WV’s mobile voting draws security concerns, criticism

August 10, 2018

HUNTINGTON — A groundbreaking move by West Virginia Secretary of State Mac Warner to allow overseas military members to vote using a mobile app is drawing criticism and concern from national security cybersecurity experts.

West Virginia became the first state to allow mobile voting in May by allowing active duty West Virginians overseas, including their spouses, from Harrison and Monongalia counties to vote in the primary election using a mobile app by the company Voatz. The hope is to have the program expand to all counties by November, but it will be up to the individual counties whether they utilize the program.

Warner, a U.S. Army veteran, said he knows how cumbersome it can be for overseas military members to vote, which results in low voter turnout among military members.

“Whether a soldier is without mail service in the mountains of Afghanistan or a sailor is in a submarine under the polar icecap, they deserve the opportunity to participate easily in our democracy. They should have a voice in choosing who sends them into harm’s way,” Warner said in a March press release announcing the pilot program.

Only a handful of people reportedly used the app in May. Warner’s office told cable news outlet CNN four audits of various components of the tool, including its cloud and blockchain infrastructure, revealed no problems. Those audits can be found on Voatz’s website at www.wvexperience.voatz.com.

The app uses a combination of biometrics, like thumbprints, cryptography and blockchain, to make it secure. Blockchain is a digital ledger that tracks transactions, or in this case votes, in a way that is very hard to alter thanks to peer-to-peer monitoring and the way the chain of data is configured.

Despite the technology and security audits, some national security experts are skeptical, with one telling CNN mobile voting is a “horrific idea.”

“It’s internet voting on people’s horribly secured devices, over our horrible networks, to servers that are very difficult to secure, without a physical paper record of the vote,” Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology, told the network in an email.

John Sammons, director of the digital forensics and information assurance program at Marshall University, said blockchain technology is good in theory, but he’s not sure if employing it on a large scale is feasible.

“Security is relative,” Sammons said, using the hacking of J.P. Morgan Chase and government agencies as examples of how even the top security measures can be penetrated. “It all depends on who the adversary is and how bad they want in.”

Sammons said with all the different types of phones with varying hardware and security designs, it would be easy to lose control of the app.

“It’s already a fact that one of our biggest adversaries, the Russians, have extensive cybersecurity capabilities and are interested in influencing our elections,” he said.

Sammons was encouraged, however, by Voatz and the secretary of state’s security audits.

“It’s starting in the right place, that’s for sure,” Sammons said. “But security is not static. It’s always evolving. Code will change. Hardware will change. It’s something that has to be ongoing and continuing. But it’s encouraging they have done this. At least they are moving in the right direction.”

In the end, Sammons said when considering expanding mobile voting, people have to think if the reward is worth the risk.

“If you roll this out nationwide and it’s compromised by Russia, is there a backup plan if they get inside? Is there another way to validate this?” he said. “Pilot programs like this kick the tires and enable this to be rolled out on a grander scale. At least West Virginia is stepping up to the cause.”

Follow reporter Taylor Stuck on Twitter and Facebook @TaylorStuckHD.

“Pilot programs like this kick the tires and enable this to be rolled out on a grander scale. At least West Virginia is stepping up to the cause.”

John Sammons

director of digital forensics and information assurance at Marshall University

Update hourly