Arthur T Knackerbracket has found the following story:
Flaws in the blockchain app some states plan to use in the 2020 election allow bad actors to alter or cancel someone’s vote or expose their private info.
Security researchers have found key flaws in a mobile voting app that some states plan to use in the 2020 election that can allow hackers to launch both client- and server-side attacks that can easily manipulate or even delete someone’s vote, as well as prevent a reliable audit from taking place after the fact, they said.
A team of researchers at MIT released a security audit of Voatz—a blockchain app that already was used in a limited way for absentee-ballot voting in the 2018 mid-term elections—that they said bolsters the case for why internet voting is a bad idea and voting transparency is the only way to ensure legitimacy.
West Virginia was the first state to use Voatz, developed by a Boston-based company of the same name, in the mid-term election, marking the inaugural use of internet voting in a high-stakes federal election. The app primarily collected votes from absentee ballots of military service personnel stationed overseas. Other counties in Utah and Colorado also used the app last year in a limited way for municipal elections.
However, despite the company’s claim that the app has a number of security features that make it safe for such an auspicious use—including immutability via its use of a permissioned blockchain, end-to-end voting encryption, voter anonymity, device compromise detection, and a voter-verified audit trail—the MIT team found that any attacker that controls the user’s device through some very rudimentary flaws can brush aside these protections.
“We find that an attacker with root privileges on the device can disable all of Voatz’s host-based protections, and therefore stealthily control the user’s vote, expose her private ballot, and exfiltrate the user’s PIN and other data used to authenticate the server,” MIT researchers Michael A. Specter, James Koppel and Daniel Weitzner wrote in their paper (PDF), “The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections.”
[...] One voting district in Washington state—Mason County—already has pulled its plans to use Voatz in November, according to the New York Times, while West Virginia is moving ahead with its plans to expand Voatz use to disabled voters, the paper reported.
(Score: 3, Insightful) by FatPhil on Monday February 17 2020, @01:33AM (3 children)
At least one of these must fail to hold:
1) you can verify your vote is on the record
2) you can verify your vote was counted for the right party
3) your vote is anonymous
Paper votes preserve anonymity, and the literal paper trail can be observed end to end. ("My vote is in the box that arrived at the counting office" + "the count can be verified" provide (2) above.)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by sjames on Monday February 17 2020, @02:14AM (2 children)
I can think of ways to make those requirements hold, but they would require an unrealistic level of technical sophistication on the voter's part.
(Score: 2) by dry on Monday February 17 2020, @06:10AM (1 child)
4) the voters have to trust the voting procedure.
This may be the most important. Pen and paper along with ballot boxes you can observe and an open count are easy to trust, even for the most non-technical, whereas any blackbox, even one that worked perfectly, is still a blackbox.
(Score: 2) by FatPhil on Tuesday February 18 2020, @11:38AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves