Cybersecurity Experts Say Hacking Risk Is High for Mobile Voting

(Bloomberg Businessweek) -- While Senators Amy Klobuchar and Ron Wyden push to expand vote-by-mail programs, a small group of companies argue for an alternative, one they claim will boost voter participation nationwide: mobile voting.

Jurisdictions in at least 15 states are planning to use mobile balloting in a limited capacity in 2020 to account for overseas voters and those with disabilities. Proponents of a digital electorate hope the coronavirus spurs adoption of their technology. The virus has provided an “opportunity,” says Bradley Tusk, chief executive officer of Tusk Holdings and a supporter of mobile voting: “People are being told by the government not to congregate, and that’s a pretty clear directive not to go vote.” Tusk, who says he hasn’t invested in any mobile voting companies, has spent “in the low seven figures” helping local governments cover the costs of adopting the systems.

Massachusetts Institute of Technology doctoral student Michael Specter describes Tusk’s position as a “false dichotomy” that ignores postal ballots. He and his colleagues say mobile voting technology is unproven and opens the door to cyber risks.

A mobile voting app called Voatz has already been used in federal, local, and partywide elections in Denver, Oregon, Utah, and West Virginia. In a paper published in March, cybersecurity research firm Trail of Bits discovered 79 flaws in the Voatz system, including one that allows someone armed with the proper credentials to alter votes. The paper, funded in part by Tusk and Voatz, expanded on findings published in February by Specter and his MIT colleague James Koppel.

West Virginia was set to adopt Voatz for its May 12 presidential primary, before the state pulled the plug, citing security concerns raised in the paper. Voatz founder and CEO Nimit Sawhney describes the findings as a malicious attack by entities ideologically opposed to online voting. He says state and local election administrators aren’t prepared to handle the burden of an exponential increase in postal ballots, which have been known to get lost and go uncounted. “The current crisis heightens the need to have an alternative method like mobile voting,” says Sawhney, who created Voatz after winning a 2014 hackathon at South by Southwest in Austin. Despite the “animus towards us,” he says Voatz is meeting with potential customers.

Security experts say that even if attackers don’t change votes, their threat to a mobile election system may trigger questions about the credibility of results. According to J. Alex Halderman, a University of Michigan professor who specializes in election security: “We’re at least a decade away, if at all.”

West Virginia now plans to use Seattle-based Democracy Live to handle digital voting in its primary. With Democracy Live, jurisdictions get access to an Amazon Web Services portal where users go to download a ballot or make selections online. Either way, the ballots are printed and counted by local election officials, in contrast to Voatz, which is an all-digital system.

For three weeks leading up to Feb. 11, voters in the Seattle region cast ballots online in an election for a board of supervisors position on the King Conservation District using Democracy Live. The vote was the first election in the U.S. to enable voters to cast ballots by phone, tablet, or computer. It worked without a glitch for the more than 3,000 voters who cast ballots, according to the local election administrator. Bryan Finney, founder and CEO of Democracy Live, says multiple states and local jurisdictions have since approached him. While Finney says he’s discussing testing hacking vulnerabilities with the U.S. Department of Homeland Security, he declined to disclose details of earlier tests.

Senator Wyden isn’t impressed. “Security experts have shown over and over again that online voting isn’t safe, isn’t reliable, and is dangerously vulnerable to foreign hackers,” the Oregon Democrat says. Tusk says that misses the point. “The cybersecurity experts will say it’s terrible if people over the age of 70 are voting on their phone,” he says. “But is that more terrible than them dying of the virus because they voted in public? I don’t think so.”

©2020 Bloomberg L.P.