Who is Voatz?
Voatz is a mobile elections platform that makes it possible to vote from a mobile device by leveraging the security built into the latest versions of smartphone technology, and the immutability of the blockchain. Since June 2016, more than 80,000 votes have been cast on the Voatz platform across more than 30 elections. Voatz has experience working with both major political parties, churches, unions, universities, towns, cities, and states, all in the effort to make it safe, convenient and easy to vote.
Why is Voatz in the elections industry?
Voatz was started in 2015 by the co-founders after winning a hackathon at SXSW with an idea that would become the early seedlings of the Voatz platform. With careers in technology, digital security and mobile payments, they started an experiment to combine the latest advancements in smartphone technology with biometrics and blockchain technology in order to make voting more accessible and potentially evade voter coercion in certain circumstances. Voatz has since grown into a group of passionate people, all working to make voting as safe, accessible, easy and secure as possible.
Is this internet voting?
While there are different definitions that may come to mind for “Internet Voting”, the term typically refers to a browser residing primarily on a voter’s PC connected over the Internet to a web server. There are several key differences between traditional Internet voting and Voatz. First, only recently-manufactured smartphone models from Apple, Samsung and Google are supported with Voatz. These devices are built with security features, like fingerprint and facial recognition, that extend far beyond standard browsers running on a potentially-compromised PC for voter authentication. Second, modern smartphones provide hardware-based security to store private keys which, in turn, allow highly secure, encrypted transactions to be conducted over the public Internet. Third, votes are stored on a permissioned blockchain that will eventually be controlled by various stakeholders (e.g. a Secretary of State or a state board of elections) to ensure their tamper resistance and immutability.
Why the smartphone?
The smartphone is used for platform readiness, security and convenience. In the United States, according to Pew Research, the rate of smartphone ownership was 94% of people ages 18-29, 89% of those ages 30-49 and 73% of those ages 50-64.
What smartphones are supported?
iPhone 5s or newer, and select Android handsets (2016 or newer) from approved device manufacturers are currently supported.
What happens if someone doesn't have a smartphone?
Mobile voting is simply one voting channel. Any voter without a smartphone that meets the security requirements can still vote the way they have in the past.
What happens if the smartphone is hacked?
Only smartphones that support the necessary security requirements can run the Voatz app, either from the iOS App Store for Apple phones, or the Google Play Store for Android phones. These requirements include support for biometric authentication and running the latest version of the operating system. The Voatz app takes advantage of the capabilities of the supported smartphones, which can detect if the operating system has been tampered with (e.g. an operation known as a “jailbreak”). The Voatz app does not permit a voter to vote if the operating system has been compromised. We recommend reviewing the mobile security documents listed in the "Resources" section of this FAQ, as well as the “Blockchain & Security” sections of this FAQ for additional information.
If a device is compromised, the Voatz platform goes to significant lengths to prevent a vote from being submitted. Beyond only operating with certain classes of smartphones with the latest security features, Voatz ensures end-to-end vote encryption and uses multiple approaches for malware detection. We recommend reviewing the mobile security documents listed in the "Resources" section of this FAQ.
How do we know if the Voatz app can be trusted?
The Voatz app is built with security measures embedded in qualified smartphones and employs blockchain technology to ensure that, once submitted, votes are verified and immutably stored on multiple, geographically diverse verifying servers. In addition, Voatz generates a voter-verified audit trail with each vote cast. Upon casting a vote, voters also receive an automatic, digitally-signed receipt with their selections in order to review that their vote was recorded properly. The election organizer also receives an anonymized copy of the digital receipt, ensuring that a post-election audit may be conducted between the paper trail, the anonymized receipt, and the blockchain.
Beyond enabling multiple audit trails, Voatz has submitted the smartphone voting app to independent third party security firms for audit and undergoes frequent, rigorous, ongoing “red-team” testing. In addition, Voatz is the 1st elections company in the world to run an open bug bounty program on HackerOne for community vetting of its upcoming platform releases.
Has Voatz run pilots or elections before?
Yes. To date, Voatz has conducted more than 30 successful live elections that range from state party conventions, student government elections and town meeting voting. A number of these elections were scoped as pilots that have led to longer-term relationships with clients. In the largest election, more than 15,000 votes were cast. The purpose of all the Voatz pilots is to first and foremost deliver on stakeholder expectations, while also continuing to learn and improve the Voatz platform.
How does voter authentication work?
On the Voatz app, authentication is a three-step process that uses the smartphone’s camera and its biometric feature (i.e. fingerprint recognition or facial recognition): (1) the voter scans their state driver’s license or passport, (2) takes a live facial snapshot (a video “selfie”), and (3) touches the fingerprint reader on the smartphone, which ties the voter’s device to the voter. Once the voter is authenticated, the app matches the voter’s “selfie” to the facial picture on their passport or driver’s license and confirms the voter’s eligibility to vote against the state’s voter registration database.
What is the purpose of voter authentication?
Authentication verifies that the voter is who they say they are, that their jurisdiction confirms they are eligible to vote, and that their identity is biometrically tied to the smartphone being used.
Is Voatz registering voters?
No. Voatz partners with election officials to access the state voter registration databases, then ties the voter’s identity to the voter’s record to ensure they’re registered before enabling them to access their ballot.
How do I vote?
Voting with Voatz is only available in elections that are engaging the technology on a pilot-basis or on a contractual-basis.
If voting in an eligible election, the process begins when an eligible voter receives a ballot from their county, typically at the beginning of the early voting window. The voter will receive a red badge notification from their Voatz app, indicating they now have the option and eligibility to cast a ballot(s) in an ongoing election. The voter opens the Voatz app on his or her smartphone and unlocks it with their fingerprint or Face-ID to begin voting. Selections for choices (candidates or ballot questions) are made one contest at a time by touching a candidate’s name. Voters are prevented from selecting more choices than allowed to ensure that only their allotted number of votes count. At any time before submission, the voter can review their choices and make changes if necessary. Once finished, the voter submits their ballot. Once submitted, all information is anonymized, routed via a “mixnet” and posted to the blockchain.
Is there a paper trail?
Yes, a paper ballot is generated on election night for every mobile vote recorded on the blockchain and the printed ballots are tallied using the standard counting process at each participating county. This also facilitates a post-election audit by comparing the paper ballots with the anonymized voter-verified digital receipts generated at the time of vote submission.
How do I know my vote was counted?
Once a voter submits a ballot, a “pending” message appears on their smartphone. While the ballot is in a pending state, the blockchain verifying servers are simultaneously and independently attempting to verify the ballot. Once one blockchain server performs a verification, the other servers can instantly confirm the verification. After every blockchain server has confirmed the vote(s), every copy of the blockchain is updated and a confirmation message is sent to the voter’s smartphone. If you try to vote again, the Voatz app will indicate that you’ve already voted.
What is the West Virginia Mobile Voting Pilot?
The 1st phase of the West Virginia Mobile Voting Pilot was conducted during the 2018 primary election in Monongalia and Harrison Counties. This pilot was the first time that registered military personnel, their spouses, dependents and citizens stationed overseas could cast an official ballot on a smartphone and have their vote secured by blockchain technology.
The 2nd phase of the pilot was conducted during the 2018 midterm elections and was expanded to West Virginia’s UOCAVA voters in 24 counties.
How does this compare to other military voting initiatives?
The West Virginia Mobile Voting Pilot follows the same set of administrative procedures that jurisdictions typically follow to authenticate overseas military voters and determine their eligibility to vote. The difference is how official ballots are delivered to qualified voters, and how ballots from qualified voters are returned to the jurisdiction.
Current options for overseas military personnel include email, fax or postal mail, all of which are insecure, do not preserve privacy, and are often inconvenient to the voter. The returned ballots from these earlier options also imposed a burden on the jurisdiction’s staff because they could not be tabulated without manual transcription.
This pilot enables an authenticated military voter to cast a secret ballot conveniently on a familiar, secure device — their smartphone. Instead of being stored on a single, Internet-connected server, in this pilot, votes are recorded on redundant and geographically distributed servers running open source blockchain software. Once the voter goes through the setup process, ballots from the jurisdiction will simply appear on his or her smartphone at the start of early voting. The balloting process is frictionless; the voting process is simple, secure and anonymous.
Does the West Virginia pilot run on the public bitcoin blockchain?
No. The Voatz ‘permissioned’ blockchain is built using the Hyperledger blockchain framework first created by IBM, now supported by the Linux Foundation. This type of blockchain is distinctly different than permissionless blockchain frameworks, like Bitcoin. In order to participate in the permissioned blockchain, a voter or auditor must first be verified. In the West Virginia pilot, 4 to 16 verified validating nodes are being used, split between multiple cloud providers, each of which is geographically distributed. In the future, the Secretary of State or an independent State Election Board can increase the number of nodes and designate which organizations (e.g. political parties, universities, the media, NGOs, non-profits, auditors, etc.) can participate in the blockchain network as verifiers.
We believe that the initial rollout of a blockchain-based election technology benefits greatly from using a permissioned approach, as it more accurately emulates how elections are administered presently in the United States and prevents intentional bad actors from participating as verifiers.
I’m stationed overseas and my county opted in. How do I participate?
To participate in West Virginia’s Secure Military Mobile Voting pilot, a qualified and eligible voter must (1) submit a Federal Post Card Application (FPCA) to their county clerk indicating they would like to receive voting information via email or online (this process can be done via email in West Virginia); (2) once the voter receives confirmation from the Clerk, download the free mobile voting app from Voatz, Inc.; (3) authenticate themselves, and (4) upon receipt of the ballot, vote.
How is the West Virginia pilot different from the Sierra Leone blockchain pilot?
In the Sierra Leone blockchain pilot, voters still marked paper ballots, which were then manually re-coded and uploaded onto a blockchain network. In the West Virginia pilot, voters verify their identity and submit their votes directly through the smartphone-based Voatz app, which immediately uploads them to the blockchain for verification, rather than passing into someone else’s hands and then hitting the blockchain.
How does the Voatz blockchain work?
Blockchain is sometimes called “distributed ledger technology” (DLT). This is because it behaves like a general ledger with debits on the left side and credits on the right. Unlike a company’s general ledger, which typically exists on a single computer, the blockchain ledger is distributed across multiple, geographically-separated servers. These servers are called “verifiers” because their function is to verify the authenticity of the blocks (i.e. collection of votes) containing anonymous votes before they are added to the blockchain. Once a block is verified and added to the collection of previous blocks — the blockchain — the votes are copied to each verifying server and cannot be changed.
For more information on how blockchain works, we recommend starting with the videos listed in the “Resources” section of this FAQ.
Once the voter is verified, election jurisdictions initiate the process by sending a qualified voter a mobile ballot. Contained in the mobile ballot are “tokens” — think of them as potential votes — which are cryptographically tied to a candidate or ballot measure question. The number of tokens a given voter receives is the same as the number of ovals he or she would have received on a paper ballot handed out at the voter’s precinct or sent through the mail. The voter then makes their desired selections on the Voatz app on their smartphone. These selections alter the tokens (like filling in a ballot oval). Overvotes are prevented, as each voter receives only as many tokens as they have potential votes. Once submitted, the votes for choices on the ballot are verified by multiple distributed servers called “verifiers”, or validating nodes. Upon verification, the token is debited (i.e. subtracted) from the voter’s ledger and credited (i.e. added) to the candidate’s ledger. The blockchain on every verifier is automatically updated and the process repeats as additional voters submit their selections.
The Voatz blockchain is built using the Hyperledger blockchain framework. The minimum number of validating nodes used is four, and these can be expanded to 16 or 32 for the pilot as needed, depending on the anticipated number of participants. Additional scaling is planned for the future.
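The token accounting described above can be modelled in a few lines. This is an added example, not Voatz or Hyperledger code: the class names, the sample ballot, the token id format and the rule that every verifier must confirm before a vote is committed are assumptions made for the sketch.

```python
import hashlib
import json

# Constructed sample ballot: contest -> (choices, number of selections allowed)
CONTESTS = {"governor": ({"Alice", "Bob"}, 1),
            "council": ({"Cruz", "Diaz", "Egan"}, 2)}
GENESIS = "0" * 64

def block_hash(prev_hash, tx):
    return hashlib.sha256((prev_hash + json.dumps(tx, sort_keys=True)).encode()).hexdigest()

class Verifier:  # hypothetical validating node holding its own ledger copy
    def __init__(self):
        self.unspent = {}   # token id -> (account, contest)
        self.ledger = {}    # account or choice -> token balance
        self.chain = []     # [(block hash, transaction), ...]

    def issue(self, account, contest, count):
        for i in range(count):
            self.unspent[f"{account}/{contest}/{i}"] = (account, contest)
        self.ledger[account] = self.ledger.get(account, 0) + count

    def check(self, tx):
        owner, contest = self.unspent.get(tx["token"], (None, None))
        # Rejects tokens never issued, already spent, or held by another account.
        return contest in CONTESTS and owner == tx["account"] and tx["choice"] in CONTESTS[contest][0]

    def apply(self, tx):
        del self.unspent[tx["token"]]
        self.ledger[tx["account"]] -= 1                                   # debit voter
        self.ledger[tx["choice"]] = self.ledger.get(tx["choice"], 0) + 1  # credit choice
        prev = self.chain[-1][0] if self.chain else GENESIS
        self.chain.append((block_hash(prev, tx), dict(tx)))

    def intact(self):
        hashes = [GENESIS] + [h for h, _ in self.chain]
        return all(block_hash(p, tx) == h for p, (h, tx) in zip(hashes, self.chain))

class Network:
    def __init__(self, n_verifiers=4):   # four is the minimum the page states
        self.verifiers = [Verifier() for _ in range(n_verifiers)]

    def send_ballot(self, account):
        for v in self.verifiers:
            for contest, (_, allowed) in CONTESTS.items():
                v.issue(account, contest, allowed)

    def submit(self, account, token, choice):
        tx = {"account": account, "token": token, "choice": choice}
        ok = all(v.check(tx) for v in self.verifiers)   # every node must confirm
        for v in self.verifiers if ok else []:
            v.apply(tx)
        return ok

    def tally(self):
        heads = {v.chain[-1][0] if v.chain else GENESIS for v in self.verifiers}
        if len(heads) != 1 or not all(v.intact() for v in self.verifiers):
            raise ValueError("verifier copies disagree or a chain was altered")
        ledger = self.verifiers[0].ledger
        return {c: ledger.get(c, 0) for choices, _ in CONTESTS.values() for c in choices}

def demo():
    net = Network()
    net.send_ballot("acct-1")                    # pseudonymous ledger account
    attempts = [("acct-1/governor/0", "Alice"),  # accepted
                ("acct-1/governor/0", "Bob"),    # rejected: token already spent
                ("acct-1/governor/1", "Bob"),    # rejected: token never issued
                ("acct-1/council/0", "Cruz")]    # accepted
    return [net.submit("acct-1", t, c) for t, c in attempts], net.tally()
```

Calling `demo()` returns the accept/reject decision for each attempt and the resulting tally; `tally()` raises if any verifier's copy of the chain no longer matches its recorded hashes.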
How is the infrastructure different from the bitcoin infrastructure?
The bitcoin infrastructure allows an unauthenticated individual to conduct public transactions on a public network where anyone can become a verifier (called a “miner” in bitcoin terminology). In contrast, Voatz requires a voter to be fully authenticated before they can cast an anonymous ballot over a permissioned blockchain infrastructure.
Unlike bitcoin, which uses a "permissionless" infrastructure, Voatz uses a “permissioned” infrastructure. This means that only those vetted via an independent KYC process are permitted to run the verifying nodes on the blockchain. Typically, these nodes would include all the stakeholders in an election such as the major political parties, NGOs, non-profits and independent auditors, etc.
For the West Virginia pilot, Voatz had arranged to deploy managed server nodes housed on multiple cloud providers (and some bare metal servers) with each node being under the supervision of an independent volunteer systems administrator. Going forward, it is anticipated that the Secretary of State or an independent State Election Board would be the authorizing body to designate which organizations can participate in the blockchain network as verifiers.
The permissioned network is a deliberate choice, selected to most closely reflect the way current elections are administered where multiple stakeholders are part of the process (i.e. major political parties, NGOs, independent auditors, etc.).
How is anonymity preserved?
Blockchain technology, when used for financial transactions like Bitcoin, cannot be totally anonymous (hence the term “pseudonymous”). However, when used in voting with the Voatz application, the identity of the voter is doubly anonymized: first by the smartphone, and second by the blockchain server network.
After authentication, the Voatz app encrypts the voter’s identity, ties the phone to the voter via their fingerprint, and deletes all identifying information (photo, identity record). This process ensures that any identifying information is not stored. Once authenticated, voters can vote on mobile ballots they receive from their jurisdiction. If, for any reason, the voter falls off the voter registration rolls, the jurisdiction will no longer send a mobile ballot and the voter must restart the process of registration and authentication.
How can votes stored on the blockchain be audited?
In the West Virginia pilot, a paper ballot is automatically generated and printed for each mobile ballot submitted on the blockchain, then tabulated like a normal absentee ballot. This ballot contains information that can be used in an audit to ensure that every vote cast from a smartphone was counted exactly once, and counted correctly. A real-time voter-verified receipt is also generated, which will allow the state to conduct a post-election audit.
If a user’s phone or mobile network is compromised, is their vote compromised as well?
The Voatz platform goes to significant lengths to prevent a vote from being submitted if a device is compromised or has malware on it. Only certain classes of smartphones that are equipped with the latest security features are allowed to be used. Detecting a compromised mobile network is particularly challenging for a mobile application, which is why ensuring end-to-end vote encryption and vetting the certificates represented by unique IDs stored on the smartphone are two of the approaches we use to mitigate a compromised mobile network.
Has this been vetted by independent third party auditors?
Yes. Following the first West Virginia pilot, independent technology firms were engaged to vet the Voatz system. Reputable pen-testing companies were engaged to conduct penetration testing on the system and to inspect the source code of the backend systems and the Voatz smartphone applications for both iOS and Android. A public HackerOne (bug bounty) program has been opened to continuously analyze and test the implementation of the blockchain network and the mobile applications.
Additionally, tools provided by Comodo/HackerGuardian and Qualys SSL Labs were used to conduct vulnerability scans and SSL testing. See more under “Security Audit”.
Organizations like the NASDAQ, the World Economic Forum, the National Institute of Standards and Technology (NIST) and companies like IBM and Intel, have conducted extensive security analyses of blockchain technology. Since blockchain technology supplies the underlying security infrastructure of the Bitcoin network where billions of dollars are exchanged, it has been widely vetted. According to the New York Times, in the first quarter of 2018 venture capitalists had invested $500 million in 75 blockchain deals.
Why won’t Voatz publicly share their source code, or why won’t Voatz open-source their platform?
Like other election providers, Voatz is a for-profit company that has developed a proprietary technology, aiming to create a competitive advantage around elections accessibility, transparency and security. While we recognize this stance precludes Voatz from publicly sharing source code, we continue to submit to ongoing, independent third party security auditors, and invite the public to participate in our ongoing Community Voting Days in Boston this Fall.
Is some Voatz code available on Github?
No. The code posted on GitHub was sample code developed by an intern as part of a summer project 3 years ago. It is not actual Voatz code, nor is it used in any deployment of the current product.
What did the security audit involve?
The audit process covered a security evaluation of the various components of the Voatz platform:
The security testing performed focused on the top security flaws as reported by such organizations as OWASP, SANS, NIST, and MITRE. Leveraging proprietary methodologies, the auditors also tested for flaws outside of these lists of common and known vulnerabilities. The testing covered:
A comprehensive review of the Voatz source code was also conducted.
Who conducted the security audit?
Multiple, independent third parties are involved in conducting the security audit. A reputable pen-testing company was also engaged to conduct penetration testing on the system.
Voatz is also the 1st elections company in the world to run a public bug bounty program (for its upcoming releases) via HackerOne.
The following tools/services were additionally used for pen testing and SSL testing:
A team from the West Virginia Secretary of State office also conducted a physical office security review of the Voatz premises.
What was the outcome of the security audit?
The audit results were satisfactory with no blocking or critical issues identified. Various useful suggestions for improvement were received from the auditors and the county clerks. These improvements are in the process of being implemented over the course of the upcoming releases of the platform.
Will there be any more audits?
Yes. Security is not a destination, but an ongoing exercise due to the ever-evolving nature of threats, especially when it relates to our electoral infrastructure.
The Voatz team and our partners are fully committed to this process, and frequent re-audits will continue to be conducted, including for newer releases of the platform. Both Voatz and Hyperledger are additionally running bug bounty programs via HackerOne for all upcoming releases of the platform in order to ensure the highest quality and security for future releases of the platform.
Please see the "Resources" page for additional details regarding the ongoing bug bounty programs.
For more information on the West Virginia Pilot, see below:
For more information on blockchain, see below:
For more information on mobile security, see below:
Bug Bounty Programs (for future releases):