At the beginning of October, a story released by CNN claimed that a student affiliated with the University of Michigan attempted to hack into West Virginia’s blockchain-based voting system called Voatz. As per the report, the FBI is now actively investigating the matter and is looking to authenticate the veracity of these claims.
Voatz is a smartphone-based app that was used by the West Virginia government last year to collect ballots from its citizens that were either living overseas at the time or were stationed abroad for military purposes. The aforementioned disclosure was made by West Virginia Secretary of State Mac Warner, who claimed to have identified certain activity that he believes was geared toward gaining illegal access into the voting app’s mainframe operational module. In this regard, the Voatz app makes use of a plethora of personal ID-verification layers, such as facial recognition, thumbprints and voter-verified ballot receipts.
As a result of these developments, Warner recently went into damage control mode and stated that all of the digital safeguards (that had been created for the Voatz app) had worked as designed and that no votes had been altered, impacted, viewed or in any way tampered with.
However, to better understand the frailties of blockchain-based voting systems, CryptoX reached out to Barry Gitarts, one of the implementing developers of the voting decentralized application (DApp) for the Status network. He said that it has recently become popular to attempt to implement quadratic-based voting, even though it has some flaws:
“The biggest unsolved issue with these types of votes is that in order for the vote to not be prone to manipulation there has be to identity tied to the voters, otherwise some voters can get a disproportionate amount of voting power by splitting their tokens among multiple addresses and voting with them.”
Another interesting point of view was put forth by John Lloyd, the chief technology officer for cybersecurity firm Casaba Security. In his opinion, the question is not really about the reliability of blockchain-based voting systems in general but rather the transparency of the Voatz app itself. CryptoX spoke with Ivan Ivanitskiy, chief analytics officer at software solution firm SmartDec, who said in an email conversation:
“The very fact that the developer of the system cannot publicly prove that no vote was stolen (if this is the case) means that the whole idea of using blockchain is flawed. The killing feature of a blockchain for voting is publicity: in a correctly built system, anyone should be able to check that the results were calculated correctly.”
Lloyd told CryptoX that a number of researchers have found abnormalities with the program and that the company responsible for running the platform has not shared any of Voatz’s attestation documents or audit summaries publicly. He further pointed out that the Voatz blockchain is essentially a private hyperledger network that has less than 10 nodes — which led him to believe that the system is no more useful than a traditional database. Lloyd then went on to add:
“A blockchain running only provisioned nodes still needs those nodes to be exposed to the internet for people to vote. People attempting to compromise public facing applications is routine for any web application. The FBI is involved because of the target. You can’t ‘change votes’ after the fact. The target would have to be the voter’s mobile phone and then only when they have authenticated and are ready to vote.”
Ivanitskiy also mentioned that this past September, a blockchain voting system was used for the city of Moscow’s parliamentary election. The results statistically differed from the in-person voting count, which meant that the overall result was a bit distorted. Ivanitskiy then added:
“The blockchain part worked well, the problem was in the identification part. Blockchain is great for voting; however, identification is a complicated problem. We should not use any electronic voting system unless we are sure that identification works correctly.”
Blockchain in voting systems
It is important to distinguish between blockchain technology and the applications that make use of this framework. Simply put, blockchain allows for the creation of a datastore that is tamper-evident, and by distributing multiple copies of this tamper-evident datastore, the information automatically becomes highly resistant to the nefarious activities of third-party individuals.
Related: Will Blockchain Stop Personal Data Leaks?
This is because if one copy of the datastore is altered (in any shape or form), the change immediately becomes visible to all of the other participants of the network. Not only that, once an alteration is detected, it can be overwritten with one of the many copies that are not corrupted to bring the information back to its original state. To further elaborate on the subject, Jeff Stollman, a principal consultant at Rocky Mountain Technical Marketing, provided CryptoX with some insights:
“The problem with blockchain voting is the front-end application that manages the new data that is added to the blockchain. Blockchain technology does not stop someone from hacking the front-end application and altering the data (e.g., votes) before it is added to the blockchain. For example, it a fraudster is able to impersonate a legitimate voter (because he has stolen the voter’s credentials), he can vote in place of the legitimate voter. This has nothing to do with the blockchain.”
In relation to Voatz, since there has been no solid evidence to prove that the infiltration attempt in question was successful, it might be safe to assume that the hacker was seeking to access certain areas of data input associated with the app rather than the blockchain itself.
Additionally, since Voatz reportedly makes use of a permissioned blockchain consisting of a relatively small number of verifying nodes rather than a permissionless ecosystem, John Wagster — the co-chair of blockchain legal team Frost Brown Todd — believes the latter would be better suited for voting-related activities, as each transaction would need to be verified by a larger number of participants, adding that:
“No system is fool-proof, but the security in the Voatz application seems to have held up nicely even though it was designed for a permissioned blockchain. This looks more like an attempted break in than an actual break in.”
Was the Voatz incident a one-off thing?
A pertinent question that is bound to arise as a result of the aforementioned incident is whether or not more blockchain-based voting systems could be compromised in the near future. Virtually all of the so-called hacks related to this domain are not security lapses of the blockchains. Instead, they are hacks of the data or data relays that connect to the central blockchain ecosystem. On the subject, Wagster told CryptoX:
“Voting applications are actually an excellent use case for blockchain technology because they allow transparent, verifiable interactions between non-trusting parties.”
A similar sentiment was echoed by Henry Ly, project manager at cyber security and technology company OccamSec. In a conversation with CryptoX, he said that even though blockchain-based voting systems need additional verification protocols in terms of an assessment from a security vulnerability standpoint (as is highlighted by some of the blockchain hacks that have occurred recently), incidents such as these are nothing new. Every new technology, in his view, regularly goes through infiltration bids.
Ly further pointed out that hacking attempts are a daily occurrence on blockchain apps, but that doesn’t mean that such offerings don’t possess any long-term promise. He went on to add:
“Its highly impossible to build ‘foolproof systems.’ Given enough time and resources everything and anything can be broken into. Electronic voting and blockchain voting has a lot of problems but it holds some promise.”
Government-related blockchain use cases continue to increase
Even though critics continue to harp on the vulnerabilities related to blockchain tech, its global use cases continue to grow steadily. For example, Æternity, a decentralized application-focused blockchain venture, recently entered into an agreement with the Uruguay Digital Party in order to create a new platform that will allow Uruguayans to participate in a variety of local political decisions in a transparent, decentralized manner.
Similarly, the United Kingdom’s Food Standards Agency (FSA) announced last year that it had successfully completed a pilot program using blockchain to track the distribution of meat within the region.
Related: US Moves Closer to Accepting Blockchain, Still Uncertain Over Crypto
In the United States, a total of 18 states have, in some form or another, introduced legislation related to blockchain technology. Nine such bills have already become laws — for example, people living in Tennessee are allowed to use blockchain technology and smart contracts to facilitate their electronic transactions. In the same vein, a recent Wyoming law allows corporate entities to make use of blockchain to maintain their internal records.