During the 2018 midterm elections, somebody tried to hack Voatz, the blockchain-based voting system used by West Virginia. The attack was unsuccessful but is under investigation by the FBI, said Andrew Warner, West Virginia’s secretary of state, in an Oct. 1 press conference.
“In last year’s election, we detected activity that may have been an attempt to penetrate West Virginia’s mobile voting process,” said Warner. “No penetration occurred and the security protocols to protect our election process worked as designed. The IP addresses from which the attempts were made have been turned over to the FBI for investigation. The investigation will determine if crimes were committed.”
The hacking attempt may have stemmed from an election security class at the University of Michigan, CNN reported Friday (Oct. 4).
Last November, 144 West Virginian voters—including active members of the US military serving overseas—used Boston-based Voatz, a blockchain-enabled smartphone application, to cast their ballots for the Senate and House of Representatives as well as for state and local offices. That’s a small number, but it could be consequential, especially in close races. Four seats in West Virginia’s House of Delegates were decided by fewer than 150 votes.
To use Voatz, users must first verify their identities using multifactor authentication and facial recognition software. Then they can access their ballots and submit their votes. The system also uses a paper trail for backup. However, researchers worry Voatz’s setup provides insufficient security.
West Virginia isn’t the only place where Voatz has been used in actual elections. Denver also piloted the system for its municipal elections in May, and Utah County used it for local primary elections last month.
Although the hacking attempt on West Virginia’s midterm elections was apparently unsuccessful, it demonstrates that electronic voting presents an immediate hacking target, just as voting experts fear. It also indicates that Voatz might be more secure than previous electronic voting methods, such as email. However, it’s hard to assess Voatz’s robustness, in part because of the company’s insistence that auditors sign non-disclosure agreements. Many election experts have worried about Voatz’s lack of transparency, says Slate.
“I have not seen an argument that their system provides software independence, and [Voatz] did not respond when I asked about this,” said Ka-Ping Yee, a researcher who previously reviewed election system technology for the Secretary of State of California. “Their FAQ mentions that ballots are printed out but it doesn’t appear that the voter gets to verify the printout.”
His concern has been echoed by other voting experts including Matt Blaze, a computer science and law professor at Georgetown University Law Center.
“A particularly worrying aspect to me is the reliance on personal mobile phones,” Yee told Quartz. “Security measures applied to the digital ballot after votes are entered into the phone, such as storing votes on a blockchain, do not protect users from attacks before that point, on the process of viewing the ballot and entering their votes.”
With 2020 elections on the horizon, Voatz has hardly opened itself for public examination. Expanding its usage, especially against the better judgment of voting experts, appears premature and perhaps even irresponsible.
In June, Voatz raised $7 million to continue working on its software. And before that, the company raised $2.2 million from the venture division of Overstock.com. In August, Overstock CEO Patrick Byrne abruptly resigned after revealing his relationship with Maria Butina, a woman who pled guilty to being a Russian agent.