On Thursday morning, The New York Times ran a story about how MIT researchers found alleged flaws in the Voatz software used to support overseas military voters from West Virginia. Voatz has had great success with mobile voting in multiple precincts around the country with no security problems. The terrible way in which the Iowa caucus vote reporting app was implemented with woefully inadequate testing and training was a rallying cry to researchers to find something wrong with Voatz. Researchers can be very helpful, but only if their approach to the research is itself beyond critique. It is not always the case.
Like many negative stories about Internet voting, the Times cited an experience with TrustTheVote software used by Washington, D.C. in 2010. The city technology team which implemented the voting system found a problem with the router which connected the voting server to the Internet. Perhaps because of time constraints, the router was replaced with a new one without setting a strong password. Protection of the voting server was limited to a default, out-of-the-box password which a high school kid could easily guess. When the voting server was turned on to the public for testing, with no security testing, researchers from the University of Michigan were able to break into the server within minutes. Rather than quickly and discreetly work with the Washington technology team to fix the problems, the researchers caused the voting system to play the University of Michigan fight song each time the voting system’s integrity failed.
Is that research? Was the goal to help advance Internet voting for the benefit of the millions of voters who are disenfranchised by our 150-year-old system, or was it to gain notoriety and bragging rights by taking down a poorly implemented voting server?
In the case of the MIT researchers and Voatz, there is much to question about their “research” approach. Suppose Apple found some bugs in release 10.0 of its software which they fixed in release 10.1. Suppose researchers decided to evaluate Apple’s software and, to do so, they elected to test release 10.0, and then reported the bugs Apple had already fixed. Is that helpful research? In the case of Voatz mobile Internet voting software, the MIT researchers analyzed an Android version of the Voatz app that was at least 27 versions old. The software they reported on was never used in an election. The researchers did not have access to the Voatz server, so they created one which they believed would work like the Voatz server.
Research? Had the researchers taken the time, like nearly 100 other researchers who evaluated Voatz software, to test and verify their claims using the latest version of the Voatz platform, the outcome of the research would have been quite different. The MIT researchers did not inform Voatz of their testing nor offer to collaborate for the benefit of disenfranchised voters. Instead, they chose to remain anonymous and seek media attention around their findings.
The leadership of the Democratic caucus did a terrible disservice to American democracy. With people already skeptical of Internet voting, the experts are now piling on saying “See, we told you so. Don’t even consider Internet voting”. The anti-Internet voting activists do not seem to be interested in the 100 million people in 2016 who could have voted but did not.
West Virginia has not received much press coverage on the great leadership it has provided in this area. The state wants to make it easy for military and disabled citizens to vote wherever they may be. Rather than roll it out at the last minute with no testing, West Virginia worked with Voatz to thoroughly test the mobile voting system. Voter satisfaction with Voatz Internet voting was high, and the vote was accurate and secure.
Voatz has been very progressive and open in their testing approach. They established a public bug bounty program two years ago. Nearly 100 researchers helped the company find bugs. They were paid a bounty for bugs they found. The MIT researchers could have joined the public bug bounty program. Instead, they chose a sneaky approach and tested out-of-date software and gave the results to The New York Times.
America has the best researchers in the world. They can help make Internet voting a great success which would strengthen our democracy. The goal should be enabling people to vote conveniently, securely, privately, accurately, and with verifiability. This can be done as Voatz has demonstrated. Come on researchers, let’s collaborate to make it even better.
Disclosure: I am not an investor in Voatz or any other Internet voting company. I do not receive any fees of any kind for what I say or write about Internet voting.