
The chaos in the Iowa Caucus is likely to delay mobile voting

MIT researchers say the mobile voting application tested in the US is full of vulnerabilities

While the app used to count votes in the Iowa Caucus on Monday was not a mobile voting app, it could still undermine confidence in any future attempts to implement the technology.

A coding flaw and insufficient testing of an application used to record votes Monday in the Democratic Presidential Caucus in Iowa will likely affect the advancement and acceptance of online voting.

While there have been hundreds of tests of online and mobile voting platforms in recent years, mainly in small municipal, corporate shareholder and student elections, online voting technology has not yet been tested for widespread use by the general public in national elections.

«This is one of the cases where we avoided a bullet,» said Jeremy Epstein, vice president of the Association for Computing Machinery's U.S. Technology Policy Committee (USTPC). «The Iowa Democratic Party had planned to allow voters to vote in the caucus using their phones; if this type of collapse had happened with real votes, it would have been a real disaster. In this case, there are simply delayed results and balls in front of the people who built and bought the technology.»

The vote counting application used yesterday at the Iowa Caucus was created by a small Washington provider called Shadow Inc.; the application was partially funded by a progressive nonprofit digital strategy company called Acronym. Today, Acronym sought to clarify in a tweet that it did not provide the technology for the Iowa Caucus and that it is nothing more than an investor.

Last year, the Democratic Party of Iowa (IDP) paid Shadow Inc. over $60,000 for a website that was going to upload the results of the caucus, which is exactly what it failed to do yesterday. The problem with the Shadow application was attributed to a «coding error» that has since been fixed, IDP said in a statement. The results of the caucus were to be published later today, according to IDP.

IDP said it had established «with certainty» that the basic data collected through the application was accurate and robust, but that it was only partially reported.

«We have every indication that our systems were secure and that there was no intrusion into cybersecurity. In preparing for the meetings, our systems have been tested by independent cybersecurity consultants,» Iowa Democratic Party President Troy Price said in a statement.

Shadow Inc. apologized for the failure in a series of tweets.

The Nevada Democratic Party, which had planned to use the Shadow app, said in a statement today that it was abandoning it.

As the desire to increase voter turnout remains strong and the number of online voting pilot projects is growing in the US and abroad, some security experts warn that any internet-based electoral system is open to attack, regardless of basic infrastructure.

«There is another nail in the coffin of internet voting. If a provider can’t come up with a relatively simple application like this, what are the chances that they can get a much more complicated voting system, right?» said Epstein. «Voting systems require the precise identification of voters and the secret maintenance of the ballot, while protecting against malware on voters’ phones and attacks on servers, and everything else this system needs to do is capture some values and send them to a server, which had to be protected from attacks. I hope that the people responsible for selecting this application will learn a lesson.»

Others believe the fallout from the Iowa Caucus disaster will dissipate if «good enforcement is applied» and can be used to vote effectively, according to Jack Gold, chief analyst at J.Gold Associates.

«I have to believe that this was never tested in a real world setting before it was used in caucuses, otherwise it would have known about the problems in the application,» Gold said. «Was he in a hurry? Didn’t they go to a competent application builder? Did they specify the application incorrectly? Did the user interface really work? There are many questions that need to be answered in this regard.»

«Will this have a long-term negative effect? Probably. Advertising in this area will cast some doubt on public confidence in mobile voting.»

While mobile or online voting applications promise to open the ballot box to absentee voters and make voting more accessible in general, security concerns have been front of mind for election officials since Russia’s intervention in the race.

Tusk Philanthropies, a nonprofit organization that promotes mobile voting and has funded previous projects supported by two vendor platforms, reacted today to an IDG video about online voting, saying their providers’ technology has been tested and used successfully in hundreds of elections.

«It is disappointing to see an election company implementing something so random in such a significant election,» the company said in a statement. «We know how important it is to test new technologies and train officials, which is why our salespeople do everything they can … to ensure a smooth and successful choice. We started this work to increase the number of people voting in elections. Americans, because we believe that low turnout is the biggest threat to our democracy …»

«As far as we know, the application used in the IA Democratic Caucus was new, untested and secretly created,» Tusk continued. «This could not be in starker contrast to the eight drivers we completed in a transparent, safe and secure manner.»

Tusk Philanthropies has been an advocate for the Voatz and Democracy Live mobile voting applications, which are currently used in the election of a Seattle Board of Supervisors.

Tusk Philanthropies wanted to «clarify» that Shadow Inc. is not «actually a mobile voting option or application».

«There will be many calls for us to return to the ballot paper today, but we must not forget that the ballot papers have brought us clogs and the war in Iraq. Or that insecure voting machines are also vulnerable to hacking,» a Tusk Philanthropies spokesman said in an email. «We need to stop relying on outdated voting approaches, such as gym meetings or getting people to gather around a pile of voting machines in the school basement.»

Critics of online or mobile voting, including security experts, believe it opens up the possibility of server penetration attacks, client device malware, denial of service attacks and other disruptions, all associated with infecting voters’ computers with malware or infecting the computers in the polling stations that manage and count the ballots.

The problem with online voting is not that it is more or less secure than current voting systems; it’s more about public perception and how it can affect turnout, according to Julie Wise, Seattle’s election director for King County.

«I don’t think they’re ready for that,» Wise said in an interview last week. «The most important thing for conducting elections as an administrator is the trust of voters and trust in the electoral system. There is an understandable concern about electoral security and piracy on the Internet.»

Atif Ghauri, leader in cybersecurity practices and director of global consulting for Mazars USA, said the ubiquity of mobile devices has created a new massive frontier for cyber threats on mobile applications from Shadow Inc. and from any other mobile application provider.

«The public’s concern is certainly justified, because mobile applications expose not only software threats, but also location-based threats based on the physical location of the device. Knowing the specific GPS coordinates adds another dimension to the attack,» said Ghauri by e-mail. «The use of mobile devices by those who are less skilled or more technology-conscious also increases the likelihood of an attack.»

There are strategies that mobile voting providers and public officials can adopt to alleviate public concerns. First, Ghauri said, is the use of multi-factor authentication that combines biometric recognition, such as face or fingerprint, with a user password, all of which reduce the possibility of security threats. Using a blockchain registry for transactions will substantially help the integrity of transactions, Ghauri said.

There are a small number of mobile voting platforms, including Democracy Live, Voatz, Votem, SecureVote and Scytl.

The Voatz mobile application uses the blockchain as an immutable electronic register to record the voting results.

In a blog post, Voatz said it had never heard of Shadow Inc. or its technology and quickly distanced itself from the Iowa caucus.

«And using an application to tabulate caucus votes in person is not a mobile vote,» the company argued. «Voatz is a mobile electoral platform created to ensure an accessible and safe voting method for groups that otherwise struggle with the voting options currently available (for example, foreign nationals, seconded military and voters with disabilities). We are in the industry for [five] years and I made more than 50 safe choices.»

Voatz said it is working with the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA) and other independent third parties to test the security and infrastructure analysis of its application.

Democracy Live’s OmniBallot web portal does not use the blockchain as a basis for collecting and securing electronic ballots. Instead, it uses Amazon Web Services (AWS) Object Lock, which is NIST-compatible and certified under FedRAMP, a government program that provides a standardized approach to security assessment, authorization, and ongoing monitoring of cloud services.

The OmniBallot portal has run in more than 1,000 elections in the United States and has been used by 15 million voters in hundreds of jurisdictions since 2008, according to the company.

«The bottom line is that if you’re deploying a mission-critical mobile app, especially one with this public visibility, it’s a good idea to test it and make sure it works as expected and fully loaded (not just on the smartphone of someone in the office),» Gold said.