For the midterm elections, West Virginia is testing out a new mobile voting platform called Voatz. This is unwise, especially amidst serious concerns, founded or not, about voting integrity and hacking among the US populace (Russian interference etc). To anybody who works even tangentially with software development or cybersecurity it already was a bad idea, but an EU cybersecurity specialist looked into it and it’s even more of a trainwreck than expected.
Twitter thread:
https://twitter.com/GossiTheDog/status/1026603800365330432
Of specific note, while in a lot of cases slightly outdated security technology is not always a big deal, voting software is necessarily going to be subjected to more scrutiny. After poking around for maybe a day, he found numerous out-of-date technologies and certificates, as well as numerous rookie security mistakes (default database admin usernames on standard ports, things like that).
They also hired a Russian national a while back who worked on the project, though they claim he’s not with them anymore and didn’t touch the voting aspect. Still, in the political climate it’s not a good look, even if he’s a good person, and voting confidence is as important as actual security. Even a perfectly secure system can cause problems if there’s sufficient doubt and uncertainty about its security.
They also appear to have lied or misrepresented their security audits, and of note haven’t done any actual penetration testing (hiring external testers to break into your system). https://twitter.com/GossiTheDog/status/1027080513922760704
I’ve also heard tell that this platform has been tested in the PA primaries at some point, and they had to stop using it in the middle of the primary and switch to paper ballots because it didn’t work under load, and primaries are much less demanding than real elections. I don’t have a cite for that one though, just scuttlebutt.
Finally, it uses some dodgy blockchain buzzword stuff that isn’t adequately tested or trusted enough to really be deployed in an election setting.
XKCD is on point with this one: xkcd: Voting Software
My point here isn’t that mobile voting should never be a thing, but that especially with so much tension around our electoral stability and the general importance of this midterm, this is not the time to be deploying untested technologies, especially not one with so many red flags. There are a lot of security experts working on academic papers on related topics, but it’s not in a state where we should be testing this. There are plenty of ways to ensure minorities and others get to vote, such as pure vote-by-mail, auto-registration on receiving a state ID, and paid voting-day holidays, so we have no reason to be turning to something so untrusted and untested.
This thread is mainly for watching how this develops over the next months, unless there turns out to be significant disagreement about Voatz being good, because I’m somewhat curious.