Voting via mobile phone is yet another idea whose time has not come.
As xkcd says, it’s “terrifying”.
If you have learned anything from the last three decades, it’s not to trust the first, rushed versions of software. And in the case of voting apps, they are all new, untested, and, frankly, untestable. (I.e., it is very, very difficult to construct a realistic test for a real election.) Worse, many of them are closed systems that aren’t available for independent evaluation. “Trust us” is the operating principle.
Voatz is one such voting app that is trying to do it right. They have opened their code to the world, and invited researchers to evaluate and test it. In fact, they paid consultants to do a detailed audit of the system. Good for them.
This month the results of the audit were released. It ain’t pretty.
The review covered “over 168,000 lines of pure source code across approximately 2,100 files”, and the nearly 200 pages of results identify 79 issues, including dozens of pretty serious flaws. This is why we do audits before deploying software!
As the review is at pains to say, the overall quality is pretty good. Indeed, one bug per roughly 2000 lines of code is really excellent. Nevertheless, it’s software, therefore it has bugs.
So, no surprise, there.
I did want to point out that this software is touted as using blockchain technology (specifically, Hyperledger), as if that is important. So how does blockchain help meet the needs for trusted transparent anonymous vote casting and counting?
As far as I can tell, the blockchain is used to store/publish the (presumably) validated voted ballots. Once there, the record can’t be easily altered or deleted, and can be examined by anyone with access to the blockchain. That sounds fine, although Hyperledger is a private blockchain, so this isn’t exactly open to anyone. Still, it’s a pretty robust way of posting the recorded votes.
How secure is the blockchain? Well, the blockchain, qua blockchain, is pretty hard to mess with. And I doubt there will be many problems with the data on the blockchain, assuming it is good data when it gets there and they don’t mess up getting it there (see below about cryptographic issues).
The problem is that the voting app has a lot more than the blockchain. A lot more.
Think about it: the voter is using their regular mobile device, which is, well, out there in their pocket. So, for starters, who knows how hackable any given mobile phone might be?
The app doesn’t actually talk to the blockchain, but in fact communicates with a cloud service which ultimately talks to the blockchain. The app has conversations with the service to handle the identification of voters, hand out correct ballots, and accept and check voted ballots. What could possibly go wrong?
Additional services manage the administration of the election, validating the voters and ballots, and tabulating results. These administrative functions are not accessible to the public. The system is designed to allow detailed audits of all ballots.
All of these services communicate via encrypted channels, and use cryptographic signatures to assure valid access, data integrity, and so on. Everything needs to be cross-validated to make sure that voters are eligible and vote only once, and to make sure the ballots are correct and not lost, and so on. It’s pretty complicated.
Note that even if this system works perfectly, it relies on voter registration processes, ballot design, and other non-digital processes. For that matter, configuring the system, filling up the databases, and so on, depends on humans to do it right.
And, indeed, the security audit identified many potential problems that involved many aspects of these digital processes and also “governance” and other human dominated processes.
I’ll also note that the audit reports cases of “improper use of cryptographic algorithms, as well as ad hoc cryptographic protocols,” which is pretty serious. This is like a delivery company operating by its own rules of the road. What could possibly go wrong?
So, back to blockchain. One of the big ideas of blockchain is that it is a “decentralized” system, so that you don’t have to “trust” a single server or entity. You can’t “hack” a blockchain easily, because there isn’t any one service to hack. The Voatz system uses blockchain, but that doesn’t mean it is “decentralized” in this way. In fact, everything relies on their cloud services, which must be trusted.
This is why an earlier review was titled, “What We Don’t Know About the Voatz ‘Blockchain’ Internet Voting System”. Quote, Blockchain, Unquote. The use of a blockchain is pretty much irrelevant to the overall security of the system, and to the goals of the voters and election authorities.
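To make the point concrete, here is an added illustration (my own toy code, not Voatz’s or Hyperledger’s) of why an append-only ledger doesn’t help if the service feeding it must be trusted: a hash-chained ledger detects edits made after a ballot is recorded, but a ballot altered by the intermediary before it is appended produces a ledger that verifies perfectly. The gateway functions, ballots and voter ids are constructed for the demo.

```python
import hashlib
import json

# Minimal hash-chained, append-only ledger standing in for the permissioned
# ledger the post describes (hypothetical; not the real system's code).
def _digest(prev_hash: str, record: dict) -> str:
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append(chain: list, record: dict) -> list:
    prev_hash = chain[-1]["hash"] if chain else "0" * 64
    chain.append({"record": record, "prev": prev_hash, "hash": _digest(prev_hash, record)})
    return chain

def verify(chain: list) -> bool:
    """True if every block hashes to its contents and links to the block before it."""
    prev_hash = "0" * 64
    for block in chain:
        if block["prev"] != prev_hash or block["hash"] != _digest(prev_hash, block["record"]):
            return False
        prev_hash = block["hash"]
    return True

def honest_gateway(ballot: dict) -> dict:
    # The cloud service passes the voted ballot through unchanged.
    return dict(ballot)

def compromised_gateway(ballot: dict) -> dict:
    # Constructed failure mode: the trusted intermediary flips the choice
    # before the ballot ever reaches the ledger. The ledger cannot tell.
    altered = dict(ballot)
    altered["choice"] = "B" if altered["choice"] == "A" else "A"
    return altered

def run_election(ballots: list, gateway) -> tuple:
    """Record each ballot via the gateway, then tally straight from the ledger."""
    chain = []
    for ballot in ballots:
        append(chain, gateway(ballot))
    tally = {}
    for block in chain:
        tally[block["record"]["choice"]] = tally.get(block["record"]["choice"], 0) + 1
    return chain, tally

def tamper_after_the_fact(chain: list) -> bool:
    # Editing a block that is already on the ledger breaks the chain: detectable.
    chain[0]["record"]["choice"] = "B"
    return verify(chain)

# Constructed sample ballots; voter ids are placeholders.
BALLOTS = [{"voter": "v1", "choice": "A"}, {"voter": "v2", "choice": "A"}, {"voter": "v3", "choice": "B"}]
```

Both ledgers pass `verify`, yet only the honest one matches the voters’ intent; the chain protects what was recorded, not whether it was recorded correctly.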
Voatz is actually a pretty good system. But “pretty good” isn’t really good enough for the bedrock of popular sovereignty.
Voatz is also a great illustration of the role that blockchain technology plays in this use case: nearly none.
And, by the way, the audit was a very good idea. So good that they should do it again. And again. And again. It will be important to repeat the audit again and again as the problems are (allegedly) fixed. Maybe it will pass, someday.
- David Jefferson, Duncan Buell, Kevin Skoglund, Joe Kiniry, and Joshua Greenbaum, What We Don’t Know About the Voatz “Blockchain” Internet Voting System, 2019. https://cse.sc.edu/~buell/blockchain-papers/documents/WhatWeDontKnowAbouttheVoatz_Blockchain_.pdf
- Trail of Bits, Our Full Report on the Voatz Mobile Voting Platform, in Trail of Bits, March 13, 2020. https://blog.trailofbits.com/2020/03/13/our-full-report-on-the-voatz-mobile-voting-platform/
- Andrew Westrope, Detailed Audit of Voatz’ Voting App Confirms Security Flaws, in GovTech Biz, March 18, 2020. https://www.govtech.com/biz/Detailed-Audit-of-Voatz-Voting-App-Confirms-Security-Flaws.html