After damning report, a voting app says it’s secure—but experts have questions

On Thursday, researchers at MIT published an injurious study about vulnerabilities in a "blockchain-based" voting app called Voatz. They found that malicious attackers could penetrate the app and then view, disrupt transmission, or even alter voters' choices.

Despite the niche nature of the app (it's geared towards overseas and disabled voters) and the technicality of the study, the New York Times picked up the news; the integrity of electronic voting is on everyone's mind in the wake of the disastrously botched use of a voting app in the Iowa caucus.

Broadcasting the troubling findings in the Times has prompted public criticism of the app across the internet, and worry by public officials of its use in elections: One county that was planning to use the app has already decided against doing so in the wake of the report.

Voatz vehemently objects to the findings of the study, calling out what it sees as serious flaws in the way in which it was conducted. Namely, it says that researchers used an outdated, reverse-engineered, and partially theoretical version of the app and its server infrastructure instead of the real thing. If they had taken advantage of access to the product through Voatz' bug bounty program, Voatz said, the researchers would have found a much more secure system than what the researchers encountered.

Security experts aren't so sure. Even with the alleged shortcomings of the study, experts see it as a valuable contribution to understanding a new facet of democracy and technology with extremely high stakes.

"By no means is it going to be perfect, but it lays out a pretty good claim that we need some more scrutiny of Voatz," Maurice Turner, a deputy director at the Center for Democracy & Technology, told Mashable. "And it’s a good opportunity for Voatz to take another look and share the security research that they’ve already done."

Founded five years ago, Voatz is a platorm that aims to increase voter turnout and assist overseas citizens (like military personnel) with casting ballots. In 2018, it made headlines (including on Mashable) when West Virginia contracted it as the first "blockchain-based" voting app or a small pilot program.

Its introduction to the world was not entirely smooth. It has been criticized for a lack of transparency about how it functions, for structural flaws in its blockchain auditing system, for use of third party software, and for the fact that experts say blockchain is actually not well-suited at all to voting systems. Moreover, it developed a combative relationship with the security community after it reported a University of Michigan security researcher to the FBI as a "malicious actor."

"We've learned that Voatz responds badly to public research attempting to verify their claims of security," Jacob Hoffman-Andrews, a senior staff technologist at the Electronic Frontier Foundation, told Mashable. "Voatz' approach to third-party security testing raises serious questions about whether they should be trusted, over and above the fundamental unsafety of any e-voting scheme."

All off this led researchers at MIT's Computer Science & Artificial Intelligence Lab to take a deeper dive into Voatz — without the company's knowledge or cooperation. In the introduction to the paper, the researchers specifically cite the Michigan conflict as a reason they didn't engage with the company.

While Turner said he was "surprised" that the researchers neither took advantage of access to the system through the bug bounty program, nor worked with Voatz, he also understands the impetus.

"I’m well aware that Voatz has a mixed reputation amongst security researchers," Turner said. "I could see why there could be some trepidation about engaging with Voatz." However, he also added "It just seems unusual that they wouldn’t have taken an extra step of engaging."

Harri Hursti, a security researcher and co-founder of Nordic Innovation Labs, put it more bluntly. First, Hursti pointed out that there are technical limitations to the bug bounty program that make it not entirely useful for analysis; the researchers also explain their decision not to access the program itself in the paper's discussion.

"Choosing to evaluate this bounty app alone would introduce additional threats to validity, and as the differences between this version and the ones that have been fielded are unclear... Crucially, the bounty does not provide any additional helpful insight into Voatz’s server infrastructure, nor does it provide any source or binary for the API server to test against."

Given Voatz's alleged past behavior and attitude toward researchers, as well as the technical limitations of the bug bounty program, Hursti views the tack the researchers took — of reverse engineering the app, and simulating server communication — as best practices, and their findings as legitimate.

"Voatz has been very hostile towards security research," Hursti said. "The MIT research in my opinion is legitimate. Under these circumstances when the subject of the research is uncooperative, they have done a very good job."

The EFF's Hoffman-Andrews agreed that the MIT research holds up.

"The report is sound," Hoffman-Andrews said. "It relies on common security best practices and reveals some very worrying things about the Voatz app."

Despite recent mainstream worry about voting apps and a legacy of hair-pulling in security about the nightmare of electronic voting, Voatz and other companies are soldiering on. Because of this reality, Turner sees both sides of this story — the app, and the research — as imperative.

"There is definitely a need for continued investment and development, because without that, we can’t actually answer the question 'is this good enough to use in a general election,'" Turner said. "Security researchers are a critical part of that learning and sharing process, which is why overall I appreciate the MIT researches to going to the effort of putting out the report, so vendors like Voatz can incorporate these findings and improve their products."

One can only hope.