Dear DefCon Voting Village, Thanks for Including Us

We are grateful to the Voting Village for championing an inclusive “safe mode” DefCon experience this year. Today, inclusivity within the hacker community—just as we’re seeing across the country—is more important than ever. Our shared goals, too, are more important than ever. 

We’re particularly glad to be part of this gathering. It’s really good to see you, and good to be seen. 

We’d like to spend a few moments, now that we are all together, to reaffirm our commitment to this community, to establish a path forward that ensures we have a standard for working together, and finally, to clarify misconstrued information (which we take responsibility for not clearing up sooner) and to pose a question to this community about it. 

We recognize and acknowledge that many have been upset with us—even outraged. We appreciate we’re operating in a critical space and don’t take lightly the pressures from all sides of the aisle. 

Some people don’t like what we’re trying to do—straight up. Some are upset because we require voters to provide an ID for verification. Some say our work is not secure, some say we aren’t transparent. Some—though maybe implicitly—don’t like what we do because our work would allow more people to vote. Some have called us a threat to democracy. 

We hear you. We recognize you care about our democracy. As participants in this space, we are grateful for your voice and participation. We recognize it is critical to have differing opinions, and healthy debate.  

We will be the first in line to say we are not perfect—just like the United States’ current voting system isn’t perfect. We are sure we could have navigated situations with better clarity in the past. 

We are here for an important reason, and we are firmly committed to doing better, each and every day, in service of our mission: that those who are disenfranchised by their current voting options, whether military, overseas or disabled voters, have access to a safe, secure, verifiable method of voting. In our view, and we hope yours too, email, fax, and postal mail simply do not cut it for these groups. They are neither reliable nor secure, and for some, they violate their right to a private ballot.

In light of our mission, we must say this—our ability to collaborate with you all is critical.  

A Code of Conduct for Elections

We believe the Voting Village at DefCon is an opportunity to create a pathway for this collaboration, where inclusivity and a code of ethics are clearly outlined. We look forward to being part of the conversation with you, and we’re curious about what we all, collectively, can learn from the Voting Village’s Code of Conduct as a model for how we might govern election platforms, election officials, and researchers to avoid miscommunication and misinformation. 

In the end, it is up to all of us to set and maintain a standard. 

Finally, we’d like to address the situation that has pitted a few passionate voices against us because, respectfully, it is a textbook case of misreporting and repetition escalated into a dangerous environment of misinformation and mistrust. 

The 2018 Attempted Intrusion: What Happened 


First, we’d like to lead with the fact that we have never reported anyone to the FBI, nor to any law enforcement. 

Here’s what happened: an attempted hack was made during the West Virginia midterm election in October 2018. The Voatz system was being used to service the state’s deployed military voters, their families, and overseas citizens. 

The attempt was identified and blocked, and we reported the activity to the West Virginia state elections team as per standard and required protocols. We did not report anyone to the FBI, nor to any law enforcement. This is not our role. 

For context, election infrastructure in the U.S. is designated by the DHS as “critical infrastructure”, along with 15 other sectors, which makes any tampering and interference a federal crime. There are established procedures for reporting any attempts made on critical infrastructure. 

The actor(s) who made the attempt in 2018 had not registered for our public bug bounty program, nor used the test system available through the bug bounty program. They did not reach out to us to indicate that their activities were in good faith, and the activities they performed were indistinguishable from those of a malicious user. 

As stewards of critical infrastructure, authorities in West Virginia called upon the US Attorney’s Office and held a press conference to issue their report on the attack, resulting in an FBI investigation. At this event, United States Attorney Mike Stuart issued a strong statement emphasizing the seriousness of election security.

Voatz does not doubt that the actors may have made some assumptions that led them to believe that attacking a live election system may have been permissible. As per the United States Attorney Mike Stuart’s statement, this is not allowed. 

One of our core operating principles is to consistently monitor, assess, and report on all aspects of the development and piloting process of our platform. That means reporting all attempts to our client (the jurisdiction). Failing to report a threat to the jurisdiction would be an oversight for a company entrusted to ensure that ballots are delivered securely. 

There have also been claims that our bug bounty program in use at that time was retroactively updated. To be clear, this is false. All updates were recorded by the public bug bounty system, and there is no way for bug bounty terms to be retroactively applied or updated without showing the update timestamps, or for them to appear in its change history.

Despite this statement and our efforts to clear the misinformation, we are fully aware of the suspicion against us and that some, no matter the facts, will not accept them—this is the nature of the current media landscape. Our commitment is that we will continue to be available for those who wish to collaborate with us.

Conclusion & Call to Action

Finally, we’d like to end with an open call. This space, as you all well know, is inherently complex. We’d like to invite you into an open dialogue around how you might consider the roles of all participating parties in our critical infrastructure, whether election officials, cybersecurity experts, or voting technology providers. It will take all of us working together to ensure the security of this very critical infrastructure.

It is abundantly clear that we have the same goal—protecting voters and their ability to participate in our democracy—and we all must be able to enter into dialogue. How should we work together for that goal? We firmly believe that we must move forward to expand more secure options beyond mail-in voting, email, and fax, and we need to do that as a community. Taking a cue from this Voting Village, what should our “Code of Conduct” be for working together and paving a path forward to secure our elections?

We would love to hear from you, whether in the form of participating in our bug bounty program, or with your thoughts and feedback sent to the email ID (cos at voatz dot com), where you can reach us with follow-up reflections and questions. We will respond in private (if you prefer), or publish responses and questions after DefCon.

We welcome your feedback and look forward to collaborating—and, truly, thank you for welcoming us.

10 Reasons Why Smartphone App Voting is better than Web Browser Voting

Many assert categorically that “Internet voting” is not secure—but this blanket statement does not consider the recent developments in technology, nor the differences in security across internet-based voting platforms.

Bottom line: Voting using an app on your smartphone is NOT the same thing as voting on an internet web browser on your computer (or smartphone).

We’ve outlined the above comparison to depict the security differences between a voting app and a voting website. To experience a full download of this graphic—with detailed explanations of each feature—click the button below.

Voatz Mobile Voting Platform Verified as Compliant with Federal Voting System Guidelines by Independent Testing Lab


BOSTON, July 21, 2020 /PRNewswire/ — Voatz, a leading mobile voting platform, meets the applicable requirements for U.S. voting systems, according to Pro V&V, an independent, federally-certified Voting System Test Laboratory (VSTL). 

Pro V&V recently completed comprehensive testing of the Voatz Remote Accessible Ballot Delivery, Marking and Return (RABDMR) System.

In a 47-page report, Pro V&V concluded that the Voatz platform “meets the applicable requirements set forth for voting systems in the U.S. Election Assistance Commission (EAC) 2015 Voluntary Voting System Guidelines (VVSG), Version 1.1, with clarifications or exceptions noted in Section 4.0 of the final version of Pro V&V Test Report.” 

A summary of the report has been made public on the Voatz website, along with a link to the full report.

Conducted over a five-month period, Pro V&V’s testing included Accuracy testing to verify specific voter selections and that the “voter’s encrypted, emailed ballot receipt and jurisdiction’s printed ballot match the voter’s choices.” 

Their testing also included an analysis of the Voatz mobile applications’ use of native smartphone accessibility capabilities, including screen readers, predictive layout and navigation, voice control, and flexible session timeout limitations, as well as the application’s language capabilities (Spanish). 

Security Testing involved an audit of the Voatz application source code, testing procedures and compliance with industry standards. As the report states, “Pro V&V verified various controls and measures to meet the required security standards including: protection of the critical elements of the voting system; establishing and maintaining controls to minimize errors; protection from intentional manipulation, fraud and malicious mischief; identifying fraudulent or erroneous changes to the voting system; and protecting the secrecy in the voting process. During the security evaluation, Pro V&V was able to verify that the Voatz RABDMR utilized a blockchain-based infrastructure from the server throughout the remainder of the process.”

“We are pleased with Pro V&V’s conclusions that Voatz operates exactly as it’s designed to operate,” said Nimit Sawhney, Voatz’s Co-Founder and Chief Executive Officer. “Their findings confirm our expectations, and add further fuel to support our mission that citizens can vote securely using a smartphone application and have total confidence their ballot is counted while remaining fully secret.”

Voatz has completed 67 elections to date, performing as expected in each of them, including 11 governmental elections. In 2018, Voatz partnered with the West Virginia Secretary of State’s office to enable a first-in-the-nation mobile voting pilot, which allowed deployed military service people to vote for the first time using an app on their smartphones. 


About Voatz
Voatz is an award-winning mobile elections platform that leverages cutting-edge technology (including remote identity verification, biometrics and a blockchain-based infrastructure) to increase access and security in elections. Since 2016 Voatz has run 67 elections with states, counties, cities, towns, universities, nonprofits, and both major state political parties in multiple states for convention voting. Learn more here.

About Pro V&V 
Pro V&V is one of only two testing labs that is both certified by the EAC as a Voting System Testing Laboratory (VSTL) and accredited by NIST through the National Laboratories Accreditation Program (NLAP).

See Voatz’s White Paper Published at the 2020 NASS Summer Conference

Voatz recently submitted a white paper shared by the National Association of Secretaries of State (NASS), entitled “Standardization of Remote Ballot Marking & Return Through a Rigorous National Study & Examination”.

The paper calls for a comprehensive study focused on defining the security and functional requirements for apps designed to receive the appropriate blank ballot, enable marking of the ballot, and assure the return of a ballot using a commercial off-the-shelf computer. This study should consider if these apps can take full advantage of the security features of the platform, while being able to verify the voter, secure their markings of the ballot, encrypt & guarantee the return of the marked ballot all while assuring the anonymity of the voter.

We recommend including experts from a cross-section of organizations, federal agencies, representatives from disenfranchised communities, and technologists to determine a process to establish, test, and deploy systems that will support our democracy. The most inclusive effort will allow significant participation from the private sector and outreach to voters.

The paper contends that a well-executed and transparent study of remote ballot marking will provide comfort and confidence to citizens and other stakeholders that the systems that states are choosing to deploy meet rigorous federal government guidelines and widely accepted standards.

A link to the paper can be found on the NASS website here.


Voatz and Take Back Action Fund partner to drive access to voting

Voatz and Take Back Action Fund announced their partnership to champion secure voting options for those who cannot vote, or who are challenged to vote in person or on paper.


BOSTON (PRWEB) JULY 15, 2020

Voatz, a secure mobile voting platform, and Take Back Action Fund, a non-profit that is dedicated to making sure that everyone can join the electoral process, today announced their partnership to champion secure voting options for those who cannot or who are challenged to vote in person or on paper. This call-to-action specifically and especially impacts our deployed military service personnel, overseas citizens, and voters with disabilities.

At a time of deeply polarized debates questioning the legitimacy of every step of the electoral process, we are joining together to build a state-level enfranchisement campaign based on the idea that everyone has the right to a secure and secret ballot. 

We know that having a successful election in November 2020 will mean that everyone, irrespective of circumstances, will be able to exercise their right to vote. Yet, as we’ve witnessed in the primaries, in-person voting descended into chaos in many cases, people with disabilities faced multiple levels of challenges on election day, and U.S. citizens in roughly 100 countries are completely cut off from postal mail, making it nearly impossible for deployed military and overseas citizens to send in a secret ballot. 

Take Back Action Fund will start its grassroots and activist work in West Virginia, which pioneered and successfully implemented mobile voting for these specific groups in a successful 2018 pilot. Voatz partnered with the state at the time, with military service people participating from 26 countries. 

Take Back Action Fund will work to unite non-profits, military service members, and local disability rights groups to voice their concerns about current voting options and work to create a seat at the table for everyone. Take Back Action Fund will send a clear message that recent advancements in technology have made it possible to deliver an uncompromised, private vote in these critical elections. 

Nimit Sawhney, co-founder and CEO of Voatz said, “Making voting accessible for everyone is our driving mission at Voatz. We believe our platform can make voting not only more accessible but also more secure for certain segments of the population when compared to their current options. Our experience with West Virginia in 2018, and our overall 67 successful elections (11 governmental pilots) have showcased that we can deliver a secure and private ballot.” 

John Pudner, Executive Director at Take Back Action Fund said, “We recognize the painful situation unfolding in our nation right now and its major impact on our ability to vote in person. I’ve spent the last couple of weeks observing and listening to disenfranchised groups from across the country who have been particularly vulnerable to these shocks to the system, and it is more apparent than ever that in order to enact systemic change, we must ensure a seat at the table for everyone. There is no one solution that will ensure everyone can vote. With Voatz, we see that it’s possible to securely bridge the limitations of vote by mail and voting at a polling station.”


About Voatz 
Voatz is an award-winning mobile elections platform that leverages cutting-edge technology (including biometrics and a blockchain-based infrastructure) to increase access and security in elections. Since 2016 Voatz has run more than 67 elections with cities, universities, towns, nonprofits, and both major state political parties for convention voting. Learn more here.

About Take Back Action Fund 
Take Back Action Fund or TBAF (also recognized by the IRS as Take Back Our Republic Action Fund) launched on May 5, 2015, three months after its sister organization Take Back Our Republic (Take Back). TBAF is a conservative, non-partisan 501(c)(4) organization.

Voatz Completes Mobile Voting Election in South Dakota

Summary: The Republican party of South Dakota offered mobile voting to all delegates in its virtual convention last weekend with 85% delegates voting through the Voatz app. 50% of those voters submitted ballots within the first 20 minutes of the voting window. 


Boston, June 25, 2020 — Following the momentum of successful virtual conventions in both Utah and Arizona, last weekend Voatz successfully completed its third virtual convention with no incidents, generating elevated participation numbers and record engagement. The convention brought together delegates from 31 counties and concluded on Saturday, June 20, 2020. 

Dan Lederman, Chairman of the South Dakota Republican Party, said “Our goal was to create a convention experience that energized the Republican party in South Dakota and replicated an in-person convention. An uncontested convention did not deter delegates from voting, because it was easy. It was a team effort – Voatz worked with us for four weeks ahead of the convention to credential delegates, ensure a smooth rollout, and provide a test vote to get delegates comfortable with the system. It was a successful day for the South Dakota Republican Party.” 

“Voatz is proud to partner with the South Dakota Republican Party to securely enable their delegates to vote in their convention while, most importantly, keeping them safe during this uncertain time,” says Voatz Co-Founder and CEO, Nimit Sawhney. “This was the first time voters in South Dakota were able to vote through a mobile app in an election, and we were glad to see the enthusiastic response. More than half of the voters using the app submitted their ballot within the first 20 minutes of the voting window opening.  Voatz is excited to replicate the successes we’ve seen in the Utah and Arizona Republican Party Conventions, where record numbers of delegates submitted their votes seamlessly.” 

The successful use of mobile voting in South Dakota is an excellent roadmap for election officials looking to expand voting options in states where mail-in voting and polling places are likely to be impacted by the coronavirus. A mobile voting solution would bring relief anywhere the population skews more elderly.

The South Dakota Republican Party chose Voatz as the mobile voting platform for its virtual convention after clear demonstrations that Voatz could handle the dynamic nature of the convention and the potential for runoff rounds of voting. The platform allowed delegates to vote securely, privately, and electronically through their mobile phones. Voatz helped make the voting process safe and verifiable for delegates and candidates.      


Voatz is an award-winning mobile elections platform that leverages cutting-edge technology (including biometrics and a blockchain-based infrastructure) to increase access and security in elections. Since 2016 Voatz has run more than 65 elections with cities, universities, towns, nonprofits, and both major state political parties for convention voting. Learn more here.

We Cannot Afford to Dismiss Online Voting

Below is a letter from Voatz CEO to the editor of The Economist in response to last month’s article, “Why voting online is not the way to hold an election in a pandemic”.


Dear Editor of The Economist,

Allow me to begin by saying that I hold immense respect for The Economist, its well-researched content, and data-driven conclusions. I was surprised, however, to see an almost categorical dismissal of online voting in your article last month, Why voting online is not the way to hold an election in a pandemic.

Whether we like it or not, technology has permeated our lives in undeniable ways, including our vote by mail system (like online absentee requests, voter registration, and electoral rolls). According to Pew Research, an outstanding 75% of adults across the world’s advanced economies own a smartphone, and most of us perform critical work through our mobile devices (including consuming this article).

Without our devices, we have no essential services—banking, telemedicine, news, video conferencing, online faith services, and social interactions—especially in the midst of a pandemic.

Computer science academics who argue that “no electronic system can be fully immune to cyber-attacks and technical issues” are missing the inclusion of key technological advances in their findings: fingerprint and facial authentication, the immutability of a digital signature, cryptography, and the decades-long work championed by Bill Gates and others in the field of trustworthy computing. Remarkably, these advances are all now embedded within our current-generation smartphones and can be leveraged to secure our ability to vote remotely. These arguments against online voting also overlook the very real imperfections of the current system, and its lack of resilience—during the U.S. 2018 midterm elections, for example, nearly half a million mail-in ballots were not counted, and many of those voters were not informed.

These arguments rob our critical infrastructure of the nuance demanded for consideration, and they keep our country locked in the past, actively shutting out citizens from participation. They also ignore the multiple, successful pilots that began in 2018 to enable deployed military, overseas citizens, and voters with disabilities to vote more easily and securely from the safety of their mobile devices. 

If we can agree that online voting is someday inevitable, how will we get there without the support of pilots and testing? 

This pandemic has revealed, in plain sight, the glaring flaws in our current voting systems. They are not resilient. There is no room for contingencies or disruptions. In a COVID-19 world, we must consider all methods to secure access to the vote—and this includes safe and auditable ways to conduct voting online. 

The time for piloting and testing is now. I will champion any initiative that works in tandem with local officials to ensure the security and integrity of each vote. With all due respect, however, shutting down the conversation is not the way to get ready for voting during this pandemic—or even the next. 

Sincerely,

Nimit Sawhney
Co-Founder and CEO, Voatz

State-of-the-Art Security Performs First-Rate Threat Mitigation in Largest Mobile Voting Exercise

A few weeks ago, nearly 7,000 votes were submitted using the Voatz mobile voting platform. During the election, our advanced security threat detection mechanisms were able to detect, mitigate and thwart a handful of smartphones that had malware, were operating on insecure networks, or had insecure applications installed. The ability to detect, log and mitigate these types of threats is unique to the Voatz mobile voting platform. To do this, we combine widely-used threat detection software with our own technology to safeguard the voting process. This ensures that only voters with secure smartphones are permitted to cast a ballot, and if the system detects any threats on the smartphone, a voter will not be able to vote. In short, if a voter has a compromised device—whether they know about it or not—they’ll receive an error and will not be able to vote.

Threat Mitigation

In the election, a handful of voters had compromised devices and were prevented from voting until their device threats were mitigated. In some instances, voters were asked to remove malware from their devices. In others, voters were asked to delete certain applications or disable functions they had installed which made their smartphones insecure. These voters were unable to vote until they did so. These cases provide important data indicating that the system is capable of detecting threats at a very granular level and, above all, of ensuring a secure vote. Below are statistics on the types of malware or applications detected, along with the device type. First, it is interesting to note that despite far more voters voting from an iPhone, far more threats were detected on Android devices:

Mitigated Threat: Network Security Threats

A network security threat means that a device is operating on a WiFi network that isn’t safe. Voatz doesn’t allow voters to vote from an unsafe WiFi network because it could lead to a “Man-in-the-Middle” attack, or a malicious attacker hijacking traffic, stealing credentials, or delivering malware to the device. If a voter tries to vote on an unsafe WiFi network, they receive error messages and are asked to switch to a different network in order to vote.
[Charts: number of iOS devices and number of Android devices detected with a network threat, over time]
Threat detected: Voatz detected (18) iOS devices and (17) Android devices to be operating on insecure WiFi networks. These voters were unable to submit their ballots as a result.
Mitigation: These voters were asked to switch to a more stable cellular or WiFi network, reboot their device, and then they were able to submit their ballots.
[Chart: 1 Android device threat detected with ARP poisoning]
Threat detected: Voatz detected (1) Android device to be susceptible to ARP poisoning (meaning the device was operating in an insecure network environment, perhaps with an appliance that was interfering with the network traffic).
Mitigation: After this cause was discovered, the voter was asked to remove the offending network appliance from the network and then was able to proceed.

Mitigated Threat: Device Pin Not Set

If a smartphone doesn’t have a device PIN set, that means that the person who owns the smartphone hasn’t yet set up their smartphone’s PIN or activated their biometrics to keep the phone secure (i.e. when they unlock the phone, as a safety measure they have to enter the device PIN or use their biometrics to get in). Voatz doesn’t allow voters to vote from a device that doesn’t have a PIN set, because it leaves the device susceptible to easier access if an outside bad actor were to obtain physical access to the device. If a voter tries to sign up with Voatz and doesn’t have their device PIN set, the voter will receive an error until they set their device PIN or enable biometrics.
[Charts: number of iOS devices and number of Android devices detected with PIN not set, over time]
Threat detected: Voatz detected (3) iOS devices and (89) Android devices that had not yet set their device PIN.
Mitigation: They were requested to activate their device PIN or biometrics and afterwards were able to proceed with voting.

Mitigated Threat: Sideloaded Apps

Sideloaded apps are applications that have been installed on a device, typically by bypassing the device’s security protocols. Voatz detects any time a device has a sideloaded app installed, because some sideloaded apps can contain malware. Even if the sideloaded app is benign, as an extra precaution Voatz detects this and then analyzes whether or not it is benign. If it is deemed benign, then the voter is able to proceed. If the sideloaded app contains malware, the voter is requested to remove the application from their device before they are able to proceed and vote.
[Charts: number of iOS and number of Android sideloaded apps detected, over time]
Threat detected: Voatz detected (15) iOS devices and (173) Android devices with sideloaded apps (apps that could potentially introduce a security threat on the device).
Mitigation: After investigation, the apps were deemed to be benign and the voters were able to proceed.

Mitigated Threat: Sideloaded Apps with Malware

[Chart: malware detected on Android devices]
Threat detected: Voatz detected (2) Android devices with sideloaded apps that contained malware.
Mitigation: Voters were asked to delete the offending apps and reboot their phones, or to use a different device in order to proceed.

Mitigated Threat: USB Debugging Enabled

USB debugging enablement is a threat only associated with Android devices. It lets the device communicate with a computer, and allows access to specialized areas of the phone otherwise inaccessible. Voatz detects if a device has USB debugging enabled and whether or not that device is connected to a computer. If the device is connected to a computer, the Voatz system will not let a vote be submitted and the voter will receive an error.
[Chart: number of Android devices detected with USB debugging enabled, over time]
Threat detected: Voatz detected (11) Android devices with USB debugging enabled (which allows a smartphone to communicate with a computer).
Mitigation: Because the mobile devices were not connected to a computer at the time of voting, voters were able to proceed.
[Data provided by Voatz Security Operations]
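The five mitigated-threat sections above describe a device posture policy: some signals block the voter outright (insecure WiFi, ARP poisoning, no device PIN, malware in a sideloaded app), while others are only logged unless a further condition holds (a benign sideloaded app is allowed; USB debugging blocks only when the phone is actually connected to a computer). The block below is an added example written for this page, not Voatz code: it encodes those rules as one evaluator, returns the voter-facing mitigation for each blocking signal, and tallies detections per platform the way the statistics above are broken out. The `DeviceReport` fields, threat labels and sample telemetry are all hypothetical; a real platform would source the signals from an on-device threat-detection SDK.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DeviceReport:
    """Posture signals reported by one voter's device (hypothetical field names)."""
    platform: str                          # "ios" or "android"
    pin_set: bool = True                   # device PIN or biometrics enabled
    insecure_wifi: bool = False            # open, rogue or otherwise unsafe WiFi
    arp_poisoning: bool = False            # ARP spoofing observed on the local network
    sideloaded_apps: tuple = ()            # identifiers of apps not installed via the store
    malware_apps: frozenset = frozenset()  # sideloaded apps a scanner flagged as malicious
    usb_debugging: bool = False            # Android developer option
    connected_to_computer: bool = False    # USB host attached right now


@dataclass
class Decision:
    allow: bool
    threats: list = field(default_factory=list)      # everything detected, for logging
    mitigations: list = field(default_factory=list)  # what the voter must do before retrying


def evaluate(report: DeviceReport) -> Decision:
    """Apply the posture rules described in the post to one device report."""
    d = Decision(allow=True)

    def block(threat: str, mitigation: str) -> None:
        d.allow = False
        d.threats.append(threat)
        d.mitigations.append(mitigation)

    # Network-level threats always block: the ballot must not cross a hostile LAN.
    if report.insecure_wifi:
        block("network_threat", "Switch to a cellular or trusted WiFi network, reboot, and retry.")
    if report.arp_poisoning:
        block("arp_poisoning", "Remove the interfering network appliance or move to another network.")

    # A phone without a lock screen is blocked until a PIN or biometrics is enabled.
    if not report.pin_set:
        block("pin_not_set", "Set a device PIN or enable biometrics, then retry.")

    # Sideloaded apps are always logged but only block when flagged as malware.
    if report.sideloaded_apps:
        d.threats.append("sideloaded_app")
        bad = sorted(set(report.sideloaded_apps) & report.malware_apps)
        if bad:
            block("malware", f"Delete {', '.join(bad)} and reboot, or use a different device.")

    # USB debugging is an Android-only signal; it blocks only while a computer is attached.
    if report.platform == "android" and report.usb_debugging:
        d.threats.append("usb_debugging")
        if report.connected_to_computer:
            block("usb_debugging_connected",
                  "Disconnect the phone from the computer (or disable USB debugging) and retry.")
    return d


def tally(reports) -> Counter:
    """Count detections per (platform, threat), the per-platform breakdown shown above."""
    counts = Counter()
    for r in reports:
        for t in evaluate(r).threats:
            counts[(r.platform, t)] += 1
    return counts


# Constructed sample telemetry for illustration; not real election data.
SAMPLE_REPORTS = (
    DeviceReport("ios"),
    DeviceReport("ios", insecure_wifi=True),
    DeviceReport("android", pin_set=False),
    DeviceReport("android", sideloaded_apps=("com.example.launcher",)),
    DeviceReport("android", sideloaded_apps=("com.example.cleaner",),
                 malware_apps=frozenset({"com.example.cleaner"})),
    DeviceReport("android", usb_debugging=True),
    DeviceReport("android", usb_debugging=True, connected_to_computer=True),
    DeviceReport("android", arp_poisoning=True),
)

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        d = evaluate(r)
        print(f"{r.platform:8} allow={d.allow!s:5} threats={d.threats} mitigations={d.mitigations}")
    for (platform, threat), n in sorted(tally(SAMPLE_REPORTS).items()):
        print(f"{platform:8} {threat:25} {n}")
```

The evaluator deliberately keeps logging and blocking separate: `threats` records every signal so the per-platform statistics can be produced, while only `mitigations` (and `allow`) drive what the voter sees. That split is what lets the same code both refuse a compromised device and report, as the post does, that most sideloaded apps and USB-debugging detections turned out to be non-blocking.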