Voting Security by Example: Voatz

West Virginia is running an experiment: they’re using Voatz, a mobile-phone-based voting system, to help overseas soldiers vote. It’s commendable to try new voting ideas in limited pilot settings, and it’s really commendable to help our military vote. However, there’s one really concerning thing about this proposal: there’s no real technical explanation of how it works.

This lack of technical information is almost always a really bad sign, because the most secure systems tend to be the ones that have received intense public vetting. That said, let’s use this as an opportunity to ask the questions that matter, whether you’re using Voatz or any other voting system. If the Voatz team has answers to these questions, I’d love to hear them and I’ll gladly provide feedback.

  1. How are voters authenticated, and who checks the authentication? Voatz says they use biometric authentication… but who performs that check? Is it their servers? Does the public then trust Voatz to decide who gets to vote and who doesn’t? Is there some way to audit this process? Does Voatz have a pre-existing list of registered voters they’re checking against? If so, does that mean that we’re also trusting Voatz not to stuff the ballot box, i.e. add a bunch of votes at the last minute “on behalf of” voters who haven’t shown up yet and thus likely won’t?
  2. How do voters check that their vote was properly recorded? Is there a way for a voter to check that their vote was recorded as intended? In particular, how does a voter know that their mobile phone wasn’t infected by malware, that the Voatz software correctly captured their intent, and that the vote wasn’t tampered with sometime after it left the phone? “Blockchain” is not nearly enough of an answer to this, since a blockchain only makes data tamper-evident once that data has been appended to it. What happens before? (Also, if we’re talking blockchain… who runs this particular blockchain? Is it the Bitcoin blockchain? Another blockchain? Who runs the servers?)
  3. How is voter privacy enforced? If voters do have a way to check that their vote was correctly captured, is their vote still private? Does anyone have the power to link a voter to their ballot content? Does Voatz? If not, how does Voatz or anyone else check that votes weren’t modified en route?
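
To make the point behind question 2 concrete, here is a small added illustration (my own code, not anything from Voatz or from West Virginia’s pilot, and not a description of how Voatz works). It uses a toy SHA-256 hash chain as a stand-in for “a blockchain”, a constructed three-voter election, and a hypothetical malware flip on one phone. The chain catches a ballot altered after it was appended, but it verifies perfectly when the ballot was altered before it ever reached the chain; the only thing that catches that is a cast-as-intended check, which in this toy requires linking voters to ballots, which is exactly question 3.

```python
import hashlib
import json
from collections import Counter

# Constructed sample data (hypothetical): what each voter actually intended.
INTENDED = {"voter-1": "Alice", "voter-2": "Bob", "voter-3": "Alice"}

GENESIS = "0" * 64


def block_hash(prev_hash: str, payload: dict) -> str:
    """Hash of a block: binds this payload to the previous block's hash."""
    data = prev_hash.encode() + json.dumps(payload, sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()


def append_block(chain: list, payload: dict) -> None:
    """Append a block. From here on the payload is tamper-evident; its history is not."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev_hash, "payload": payload,
                  "hash": block_hash(prev_hash, payload)})


def verify_chain(chain: list) -> bool:
    """True iff every block's back-pointer and hash are consistent."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev:
            return False
        if block_hash(block["prev"], block["payload"]) != block["hash"]:
            return False
        prev = block["hash"]
    return True


def tally(chain: list) -> Counter:
    """Count the choices as recorded on the chain."""
    return Counter(block["payload"]["choice"] for block in chain)


def run_election(infected: set) -> list:
    """Simulate casting. A phone in `infected` (hypothetical malware) flips the
    voter's choice before the ballot is submitted, i.e. before it is chained."""
    chain = []
    for voter, choice in INTENDED.items():
        submitted = "Alice" if voter in infected else choice
        append_block(chain, {"voter": voter, "choice": submitted})
    return chain


def cast_as_intended_ok(chain: list) -> bool:
    """Out-of-band check: does each recorded choice match the voter's intent?
    In this toy it needs a voter-to-ballot link, which is the privacy problem
    from question 3; real end-to-end verifiable schemes avoid that link."""
    recorded = {b["payload"]["voter"]: b["payload"]["choice"] for b in chain}
    return recorded == INTENDED


if __name__ == "__main__":
    honest = run_election(set())
    print("honest:", verify_chain(honest), dict(tally(honest)), cast_as_intended_ok(honest))

    # Vote flipped on the phone before it reached the chain: the chain still verifies.
    flipped = run_election({"voter-2"})
    print("pre-chain flip:", verify_chain(flipped), dict(tally(flipped)), cast_as_intended_ok(flipped))

    # Vote altered after it was chained: this the chain does catch.
    flipped[0]["payload"]["choice"] = "Bob"
    print("post-chain edit:", verify_chain(flipped))
```

Running it shows `verify_chain` returning True for both the honest election and the one where voter-2’s ballot was flipped on the phone; only the post-chain edit makes it return False. Whatever sits between the voter’s finger and the first block is where the hard questions live.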

Whether you’re evaluating Voatz or any other voting system, you should ask yourself those 3 questions and seek to understand whom you’re trusting at each step. Are we depending on Voatz to guarantee those 3 properties? If not Voatz, who are we trusting?


[“Ballot Box for Alameda County” by Joe Hall, CC BY 2.0]