Google, Twitter, Facebook and the Sand Hill Road VCs in Palo Alto are so extremist and so desperate to control the U.S. Treasury that they will stop at nothing to manipulate elections
Voatz, an online election app increasingly popular in the United States, is riddled with serious security vulnerabilities, according to a new study from researchers at MIT. They conclude that hackers who strike the Voatz app can potentially alter, stop, or expose individual votes.
The news comes just weeks after a hastily made app fell apart during the Democratic Party’s Iowa caucus, a high-profile failure that put a spotlight on how faulty technology can undermine democratic processes.
“We all have an interest in increasing access to the ballot, but in order to maintain trust in our elections system, we must assure that voting systems meet the high technical and operation security standards before they are put in the field,” said Daniel Weitzner, a principal research scientist at MIT’s Computer Science and Artificial Intelligence Lab, who guided the research. “We cannot experiment on our democracy.”
Get out the Voatz: Voatz has already been used as a pilot program in federal elections, most recently the 2018 midterm elections in West Virginia as well as previous ballots in Denver, Oregon, and Utah. Around 600 voters were involved, according to the company. Thousands more are set to use the app this year.
Sticks and stones: In response to the study, the company that produced Voatz accused the researchers of faulty analysis, “untested claims,” and “bad faith recommendations.”
In a lengthy statement, the company said the cybersecurity researchers were aiming primarily for media attention and claimed that they seek to “disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.”
In fact, the researchers took their findings to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency in January, which led DHS to hold private briefings for election officials using Voatz.
“We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,” the company said in a statement. “Pilot programs like ours are invaluable.”
Expert view: “The consensus of security experts is that running a secure election over the internet is not possible today,” said James Koppel, one of the MIT researchers. “The reasoning is that weaknesses anywhere in a large chain can give an adversary undue influence over an election, and today’s software is shaky enough that the existence of unknown exploitable flaws is too great a risk to take.”
A landmark 2018 report from the National Academies of Sciences concluded that online voting systems should not be used until they can be verified as trusted and secure.
“The choice here is not about turnout,” the report said, “but about an adversary controlling the election result and a loss of voter privacy.”
WASHINGTON — While the Democratic National Committee over the past 10 days has tried to distance itself from the troubled app that threw the results of the Iowa caucuses into disarray, a copy of the contract and internal correspondence provided to Yahoo News demonstrates that national party officials had extensive oversight over the development of the technology.
The Democrats’ Iowa caucuses took place on Feb. 3, but the outcome is still in question following a series of issues related to the failure of an app that was supposed to be used to submit results. In the days since the debacle, DNC Chair Tom Perez has criticized the Iowa Democratic Party, which ran the caucuses, and the developer of the app, Shadow Inc.
An unaffiliated Democratic operative in Iowa provided Yahoo News with a copy of the contract between Shadow and the Iowa Democratic Party. The contract, which was signed on Oct. 14, 2019, and refers to Shadow as the “Consultant,” specified that the company had to work with the DNC and provide the national party with access to its software for testing.
“Consultant agrees to work with the DNC Services Corporation / Democratic National Committee (‘DNC’) on an on-going basis as Consultant develops the software,” the contract reads.
The contract also specifies that Shadow agrees to “provide DNC continual access to review the Consultant’s system configurations, security and system logs, system designs, data flow designs, security controls (preventative and detective), and operational plans for how the Consultant will use and run the Software for informational dissemination, pre-registration, tabulation, and reporting throughout the caucus process.”
An email provided to Yahoo News also appears to show that Seema Nanda, the CEO of the DNC, and Kat Atwater, the national party’s deputy chief technology officer, were involved in drafting the contract and requested the addition of the provision that gave them access to Shadow and the app. In the email, dated July 30, 2019, Atwater provided an IDP official with draft text for the provision detailing the DNC’s access to the app. Atwater, in the email, said the provision was specifically requested by Nanda.
“In discussing our placement in the process with Seema on Friday, she suggested that it would be helpful to include the following provision in the contracts with your vendors,” Atwater wrote to the IDP.
DNC communications director Xochitl Hinojosa responded to questions about the contract language and Atwater’s email by saying the party wanted access to the app only to address potential security concerns.
“We requested access to the tool solely for the purpose of doing security testing,” Hinojosa said.
Hinojosa disputed that the DNC was involved in the development of the app. “The DNC drafted broad language to make sure whatever vendor IDP ultimately hired was required to work with the DNC’s cyber-security consultant,” she said. “We did not build the application, nor did we provide ‘oversight’ of its development — that’s the vendor’s responsibility. We only provided security assistance.”
The copies of Atwater’s email and Shadow’s contract with the IDP obtained by Yahoo News contained some redactions. Sources familiar with the original documents confirmed the authenticity of the copies. Atwater’s email was redacted to omit the name of the IDP official she communicated with. The Shadow contract was redacted to omit signatures and details about how much the company was paid by the IDP.
A source who worked on the caucus said the payment information was redacted from the copy of the contract provided to Yahoo News because there are ongoing questions about how much the company will ultimately receive due to the issues with the app. The source said Shadow has charged the IDP at least $60,000 for its work so far. Shadow and the firm’s CEO, Gerard Niemira, did not respond to multiple requests for comment.
The Iowa Democratic Party was introduced to Shadow through the state party in Nevada, which also planned to use an app made by the company for its caucuses, according to the same source.
In the wake of the Iowa fiasco, the Nevada Democratic Party announced it would not use Shadow’s app for its caucuses, which are set for Feb. 22.
Fallout from the Iowa debacle continues. The Associated Press has declined to name a winner, even though the Iowa Democratic Party had said Pete Buttigieg edged out Bernie Sanders in delegates, while Sanders won the popular vote. The party’s state chairman, Troy Price, announced his resignation on Wednesday and many experts have suggested Iowa may lose its coveted status as the first state to vote in the next presidential election. Price did not immediately respond to requests for comment.
In the days since the caucuses, Perez, the DNC chair, has blamed the Iowa Democratic Party and Shadow for the app debacle and the issues with the results. “What happened last night should never happen again,” Perez said in a statement on Feb. 4.
Yet the contract demonstrated that the DNC should have had the opportunity to foresee some of the problems. One provision in the contract says Shadow would provide “monthly written updates to the DNC regarding the Software status and timeline for implementation.” It also required Shadow to work with outside consultants and cybersecurity specialists, which the DNC could “choose in its sole discretion.”
According to the source who worked on the caucus, the DNC did have Shadow work with an outside cybersecurity firm. The source blamed the DNC and its security consultants for some of the issues that took place with reporting the results on caucus night.
“They had a lot of thoughts and feelings on how this app was supposed to function, and I think there was advice that was given that led to the difficulties you saw on caucus night with people being able to log in,” the caucus source said. “The security steps that were taken made it difficult for an even technologically apt person to log in.”
Hinojosa, the DNC communications director, said there were no issues with security features and the login. According to her, all of the problems stemmed from code in the software’s back end.
Perez, who was elected chair of the DNC in February 2017, has made security a top priority in the wake of the Russian hack that targeted the party’s leadership during the 2016 election.
“We have staff working around the clock to assist the Iowa Democratic Party to ensure that all votes are counted. It is clear that the app in question did not function adequately,” Perez said. “It will not be used in Nevada or anywhere else during the primary election process. The technology vendor must provide absolute transparent accounting of what went wrong.”
On Feb. 6, Perez tweeted a demand for the IDP to recalculate the caucus results due to the issues that took place on the night of the vote.
“Enough is enough. In light of the problems that have emerged in the implementation of the delegate selection plan and in order to assure public confidence in the results, I am calling on the Iowa Democratic Party to immediately begin a recanvass,” he wrote.
Price rejected Perez’s call for a recount but said the state party would conduct a recanvass if it was requested by any of the Democratic presidential campaigns. Both the Buttigieg and Sanders campaigns had released statements saying they believed they were victorious based on their own internal numbers, and each requested recanvasses of specific precincts where they think there were discrepancies.
In an interview with the New York Times on Feb. 9, Perez explicitly blamed the Iowa Democratic Party for the mess and noted the state organization had ultimate responsibility for administering the caucuses.
“Troy Price was doing his best, but it wasn’t enough,” Perez said.
The source who worked on the caucus said they found Perez’s comments “extremely frustrating” because he did not disclose the DNC’s extensive role in the app.
“They were intimately involved in this process,” the source said of the DNC, noting the committee’s deputy CTO, Atwater, was on multiple conference calls during the app’s development.
Hinojosa responded to that criticism by pointing to an appearance Perez made on MSNBC on Monday where host Chris Hayes asked “who was responsible” for the app’s failure “and what will be done to hold the people responsible to account.” Perez said responsibility was shared between the Iowa party and the DNC. He also said the DNC was “learning from our mistakes.”
“Let me be very clear, we all fell short. While the Iowa party administers the election, we provide help,” Perez said, adding, “We have a partnership with our state parties. We’re all in this together. We all succeed together and, when we fall, we fall together. ... We fell short and I’m here to say I apologize for that.”
Shadow was launched by Acronym, a nonprofit organization that was established in 2017. In the aftermath of the caucus crisis, Acronym has tried to distance itself from Shadow, particularly as questions have been raised about ties the organization has with top Democrats, including a senior strategist for Buttigieg’s campaign.
The contract Shadow signed with the Iowa Democratic Party specified that the firm would not take on any clients that would interfere or conflict with its work on the Iowa caucuses. A section identifying “current Shadow consulting clients” listed just one: the Nevada State Democratic Party.
The document also suggested Shadow staff who were “providing strategic input” to Democratic presidential campaigns participating in the caucuses would not work on the app. One Shadow staffer, Sarah Chabolla, was identified under this section. The contract did not specify which campaign Chabolla is working for, and she did not immediately respond to multiple requests for comment.