Two days after May’s city elections, Denver’s Elections Division held a low-profile audit of key parts of America’s most radical new voting system.
Over several weeks, 119 residents who were overseas had been using their smartphones to identify themselves and mark and submit their ballots online via blockchains, an encryption and storage method. The voters would get an emailed receipt listing their ballot choices, and later a survey asking what they thought about smartphone voting.
Denver and its technology and philanthropic partners were not just showing how they served overseas voters. They were presenting an unprecedented digital evidence trail, as there had never been a similar open audit of ballot receipts, ballot images and voting data kept on blockchains. The city was showing how far smartphone voting had come — an internet system that proponents envision millions of Americans eventually using, but one that critics maintain is inherently untrustworthy.
The demo did not resolve that divide, a debate where opponents talk past each other, level charges and present irreconcilable views. But Denver’s smartphone voting pilot offered a remarkable glimpse into where progress is and isn’t happening, what criticisms are more and less legitimate, and where smartphones may or may not fit into America’s voting repertoire.
What are we seeing?
The demo took place in an open-air atrium of a government building near the state Capitol and was broadcast live on Facebook. City officials, the mobile voting app developer Voatz, supporters from a foundation and nearby think tank sponsoring aspects of the pilot, and others, including a few critics, sat in rows facing a large monitor screen. There had not been an internet voting demo like this in the U.S. for years, where, in addition to those present, a few outsiders were given access to the same records, decrypting tools and servers to assess the internet system’s ballot-handling and accuracy.
“We will be live auditing the ballots cast through the blockchain against voter-verified digital receipts in today’s audit,” Denver Elections Deputy Director Jocelyn Bucaro said, before introducing Forrest Senti, director of business and government initiatives at the National Cybersecurity Center, a new think tank, to lead the demo. She welcomed Voatz’s team, officials from Tusk Philanthropies including its president Sheila Nix, who had been Jill Biden’s White House chief of staff, local and state election officials, and scores watching online. NCC and Tusk helped plan and fund aspects of the pilot and blockchain audit.
“We conducted this pilot for two main reasons,” Bucaro said. “One, we wanted to provide a more convenient method for our military and overseas citizen voters to cast a ballot in the election. And second, we wanted to enhance a secure return method for those voters voting from overseas. So this audit today is key to that security feature, offered through the blockchain. We’re very excited about both the transparency and auditability that a blockchain-based voting method provides.”
Senti explained that the audit had two parts. (Online slides and video also laid out the process.) In short, observers would see selected cutting-edge elements of the latest smartphone voting technology.
The monitor had three columns with different ballot records from the same voter, Senti said. The left panel was a blur — lines of 44-character code, with each line referring to a voter but masking their identity. In the center was an image of the receipt that had been emailed to the voter after they used the Voatz app to mark their ballot. The receipt looked like a regular ballot with candidates and ovals, but it only showed their votes and coded identifier. To the right was an image of their entire ballot with the encoded ID on top, and filled-in and empty ovals below. That image was what officials had received, printed, scanned and counted like the rest of the city’s ballots. These records were from the voting process’s starting and finish lines. They had to match, and, as seen, did.
“The next part of this demo is the actual blockchain record,” said Senti, who brought up a new window on the right. It was the “blockchain viewer.” This was software created by Voatz to access votes from a single ballot, which had been encrypted and stored online in separate pieces and places — the blockchain. The viewer showed more lines of scrambled letters and numbers. One paragraph had to be copied, decoded by other software in another window, and copied into yet another window, a table, where after more decoding, the names of chosen candidates or ballot question stances would appear (such as decriminalizing psilocybin mushrooms). After these complex steps, the decoded votes lined up — matching the ballots.
The demo took 22 minutes. Only a few of the 119 overseas ballots were audited. It ended with Bucaro and Senti reminding those present that they could independently take these same steps with all of the ballots if they signed up (including agreeing not to try to sabotage Voatz). No one in the audience asked questions, but those present lingered to talk about it.
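The comparison the demo walked through, run over every ballot instead of a handful, amounts to a three-way reconciliation keyed on the anonymous ID. The sketch below is an added illustration, not code from the article, Denver or Voatz; the record layout, function names and sample data are hypothetical, and it covers only the three records the demo displayed, so it says nothing about what happened on the phone before the receipt was produced.

```python
import base64
import hashlib
from collections import Counter

SOURCES = ("receipt", "chain", "tabulated")


def sample_id(label):
    # Constructed sample ID. The article says only that IDs are 44 characters;
    # base64 of a SHA-256 digest is 44 characters, but that derivation is an
    # assumption made for the sample data, not a description of Voatz's IDs.
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


def normalize(selections):
    """Canonical {contest: choice}. Empty ovals are dropped, because the
    receipt lists only the votes while the ballot image shows every contest."""
    return {c.strip().lower(): v.strip().lower()
            for c, v in selections.items() if v}


def reconcile(receipts, chain, tabulated):
    """Each argument is a list of (anonymous_id, {contest: choice}) pairs.
    Returns {anonymous_id: [finding, ...]} for every ID that does not line up."""
    records = dict(zip(SOURCES, (receipts, chain, tabulated)))
    findings, indexed = {}, {}
    for name in SOURCES:
        # The same ID appearing twice in one source would mean a double count.
        for rid, n in sorted(Counter(r for r, _ in records[name]).items()):
            if n > 1:
                findings.setdefault(rid, []).append(f"{n} records in {name}")
        indexed[name] = {rid: normalize(sel) for rid, sel in records[name]}

    all_ids = set()
    for idx in indexed.values():
        all_ids.update(idx)

    for rid in sorted(all_ids):
        present = [n for n in SOURCES if rid in indexed[n]]
        for name in SOURCES:
            if name not in present:
                findings.setdefault(rid, []).append(f"missing from {name}")
        contests = set()
        for name in present:
            contests.update(indexed[name][rid])
        for contest in sorted(contests):
            seen = {n: indexed[n][rid].get(contest) for n in present}
            if len(set(seen.values())) > 1:
                detail = ", ".join(f"{n}={seen[n]}" for n in present)
                findings.setdefault(rid, []).append(
                    f"mismatch in {contest}: {detail}")
    return findings


# Constructed sample records (not real ballots).
A, B, C, D = (sample_id(f"constructed-voter-{i}") for i in range(4))
FULL = {"Mayor": "Candidate 1", "Ballot Question 1": "Yes"}
RECEIPTS = [(A, FULL), (B, {"Mayor": "Candidate 2"}), (C, FULL), (D, FULL)]
CHAIN = [(A, FULL), (B, {"Mayor": "Candidate 1"}), (C, FULL), (D, FULL)]
TABULATED = [
    (A, FULL),
    (B, {"Mayor": "Candidate 2", "Ballot Question 1": None}),  # empty oval
    (D, FULL), (D, FULL),                                      # counted twice
]                                                              # C never arrived

if __name__ == "__main__":
    for rid, problems in reconcile(RECEIPTS, CHAIN, TABULATED).items():
        print(rid, problems)
```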
Though everyone was polite, differing perspectives emerged.
Bucaro, a focused and intense young woman, was asked how this process provided assurance. In elections, there is the notion that all forms of voting have some level of risk. Why was this good enough?
“We’re verifying several things here,” she said. “We’re verifying that from the voter’s device, to the chain, there was no malfeasance — there was no interruption of, or disruption to, the data. We’re ensuring that the data extracted from the blockchain is accurate. And we’re ensuring that the data was tabulated correctly in our tabulation system. We’re verifying every point of entry and every potential risk area that we have the ability to do, which is certainly more than through other traditional [audit] methods.”
That last comment was intriguing. Colorado was a national pioneer in voting by mail. When asked if the app and blockchain method was more traceable than the vote-by-mail system—where officials lose track of a voter’s ballot once it is removed from an envelope (after a signature on the outside has been vetted), or its practice of sending and receiving ballots by email to the overseas voters — Bucaro did not hesitate.
“Yes,” she quickly replied. “It gives us more data points where we can test and ensure that things happened correctly.”
But not everybody present saw the demo so enthusiastically.
“It utterly failed to produce any confidence in the accuracy or relevance even of the data we were being shown — clearly all images,” said Harvie Branscomb, a longtime Colorado election integrity activist who, like many opponents of electronic voting, believes that there is no substitute for hand-marked paper ballots as the basis for verifiable election results.
“There was hardly any reference to how you would use that data to find a piece of paper that was supposedly behind it,” he said. “In the case of the presumably voter-verified data, that stuff was probably never on paper.”
Branscomb, a semi-retired computer-marketing consultant with a graying ponytail who has spent years on improving audits and is highly regarded in activist circles, was as articulate and adamant as Bucaro.
“We are not going to call this an audit at all, because our understanding of an audit is that you look at the paper that was voter-verified, and that doesn’t exist in this particular model,” he said. “The process that they proposed for doing what I’d call the review was preposterously complex… if someone on the inside actually wanted to make changes, obviously they’d have plenty of ways to interfere where I would be seeing false or twisted election data and not know it. Where is the auditability in that? I don’t know.”
The schism and challenge
These contradictory views reflect an old but enduring schism about voting technology in America. One side favors computerized tools like the Voatz app to create ballots, record votes and tabulate results. The other favors handmade ink marks on paper and distrusts any layer of technology that stands between those marks and the vote count. (Those favoring a mix of the best uses of paper and software tend to be distrusted by these factions.)
Seen loosely, this is a clash between proven 20th and emerging 21st century technologies — and innovation’s role at the heart of voting. Hovering above this landscape is a more nuanced question applicable to all voting systems. Does it have an observable evidence trail legitimizing the results? In other words, can it show that voting has neither been disrupted nor corrupted?
These questions are not easily answered. That is because voting systems rely on a mix of paper records and digital processing — sometimes seen and other times not visible. Many voters don’t realize that people almost never count hand-marked paper ballots — computers do. For efficiency, speed and, many contend, greater accuracy, optical scanners are used. Such scanners utilize image-based software. Scanners create and analyze digital images of each ballot and their votes. That data is fed into the process’s tabulation stage.
Today’s highest-profile controversies in voting technology concern new systems that replace hand-marked paper with a computer-generated record. The manufactured ballot is controversially called a paper-based system by vendors, because it is printed for voters to check before they finish. It is unclear how many voters actually do that. The deepest divide is the ballot itself. Should it be hand-marked paper or a digital equivalent?
Seen against this backdrop, Voatz’s smartphone mobile voting app is the most radical new voting system in America. Its features are a microcosm of the most contentious elements in today’s systems — including what many jurisdictions are acquiring before 2020 (digitized ballot-marking devices), and what Democrats may use in 2020 presidential caucus states for voters who are not physically present (a telephone-keyed system in Iowa, for example, and possibly another online system in Nevada).
West Virginia was first to pilot Voatz’s app for overseas voters. But Denver was first to open up the blockchain piece to quasi-public review — the city’s audit demo. The other part of Voatz’s app, using a smartphone’s camera and its biometric sensors to authenticate voters, ensuring they are a real person (and not an avatar or fake computerized persona), was not open to review.
That absence of wider scrutiny has angered internet voting opponents from computer science circles. Several gave Branscomb a recently written paper with 75-plus technical, operational and data privacy questions for Voatz, which he dutifully distributed at the blockchain audit in Denver. These critics want Voatz to give its software code to hackers to attack, a kind of testing that has led to online systems being suspended. Switzerland is the latest example.
“This is a totally closed and close-mouthed system and company. And it’s just another internet voting system, however they wish to dress it up with a blockchain,” said David Jefferson, a cybersecurity expert, board member of Verified Voting, an anti-electronic voting advocacy group, and co-author of that paper, speaking of Voatz and Denver’s pilot before the demo.
“They’re using terms that the security community means in a very specific way, and they’re faking it,” he said, referring to assertions that Voatz could verify ballots as they transited from smartphones to government election offices. “Their auditability is not end to end, or rather, it is — if you get to pick the ends, you can always achieve end-to-end auditability.”
The bottom line from opponents like Jefferson comes down to a few key thresholds — questions that apply to any computerized voting system.
Can what a voter sees on a computer screen be trusted? Can an electronic representation, or a printout of their ballot and its choices, be trusted? Can threats lurk below what is seen, submerged in a sea of computer code, which can bypass what voters and officials see, but nonetheless corrupt what the tabulation stage presents as the unofficial results? (Results become official weeks later after a so-called canvass period and occasional recounts.)
What matters most
Online voting opponents and proponents offer starkly different answers and narratives. Critics say it is possible, though not always provable, that any software, and thus election results, can be corrupted. They contend that Voatz must show that their software and system have not been breached.
“All of the security vulnerabilities of an online voting system affect ballots before they even get to the blockchain, while they are in the device that is creating them, or while they are in transit, or they affect authentication and authorization,” said Jefferson. “It’s evidence that matters, evidence without holes. I’ve got to repeat myself — evidence without holes.”
“This is really black box observation,” said Duncan Buell, a University of South Carolina computer science and engineering professor and co-author of the paper with 75-plus questions for Voatz. “We are seeing some things that allegedly got put in, and we are seeing some things that are being taken out. But a lot of the negative opinion coming from people like me and David Jefferson is because Voatz is not really telling anybody what they are doing. They’re burying all this in software that they’re not letting anyone look at.”
But Voatz’s Senior Vice President Larry Moore rejected these assertions, starting with the assumption that something could be invisibly lurking in its software that could present vote summaries and matching ballots to voters and to officials, on one hand, while secretly altering results on the other.
“Hold on,” said Moore, a broad-shouldered longtime technology executive who is patient but bullish, standing on the demo’s sidelines. Before joining Voatz this winter, he was the founder and CEO of Clear Ballot, the nation’s most precise election audit system, which analyzes digital images of every ballot to account for every vote cast — or find ambiguous marks to review.
Moore talks like an engineer, meaning he methodically works through the steps in a process and the decision points, which he did to respond to the accusations by Jefferson, Buell and their allies.
“A guy gets an email and it has what the system believes he has voted,” Moore continued. “He can dispute that. First of all, before he even casts it, he can look at the receipt as it is on the screen. I would agree that is insufficient. But if he’s able to print out an email and say that’s who he intends to vote for, and then set that aside, and then several days later look at a bulletin board that has the same votes and the same 44-character anonymous ID, and then see that it is being cast by the primary voting system, tell me how this thread gets cut? Forget, for a second, what lies in between. Just say, I’ve got something over here. Something shows up over there, and it’s identical.”
This reporter recounted what cybersecurity critics were contending: that something could burrow into subterranean elements of Voatz’s software and present one set of votes on a voter’s screen but another in the tabulation.
“Let’s just call that magic,” Moore dryly replied. “Given the existence of magic, I suppose that might be true. But in the real world, tell me how that actually could happen? Where I see something over here and something over there, 10,000 miles away, shows up with the same ID that I’ve got, and the jurisdiction has that in their possession, and it matches.”
This reporter countered that critics say that it is up to Voatz to prove that their software code has not been corrupted.
“No. No. No. You cannot prove a negative,” he replied. “We can prove a positive — that it did happen.” (The ballot, votes and data lined up.)
Bucaro had a similar reply when presented with the same line of criticism.
“What part of this audit process are we missing?” she asked. “What are we not testing — because we are testing the point from the phone to the blockchain, and [from] the blockchain to the ballot, and [from] the ballot to the tabulation system. If we don’t detect anything amiss at any of these points of entry or exit, what more do we need to do?”
Bucaro also dismissed the theoretical hacking scenario as unfairly vague, if not conspiratorial.
“Until we know what further questions to ask, we will continue to ask what questions we know,” she said.
What’s under the hood?
Where is one left amid such irreconcilable views? One can still look at what is, and pointedly, is not, presented by any voting system and vendor, starting with the evidence trail tracing voter intent and ending with counting votes. One can also look at who is promoting new technology and their motives, including who is and is not participating in its development and testing. Nuances and revelations will surface and allow for new judgments.
The sideline talk following the Denver demo included some of the most revealing details yet about what Voatz was doing and where smartphone voting could be headed, why Voatz has not fully responded to critics who want them to open up their software so hackers can attack it, and the wider cybersecurity debate surrounding the country’s voting systems.
For example, when presented with a new twist on the contention that Voatz could not know if its app software code had been attacked, because, as one recently retired longtime voting official said before the demo, the computer security forensic science did not exist to trace that threat, Voatz CEO Nimit Sawhney said that assertion simply wasn’t true.
“Forensics to detect if any machine has been hacked into do exist,” he said. “You can speak to people at NSA [the National Security Agency], DHS [the Department of Homeland Security], GCQ in England, national investigative agencies around the world. They do exist… The academics that helped to build that science do know about it, but willfully say wrong things [about smartphone voting] because they are ideologically opposed.”
Such intractable opposition is why Voatz won’t open its entire system to independent review, said Nix, president of Tusk Philanthropies, which has underwritten some of the groundwork and studies surrounding Voatz’s pilots (including Denver’s demo audit). Tusk’s mission is also fighting hunger.
“I talked to David [Jefferson] for an hour,” Nix said, “and at the end of it, I said, ‘If Nimit participated in DefCon [a hackers’ convention known for breaking into voting systems], and no one could break in, would you be satisfied? Would you be okay then?’ And he said no… I think what’s helpful is to hear from people who are skeptical but open-minded. But there has to be the open-minded piece.”
Skeptical and curious questions were asked in Denver, however. Branscomb, talking to Sawhney and Nix, asked why use a blockchain to transmit data.
“Those people who are claiming there’s no role for it are missing the point completely,” Sawhney, Voatz’s CEO, replied. “It’s to secure the aggregate vote, and to make sure data remains tamper-free from the time it is cast to the time that it is actually tabulated and canvassed and audited.”
Branscomb said he saw how blockchains were “basically [addressing ballot] chain of custody, but you also need the chain of custody at the beginning.”
He was referring to the stage of Voatz’s app that wasn’t shown at the demo, the smartphone user authentication. These steps involve the phone’s camera and app analyzing if government-issued IDs are real and then taking a video from which a moving image matches the ID’s headshot. Sawhney replied that the app “couldn’t create a voter of our own. The jurisdiction has to do it.”
The conversation then went to the voter-verified receipt, which Sawhney said every overseas voter in West Virginia’s pilot had checked. Branscomb asked how the contents of emailed receipts weren’t traceable to individual voters — to preserve ballot secrecy.
“That’s a good question,” Sawhney replied, first noting that the emails were encrypted as they were sent between voters and officials. But the key was Voatz had no control over the email relay between the sender and recipient, he said. “So this is how. Get two parties with no visibility to each other’s systems to legally confirm that they will never have access to that email. Plus infrastructure controls. So that solved the problem for now.”
Many states, including Colorado, have overseas voters surrender their right to secret ballots. But the issue is complex as Voatz looks beyond overseas voters, as its system must authenticate voters, tie them to their devices so nobody votes more than once, but then submit a ballot that cannot later be traced back to them — so it is a secret ballot.
“Now, whether this [current protocol] will work for millions of people voting, that remains to be seen,” Sawhney said. “It will work for a smaller group, UOCAVA [the federal law for overseas voters], and maybe for the disability community. But if millions of people vote, we will have to modify the email protocol.” He cited European methods where “nobody can read the contents of that email, even if they are relaying the email. So there are solutions there. They will increase the cost.”
Branscomb returned to the issue of personal information tracked by the app. (Critics like Jefferson raise the same question about Voatz subcontractors.) Sawhney replied that Voatz deleted what they used in 24 hours. From there the discussion took what might have been its most intriguing turn. Sawhney noted that smartphones had standard features that their app did not use, but could also help in audits, including, he said, revealing “if somebody would willfully say something to disrupt an election.”
“It’s not PII,” Sawhney told Branscomb, using shorthand for personally identifying information. “It’s anonymous sensor data. It’s not PII.”
Sawhney explained that smartphones have two-dozen sensors that track, among other things, where a user touches the screen and how hard that touch is. When that physical interaction is overlaid with a digital document, such as a ballot, there’s a record that usually can be retrieved.
“It’s digitally signed,” he said. “If you sign a different version, the system will detect it. Now let’s say you say, ‘The software did something wrong. I picked A and it chose B.’ I say, ‘Prove it.’ You come to the forensic team. Do the cure process. As long as you haven’t re-installed the OS [operating system], it’s conclusive. A forensic examiner can conclusively prove what you were saying is true or false.”
“You’re saying the app saves the forensic data?” Branscomb replied.
“Yeah, yeah,” he said. “The phone has 22-plus sensors which are recording this anonymous data, and touch pressures are very strong biometrics.”
The latest smartphones also allow users to make videos of how they are being used, which could include voting with an app. Details like these are intriguing because they suggest that the ongoing evolution of smartphones might offer more election auditing possibilities—or, conversely, pose new challenges for preserving secret ballots. But back in the circles where many officials live, there is a competing priority: a desire to deploy the simplest systems, as elections can be marred by human error and technical snafus.
Ion Sancho, who recently retired as supervisor of elections in Florida’s Leon County, and worked with Moore for years to develop Clear Ballot, said that Denver’s smartphone and blockchain audit sounded very complex — maybe too complex for the average election administrator.
“Do you have to live on that part of the digital planet? Could you live on another part of the digital planet where you have fewer requirements of technical knowledge to be able to audit the system?” he said. “If there’s a problem, it seems very difficult for a local election official to fix that problem.”
Where is this headed?
The Voatz app is not poised to storm America. It is not federally certified and may never be. It hasn’t been certified by the state of Colorado, either, but Denver was allowed to use it for its pilot because its May 7 elections were local and not for state and federal offices. Denver and West Virginia will keep using it, and Voatz may come next to South Carolina and Utah.
The segment of the electorate first targeted by Voatz is overseas civilians and members of the military. Susan Dzieduszycka-Suinat, who created the U.S. Vote Foundation 14 years ago to serve overseas voters, has been critical of Voatz and its allies for the same reasons cited by Jefferson, but also because “it gets really old being a guinea pig” for vendors who want to try out their ideas — but don’t ask what these voters may need — and seeing public officials respond too eagerly to private firms.
“This whole overreliance on vendors comes from the fact that LEOs [local election officials] have very little resources, and maybe no guidance,” she said. “Then a vendor comes in and says, ‘I have an answer, let me show it to you.’ They don’t have the ability to evaluate it, really.”
Domestically, Voatz’s next market appears to be voters with disabilities. Every polling place must have a voting station that accommodates people with such handicaps. Denver wanted to pilot that use in its May elections, Bucaro said, but modifications to the app were not ready.
“That’s something they’re working on,” she said, speaking of a nationwide population estimated at 35 million voting-age Americans. “But the next goal is to create a digital bulletin board where the voter can enter their own hash [encrypted ID] and see their own ballot, both as the data stored in the blockchain and as we tabulated it. That’s something voters are not able to do right now.”
Denver’s demo previewed that capacity, but it was not a simple interface. Stepping back, the pilot is trying to create new facts and evidence about smartphone voting that will be taken to other states. A recent San Diego Union-Tribune report said Voatz and its allies envision pilots in 25 states in coming years.
Whether or not that goal is realistic is an open question. Regardless, Denver’s pilot showed a technology and its supporters taking steps toward gaining a wider acceptance. The pilot offered some new details and data, and sought to offer assurances about smartphone voting’s accuracy, but it did so in controlled settings. The city’s team invited a handful of outsiders to review its ballot image and blockchain records, but didn’t put that invitation on its official website. On the other hand, strident critics were told about the open audit, and most chose not to participate.
Meanwhile, Voatz and its allies are pressing ahead. A day after the demo, Bucaro said the city did its own audit of the smartphone ballots — comparing the starting line and finish line records, and decrypting the blockchain in between. “Everything matched,” she said, adding that twice the number of overseas residents voted in May compared to Denver’s last local election, with half using the Voatz app. “Not only that, we collected survey results from voters who used the app. And 100 percent of them said this is how they’d prefer to vote in the future,” she said.
Comments like these are a precursor to declaring the pilot a success. But when asked if she struggled with the blockchain audit, Bucaro said, “Oh yeah. Blockchain is incredibly hard to understand if you are not a computer scientist. I had to educate myself. It is difficult to explain to the public. I think the key is—it is redundant. It’s auditable. It’s more transparent. And the added layers of redundancy and encryption make it more secure, from our perspective. So as soon as I was able to understand all that, plus the fact that that data can’t be altered once it’s been written on the blockchain, and stored in the blockchain, without detection, that was all important.”
An older generation of election officials, such as Florida’s Sancho, said such complexity “works against wider distribution” of new voting systems. That seasoned perspective suggests that Voatz has a way to go before thousands of voters, let alone millions, use it. Denver’s May pilot had 119 voters. Last November’s West Virginia pilot had 144 voters. These are small-scale test runs in contests and not high-stakes elections. But that may soon change.
In 2020, its most high-profile use may not be with overseas voters or voters with disabilities, but with state Democratic Parties in a few states conducting presidential nominating caucuses. The national party is requiring its caucus states to offer a remote participation option. Iowa, the opening caucus, will use a telephone-key based system akin to how one pays bills over the phone. But other caucus states are studying options, and some have been in contact with Voatz. Whether local broadband is reliable may be a limiting factor.
Denver’s pilot showed smartphone voting as a work in progress. It is not as perfected as boosters claim, not as fatally flawed as critics contend, and still awaiting independent testing. The city’s demo was a looking glass, a look at what may be the evolving future of voting in America. No one can say what parts of Voatz’s system or smartphones as a voting platform will endure. But Denver’s pilot epitomizes the ongoing clash between 20th and 21st century voting systems, and whether smartphones’ revolutionary technology may soon include ballots.