On the heels of the voting app debacle during the Iowa Democratic caucuses, researchers at MIT have found multiple security- and privacy-related vulnerabilities in an online voting app, Voatz, used in West Virginia during the 2018 midterm elections and on track to be used again for the 2020 contests, according to a security audit released this week.

West Virginia stepped out in front of other states by being the first to use an online voting app, but Voatz, which now also has been used in federal, state and municipal elections in West Virginia, Denver, Oregon, and Utah – and in the 2016 Massachusetts Democratic Convention and the 2016 Utah Republican Convention – “has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote, including a sidechannel attack in which a completely passive network adversary can potentially recover a user’s secret ballot,” the MIT audit found.

Privacy issues abound as well through the use of third-party services to provide functionality crucial to the app, which targets overseas military and other absentee voters.

“The app itself relies on third party services for user identification, and while modern applications often employ third party services, jurisdictions globally are enacting privacy regulations like GDPR and CCPA in an effort to better inform their citizens on how their data is being collected, processed and retained,” said Tim Mackey, principal security strategist at Synopsys CyRC. “When you consider that casting a vote is an incredibly personal decision for many, collecting excessive voter data or disclosing any aspect of the voting process to a third party should be minimized.”

Voatz took issue with the researchers’ findings, noting that they used an aged Android version of the mobile app (“at least 27 versions old”) that was never used in an election; never connected the app to Voatz servers hosted by Amazon AWS and Microsoft Azure; and “fabricated an imagined version of the Voatz servers, hypothesized how they worked, and then made assumptions about the interactions between the system components,” according to a blog post.

“We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,” Voatz wrote. 

“As with the Iowa Caucus app, the Voatz app operates with an assumption that lack of transparency around its operations is a positive trait,” said Mackey. “MIT researchers found that the Voatz development team employed custom encryption strategies which primarily served to obfuscate data flows, but worse enabled a situation where it would be possible to identify which candidate a user voted for.”  

The MIT academics point out that they are not the first to raise issues about the app’s security, but that their report represents the first audit of Voatz and that the results paint a bleak picture of the security of online voting. “Our findings serve as a concrete illustration of the common wisdom against internet voting, and of the importance of transparency to the legitimacy of elections,” they said.

Security experts caution that securing online voting technologies is paramount to safe and trusted elections. “When you have a significant portion of the technical sector calling for the use of paper ballots in order to ensure the integrity of election results, it’s a good indicator that there’s a real problem to address,” said Tim Erlin, vice president, product management and strategy at Tripwire. “We simply cannot ignore the clear security risks presented by these new voting technologies. The research is clear and the necessary level of assurance isn’t.”