The app is designed by the Voatz company, whose technology has so far been tested in West Virginia, Colorado and Utah.
“We want to be clear that all nine government pilot elections conducted so far, involving fewer than 600 voters, have been conducted safely and without reported problems,” Voatz said in the statement. “The real goal of the researchers is to deliberately end the electoral process, sow doubts about the security of our electoral infrastructure and spread fear and confusion.”
The report emerges amid growing concerns about the use of online voting apps and tools in the 2020 election following the failure of reporting tools in Iowa caucuses.
Last year, Utah County, Utah, started using Voatz for disabled and military voters based abroad. In an interview, county secretary Amelia Powers Gardner said that Voatz made more sense than the previous system, which required remote voters to send their ballots via email.
A review of Voatz’s implementation in Utah County – before the MIT report was released – revealed no problems, Gardner told CNN. Gardner said that in telephone conversations with MIT researchers, it became clear that they preferred to vote traditionally, with pen and paper. But Gardner said it is not feasible for Utahns living abroad.
“I have a legal obligation to provide our military members abroad with an electronic form of ballot,” she said, “and if that’s not it, it’s the email – which they agreed isn’t so secure.”
The researchers’ conclusions about the security risks in the app were based on a reverse-engineered version of Voatz’s Android app, which they ran in a simulated environment. According to the study, an attacker who gains control of a smartphone with the app installed could interfere with the voting process by altering ballots or discovering which candidate a voter supports.
“Which means they could stop the vote if they knew you would vote for someone they didn’t like,” Mike Specter, one of the report’s authors, told CNN.
Other electoral security experts who have reviewed the MIT document say it looks solid.
“This MIT study appears to have been carefully structured in the way the analysis was conducted,” said Andrea Matwyshyn, an electoral security expert at Penn State University.
“We already have this server available,” said Nimit Sawhney, CEO of Voatz. “It’s for our public bug reward program. Anyone who wants to sign up, test the apps over there, against the full-featured real server, can.”
The company declined to comment further.
While participating in the bug bounty program would allow researchers to verify how the Voatz app interacts with the company’s servers, the law largely prohibits researchers from testing the servers themselves, said Eric Mill, a cybersecurity expert who administered technology programs for the federal government.
“The fact that the app is talking to the server is not the same as giving permission to search for the real server,” said Mill.
Instead, the researchers reported their findings to the Department of Homeland Security (DHS), which routinely acts as a clearinghouse for election integrity information.
Voatz said Thursday that the MIT researchers should contact the company directly, despite the researchers’ concerns about how Voatz had handled previous research efforts. The company also said it has signed non-disclosure agreements that prevent it from discussing many of its previous audits, although it acknowledged that DHS had carried out its own audit.
The tension between Voatz and independent security experts isn’t surprising, Mill said. But he added that the industry trend in recent years has been towards greater disclosure and openness, not less, which makes Voatz’s reaction to the report stand out. That reaction also reflects a common misconception that greater secrecy leads to greater security, he said.
“That basic feeling of security through obscurity, that you want to release as little detail as possible to give your attacker as little information as possible, is a very common instinct for many lay people and in some cases among technologists,” Mill said. “It comes from fear and perhaps from not understanding or appreciating the role of the public in guaranteeing defense.”