don’t carefully design protections against these weaknesses, we’re bound to stumble with the transition to electronic voting.

Poll taxes (of a sort)

Voatz doesn’t go into much detail here, but they restrict the types of devices that can be used with their application.

Only certain classes of smartphones that are equipped with the latest security features are allowed to be used.

I’m inclined to believe that there are legitimate security reasons for this decision. Devices get software and hardware improvements regularly (the iPhone’s secure enclave, for example), and security-focused applications should be able to depend on these features. That being said, splitting the voting population into those who can afford the latest smartphones and those who cannot has problematic implications. The people who won’t own devices compatible with voting apps are the ones who already face voting obstacles. As voting from a phone becomes more commonplace, resources will be diverted away from other methods of voting, and finding the time to vote will become harder for the underprivileged.

On its face, making voting easier via technology seems great. However, when that ease of access comes with a $500+ price tag, it becomes a paid express lane that will likely hurt voter turnout more than it will help.

Facial Recognition

The West Virginia Voatz white paper states that the pilot is limited to active duty West Virginians and their dependents. According to the DMDC’s June 2018 report, there are 209 active duty members of the military from West Virginia. Given the size and well-known identities of the voters in this pilot, I expect the Voatz app to work flawlessly in the upcoming election. Any necessary identity verification can certainly be done by humans at this scale.

Voatz advertises the use of facial recognition technology to verify identity, which will be necessary to scale their platform without significant additional staff. Unfortunately, current iterations of this software tend to fail in the worst ways. In a recent report by the ACLU, 28 members of Congress (disproportionately people of color) were incorrectly matched to a mugshot photo database using Amazon’s Rekognition product. (I should note that Amazon’s response makes some valid points and is worth reading. There’s a lot to unpack on this topic alone, so I’ll just say this for now: defaults matter, and this is one of many reasons we need to insist on transparency and expertise instead of putting blind faith into technology.) This isn’t the first example of facial recognition failing in this fashion, and it certainly won’t be the last. We can’t depend on a system built on faulty software whose failures may result in the loss of legitimate votes.


What are we to do?

I have some requests:

West Virginia (and other governments): it’s not too late to walk this back. When virtually everyone qualified to evaluate something says that it’s bad, they shouldn’t be ignored. The XKCD comic linked above sums it up better than I can.

Instead of committing to a buzzword-filled solution that’s sure to backfire, make voting more accessible via efforts like postal voting and extended polling place hours. If we must use voting apps, we should insist that they’re open source, subject to constant and rigorous review, and staffed by anyone necessary to ensure security and stability.

Voatz: you have a bug bounty program, which is a good start. However, your security audit details have changed at least once since the Twitter criticism. The removal of names from the list of companies who have conducted an audit does not inspire confidence. In order for the public to trust any application like this, we need good faith and transparency. Develop your technology out in the open, and let anyone who cares poke, prod, break, and fix it. If someone points out an issue, work with them to improve it, and don’t attempt to spin or rewrite the facts.

Colleagues: Demand accountability from your government. Push for equal accessibility to voting. Find any weaknesses in voting software that you can (legally, and with the goal of improving it). And finally, be ready to jump in and help put out some fires.