Microsoft bets on ElectionGuard SDK to fortify election security Microsoft deepfake software combats election propaganda

Experts say mobile voting tech isn't the answer to COVID-19

Despite the mounting need for another alternative to in-person voting amid the COVID-19 pandemic, experts say mobile and online voting is just not ready for the general public.

Despite a need for alternatives to in-person voting during the COVID-19 pandemic, experts say mobile voting will not be ready for this year's general election.

Nearly a dozen pilot programs for mobile voting apps and internet voting portals have been launched across the U.S. in the last few years. And that was prior to the coronavirus pandemic, which postponed some state and primary elections this spring and caused concern over the safety of potentially crowded polling locations.

"It's pretty obvious that the coronavirus is making it difficult to have our standard election. That's having an even bigger impact in urban centers where voting lines can already last for hours and be quite packed. And people are looking for other ways we can have the constitutionally mandated vote without putting people at risk," said Jim Hendler, artificial intelligence researcher at Rensselaer Polytechnic Institute as well as a fellow at the Association for Computing Machinery (ACM).

Other ways can include mail-in and absentee ballots, but there's also the matter of mobile phone-based online voting, which has been demonstrated in various pilots across the country to varying degrees of success. In most cases, small elections that utilized mobile voting options went by without any noteworthy issues.

But mobile voting technology has come under new scrutiny this year as the infosec community has warned of vulnerable code, insufficient security controls and a lack of proper vetting and testing, which would make such apps ideal targets for threat actors.

I think there are a lot of challenges and I think mail-in ballots are absolutely the best thing we can utilize right now in a pandemic.
Tony ColeCTO, Attivo Networks

On paper, it might seem like COVID-19 has created the ideal opportunity to introduce online voting options that utilize the millions of mobile phones and tablets in U.S. voters' hands. However, there are still questions of whether the country is ready to utilize mobile voting at scale and whether the technology is secure enough. The answers received from experts who we discussed the matter with were consistent: Not yet.

The current state of mobile voting

There are a number of mobile voting vendors on the market, including Voatz Inc., Scytl Secure Electronic Voting and Democracy Live, and pilots have been carried out in states, cities and counties across the country, including King County, Wash.; Jackson County, Ore.; Utah County, Utah; Denver; West Virginia; and more.

Prior to the pandemic, proponents of mobile and online voting pitched the technology as an aid to certain voter demographics that traditionally had difficulties reaching the polls or filling out ballots.

While mail-in voting was frequently discussed as the best remote voting option, it's not a perfect replacement for in-person voting, said Sheila Nix, political strategist and president of Tusk Philanthropies. Nix works with the Mobile Voting Project, a nonprofit organization created by Tusk Philanthropies that teams up with mobile voting vendors to run pilots and push mobile voting into the future. Nix9 cited two groups that struggle with mail-in voting: deployed military personnel (as well as their families) and people with disabilities.

Some advocates for mobile voting see it as one more of an option for voting rather than an outright replacement to traditional voting formats. "It seems to me that we need to have a combination of expansion of vote by mail and mobile voting for those who need it most," Nix added.

Hilary Braseth, chief of staff at mobile voting company Voatz, agreed with this, saying that it's one more option, not a replacement. 

"We have to be looking to the ways that technology can be safely and responsibly integrated into our infrastructure so that people have an accessible, remote option to participate in our democracy," she said.

Voatz mobile voting app
Voatz's mobile app allows users to cast votes on digital ballots, though MIT researchers found the technology had several vulnerabilities and security weaknesses.

But efforts to advance mobile voting appear to have stalled somewhat recently. In February, a team of researchers from the Massachusetts Institute of Technology (MIT) published a technical paper that found several vulnerabilities and security weaknesses in Voatz's app that could be exploited to block and even change votes, and also cast doubt on its purported use of blockchain (Voatz disputed the allegation). Voatz executives acknowledged some of the security issues but blasted the MIT research team for not using the company's bug bounty program hosted by HackerOne and claimed the researchers were trying to spread fear and confusion through the media and "deliberately disrupt the election process."

However, many security researchers criticized Voatz's response to the MIT report and its interactions with the researchers. Later, HackerOne cut ties with the mobile app vendor, citing Voatz's history of confrontations with the research community, and West Virginia announced it had discontinued its pilot program with Voatz.

The episode brought the infosec community's concerns with mobile and internet voting to the forefront, and many experts have cautioned against efforts to ramp up the technology for elections this year to alleviate the strain caused by COVID-19.

Tony Cole, CTO of threat detection vendor Attivo Networks, said deploying mobile or online voting platforms poses enormous risk in light of recent attacks on election systems from Russian state-sponsored hackers.

"I think if we continue down this path of mobile voting, we're going to have significant issues if we have any large effort for mobile voting in any state. We have adversaries already that are focused on disrupting our infrastructure for voting," Cole said. "There are things they could do to the critical infrastructure to disrupt mobile voting. I think there are a lot of challenges and I think mail-in ballots are absolutely the best thing we can utilize right now in a pandemic."

Bill Harrod, federal CTO at endpoint security vendor MobileIron, agreed. "No, we're not ready for mobile voting. Are we close? It's hard to say."

Challenges associated with mobile voting

Hendler pointed out three major issues with voting via mobile devices as the process exists today: the threat of hacking; the idea that newly deployed code "always has problems;" and that while there are many apps people can use for online transactions like banking and commerce, large amounts of money have been put into those systems -- and haven't yet been put into online voting technologies.

"We really don't have the cyber-responsiveness we need," Hendler said. "If we had a federalized voting system that could be deployed at scale, it's conceivable you could get something worked out."

In the case of newly deployed code always having problems, Hendler and others pointed to the Iowa caucuses, where an app that was used to just tally votes (which is not a voting app but has impacted the mobile voting industry's reputation as a whole) had significant issues due to a "coding issue," according to Iowa Democratic Party chairman Troy Price, which delayed results.

Harrod pointed to self-validation as a potential challenge associated with mobile voting.

"Going to a website to cast a ballot is still really fraught with risk. And I don't think that's the way that we'll eventually have electronic voting. Whether it be that I fill out a paper form and take a picture of it and send it in, I need a way to be able to validate for myself that what I intended to vote for is what is actually there and that that's what's transmitted and counted. And so, voting on the device and then having some sort of record of how the votes are aggregated and counted needs to be a part of the equation for moving [toward being] able to vote by mobile device."

There are other concerns beyond not having paper ballots or receipts. Kunal Anand, CTO of web application firewall maker Imperva, added that not being able to see votes being cast is why many people distrust mobile voting.

"It's something that, once done, it isn't necessarily auditable," Anand said. "And I think what's really interesting is it's not like we don't have the technology to do this. We have the technological pieces to solve these technical problems. We just haven't put them together yet. And we haven't done a good job of evangelizing it and doing it at scale."

We are of the belief that we have to roll this technology out in step-by-step, responsible ways.
Hilary BrasethChief of staff, Voatz

Braseth pointed out that security is only one side of the election equation that needs to be figured out.

"It is inadequate for us to only be talking about election security," she said. "Election security is incredibly important, but we have to pair that with election resilience and we have to aim as a structure for resilience. Because in situations like a pandemic or a natural disaster, if our infrastructure cannot accommodate a reality where it is safe to show up to a polling place, the result could be catastrophic for our society."

For now, Hendler said, the best approach for remote voting is mail-in paper ballots rather than digital solutions.

"In my viewpoint, the current state of mobile voting is that we are not ready to deploy it at scale, that it has significant technical and socio-technical aspects, particularly cybersecurity, that we need to worry about, and that there are alternatives. Mail-in, we [at ACM] believe, is a clearly preferred technique," he said.

If not November, then when?

Even Voatz, arguably the most well-known mobile voting startup, doesn't believe the technology is ready for widespread deployment this year.

"I don't think it is a realistic probability, at least, this calendar year," Braseth said. "It would be irresponsible for us to scale this nationwide before November. We are of the belief that we have to roll this technology out in step-by-step, responsible ways."

While Nix seconded that mobile voting is likely not a one-year project, she expressed frustration with the security community saying that some are against mobile voting without having an active desire in "here's how it can be made better."

"I don't get the sense that some of the security advocates are really interested in solving the long-term problem of voter turnout and they're solely focused on the narrow security piece," she said. "I think we really need to do both if we're going to have a less polarized democracy than we do now."

We asked four of the interviewed parties for a timeline of when they think mobile voting will be ready for a general election. Estimates ranged from an optimistic four years to Cole's estimate of "at least a decade."

Hendler came out strongly against the use of mobile voting options in the short term, saying on behalf of ACM that, "We are working hard as an organization to get the word out to states, counties, municipalities that are thinking of using these things to say that this is dangerous, this has threat to our democracy; we really hope it won't be used."

That said, when asked what it would take for mobile voting to become the dominant form of voting, he answered, "What would it take? The answer is a miracle."

Dig Deeper on Security operations and management