Senator Urges Cybersecurity Review of Mobile Voting App

An attempted hack of the mobile voting application used by West Virginia during the 2018 midterm elections has already spawned an FBI review, but now a prominent U.S. senator is urging a full cybersecurity audit of the technology.

Sen. Ron Wyden, an Oregon Democrat, wrote to the Department of Defense and National Security Agency last week to ask the agencies to conduct a full review of Voatz, the company behind the technology.

Voatz developed the mobile voting app to provide a way for overseas service members to cast ballots. The company said 144 West Virginians living in 31 different countries used the app to vote in the 2018 elections.

Wyden is concerned with the security risks of using the technology to cast ballots online and said Voatz has not been sufficiently transparent about its efforts to vet and safeguard the voting app.

“While Voatz claims to have hired independent experts to audit the company, its servers and its app, it has yet to publish or release the results of those audits or any other cybersecurity assessments,” Wyden wrote in the Nov. 7 letter. “In fact, Voatz won’t even identify its auditors. This level of secrecy hardly inspires confidence.”

Spokespeople from both the NSA and DOD said they are in receipt of the letter, but declined to comment further.

“We've received the letter and as with all congressional correspondence, we will respond directly to the author of the letter,” said a DOD spokeswoman. Last month, West Virginia Secretary of State Mac Turner said someone attempted unsuccessfully to hack the mobile voting system and data regarding the attempts was forwarded to the FBI. CNN later reported that the hack attempt may have been an attempt by University of Michigan students to research vulnerabilities in election security.

Responding to Wyden’s letter, Voatz issued a statement defending its cybersecurity efforts, noting that the attempted intrusion during the West Virginia election pilot was detected and stopped. The company said its app has also met the National Cybersecurity Center’s blockchain security standards and that ballot information is anonymized and encrypted.

Other local governments, including those in Colorado, Utah and Oregon, have also conducted their own pilots with the Voatz system.

Cybersecurity experts have warned against online voting systems, citing serious cybersecurity concerns. A 2018 report from the National Academy of Sciences said that at the present time, “the internet (or any network connected to the internet) should not be used for the return of marked ballots.”

Voatz said it has made open audit tools available to the public so that vote tallies can be independently verified. Denver piloted the technology this year, and Voatz said audits of the results found no issues with tabulation or ballot recording.