Years ago, Follow My Vote set out to build a cryptographically secure, end-to-end user-verifiable online election system. We eventually realized that while blockchain technology provides an excellent foundation for the back end of such a system, our current technologies are simply not adequate to support the full extent that is necessary to bring such a system to the world, and that new technologies will be necessary to replace some of the solutions used to create practical and functional systems today.
As we are researching and developing new platform technologies necessary to someday support the development of online voting systems, we take note of others in the industry working toward such systems, especially those also using blockchain technology.
One such company is Voatz, and today I’d like to highlight their efforts and share some thoughts about their work. Let me preface this by saying that this is just one man’s opinion and perspective. I have no affiliation with Voatz, and have not closely examined their work. My words here should be viewed merely as the casual commentary of an interested bystander.
Voatz is working on solutions for an online voting app using blockchain as a durable record of the election procedures and results. They are developing the procedures and workflows necessary to conduct an online election, creating the tools and interfaces to administer and participate in such an election, and showing the world what it could look like.
In the course of developing these procedures, Voatz ran a pilot of their app, giving voters and administrators alike a taste of what online voting could be like. Sometime thereafter, they came under fire for the security stance of their pilot system. A team of advanced security researchers at MIT wrote a paper decrying the Voatz pilot as an insecure approach to online elections and warning the public that such solutions cannot be trusted to uphold the operations of modern democracy. Shortly thereafter, security firm Trail of Bits published a report outlining vulnerabilities in Voatz’ application and infrastructure in greater detail.
These events seem to have led to a great deal of uncertainty and doubt about Voatz’ suitability as a provider of solutions in the elections space. If their pilot was so insecure, can the company be trusted to produce solutions for use in secure elections?
As one trained in the same kind of cybersecurity analysis and techniques as were employed by the research team at MIT, I would like to share my view on these events. Elections are enormously complex endeavors that require coordination of many people and organizations. This succeeds today through a variety of procedures and methods, but a transition to online voting will massively disrupt these procedures, and nobody is yet sure how that can possibly work. Voatz is helping to find ways that it can, even while the full security architecture of a final solution is still uncertain. To do this, Voatz is working with security standards well understood by the industry today, building voting system demonstrations based on the standards we might expect from existing major tech companies.
The MIT review raises legitimate concerns about the viability of Voatz’ approach for secure elections. In a sense, the MIT researchers are pointing out that while they themselves don’t know what the security architecture of a fitting solution for online elections would be, they can clearly see that the Voatz approach isn’t it. And while this may be true, it completely misses the value of Voatz’ contribution. Voatz is showing us how online elections can look, even before the full picture of how they can work comes into focus. It doesn’t exhibit the final security architecture, and it doesn’t need to: Voatz is building to the security standards we understand today to show us how the final solution could look tomorrow.
Meanwhile, the Trail of Bits report was commissioned by Voatz to evaluate the security of their pilot against the standards Voatz was aiming for, and the vulnerabilities disclosed by that report, while serious in nature, are not fundamental flaws, and should be relatively easy to fix.
In conclusion, we at Follow My Vote are grateful to Voatz for the work they are doing to further the conversation on how online voting solutions may look in the future, how online elections can be orchestrated, and what it will be like to participate in them. We look forward to seeing what they produce next, even as we are researching and developing the foundations and underpinnings that will eventually enable applications to be deployed meeting the full security, privacy, and end-to-end verifiability requirements necessary to support modern political elections online.