Two days after May’s City Elections, Denver’s Elections Division held a Low-profile Audit of Key parts of America’s most Radical New Voting system.
Over several weeks, 119 Residents who were Overseas had been using their Smartphones to identify themselves and Mark and Submit their Ballots Online via Blockchains, an Encryption and Storage Method. The Voters would get an Emailed Receipt Listing their Ballot Choices, and later a Survey asking what they thought about Smartphone Voting.
Denver and its Technology and Philanthropic Partners were not just showing how they served Overseas Voters. They were presenting a Digital Evidence Trail, as there had never been a similar Open Audit of Ballot Receipts, Ballot Images, and Voting Data kept on Blockchains. The City was showing how far Smartphone Voting had come, an Internet system whose Proponents envision Millions of Americans eventually using, but one that Critics maintain is inherently Untrustworthy.
The Demo did Not resolve that Divide, a Debate where Opponents talk past each other, Level Charges, and present Irreconcilable Views. But Denver’s Smartphone Voting Pilot offered a glimpse into where Progress is and isn’t happening, what Criticisms are more and less Legitimate, and where Smartphones may or may not fit into America’s Voting repertoire.
The Demo took part in an open-air Atrium of a Government building near the State Capitol and was Broadcast Live on Facebook. Attending were: City Officials, the Mobile Voting App Developer Voatz, Supporters from a Foundation and nearby Think Tank Sponsoring aspects of the Pilot, and a few Critics, sat in rows facing a large Monitor Screen. In addition to those present, a few Outsiders were given Access to the same Records, Decrypting Tools, and Servers to Assess the Internet system’s Ballot-Handling and Accuracy.
“We will be live auditing the ballots cast through the blockchain against voter-verified digital receipts in today’s audit,” Denver Elections Deputy Director Jocelyn Bucaro said, before introducing Forrest Senti, Director of Business and Government Initiatives at the National Cybersecurity Center (NCC), a new Think Tank, to Lead the Demo. She welcomed Voatz’s team, Officials from Tusk Philanthropies including its President Sheila Nix, who had been Jill Biden’s White House Chief of Staff, Local and State Election Officials, and scores watching Online. NCC and Tusk, whose Founder is Bradley Tusk who served as Campaign Manager for Mike Bloomberg Campaign for Mayor of New York City, as Deputy Governor of Illinois, and Communications Director for New York Senator and Minority Leader Charles Schumer, helped Plan and Fund aspects of the Pilot and Blockchain Audit.
“We conducted this pilot for two main reasons. One, we wanted to provide a more convenient method for our military and overseas citizen voters to cast a ballot in the election. And second, we wanted to enhance a secure return method for those voters voting from overseas. So this audit today is key to that security feature, offered through the blockchain. We’re very excited about both the transparency and auditability that a blockchain-based voting method provides.” Bucaro said.
Senti explained that the Audit had Two parts. Online Slides and Video also laid out the Process. In short, Observers would see Selected Cutting-Edge Elements of the latest Smartphone Voting Technology.
The Monitor had Three columns with different Ballot Records from the same Voter, Senti said. The Left Panel was a blur lines of 44-character Code, with each Line referring to a Voter but Masking their Identity. In the Center was an Image of the Receipt that had been Emailed to the Voter after they used the Voatz App to Mark their Ballot. The Receipt looked like a Regular Ballot with Candidates and Ovals, but it only showed their Votes and Coded Identifier. To the Right was an Image of their entire Ballot with the Encoded ID on Top, and filled-in and empty Ovals below. That Image was what Officials had Received, Printed, Scanned, and Counted like the Rest of the City’s Ballots. These Records were from the Voting Process’s Starting and Finish Lines. They had to Match, and, as seen, did.
“The next part of this demo is the actual blockchain record,” said Senti, who brought up a New Window on the Right. It was the “blockchain viewer.” This was Software created by Voatz to Access Votes from a Single Ballot, which had been Encrypted and Stored Online in Separate Pieces and Places, the Blockchain. The Viewer showed more Lines of scrambled Letters and Numbers. One Paragraph had to be Copied, Decoded by other Software in another Window, and Copied into yet another Window, a Table, where after more Decoding, the Name of Chosen Candidates or Ballot Questions stances would appear, such as decriminalizing psilocybin mushrooms. After these Complex Steps, the Decoded Votes lined up, Matching the Ballots.
The Demo took 22 minutes. Only a Few of the 119 Overseas Ballots were Audited. It Ended with Bucaro and Senti reminding those present that they could Independently take these same steps with All of the Ballots if they Signed Up, including Agreeing not trying to Sabotage Voatz. No one in the Audience asked Questions, but those present lingered to talk about it.
Though everyone was polite, differing Perspectives emerged.
Bucaro was asked how this Process provided Assurance. In Elections, there is the notion that All Forms of Voting have some level of Risk. Why was this good enough? “We’re verifying several things here,” she said. “We’re verifying that from the voter’s device, to the chain, there was no malfeasance—there was no interruption of, or disruption to, the data. We’re ensuring that the data extracted from the blockchain is accurate. And we’re ensuring that the data was tabulated correctly in our tabulation system. We’re verifying every point of entry and every potential risk area that we have the ability to do, which is certainly more than through other traditional [audit] methods.”
That last Comment was Intriguing. Colorado was a National Pioneer in Voting by Mail. When asked if the App and Blockchain method was more Traceable than the Vote-by-Mail system, where Officials Lose track of a Voter’s Ballot once it is Removed from an Envelope after a Signature on the Outside has been Vetted, or its Practice of Sending and Receiving Ballots by Email to the Overseas Voters, Bucaro did not hesitate. “Yes,” she quickly replied. “It gives us more data points where we can test and ensure that things happened correctly.”
But Not everybody present saw the Demo so Enthusiastically. “It utterly failed to produce any confidence in the accuracy or relevance even of the data we were being shown—clearly all images,” said Harvie Branscomb, a Longtime Colorado Election Integrity Activist who, like many Opponents of Electronic Voting, believes that there is No Substitute for Hand-marked Paper Ballots as the Basis for Verifiable Election Results. “There was hardly any reference to how you would use that data to find a piece of paper that was supposedly behind it,” he said. “In the case of the presumably voter-verified data, that stuff was probably never on paper.”
Branscomb, a Semi-Retired Computer-Marketing Consultant has spent years on Improving Audits and is highly regarded in Activist Circles, was as Articulate and Adamant as Bucaro. “We are not going to call this an audit at all, because our understanding of an audit is that you look at the paper that was voter-verified, and that doesn’t exist in this particular model,” he said. “The process that they proposed for doing what I’d call the review was preposterously complex… if someone on the inside actually wanted to make changes, obviously they’d have plenty of ways to interfere where I would be seeing false or twisted election data and not know it. Where is the auditability in that? I don’t know.”
These Contradictory views reflect an old but enduring Schism about Voting Technology in America. One side Favors Computerized Tools like the Voatz App to Create Ballots, Record Votes, and Tabulate Results. The other Favors Handmade Ink Marks on Paper and Distrusts any Layer of Technology that stands between those Marks and the Vote Count. Those favoring a Mix of the Best uses of Paper and Software tend to be Distrusted by these Factions.
Seen loosely, this is a Clash between proven 20th and emerging 21st Century Technologies, and Innovation’s role at the heart of Voting. Hovering above this landscape is a more nuanced Question applicable to All Voting Systems. Does it have an Observable Evidence Trail Legitimizing the Results? In other words, can it show that Voting has neither been Disrupted nor Corrupted?
These Questions are not easily answered. That is because Voting systems rely on a mix of Paper Records and Digital Processing, sometimes seen and other times Not Visible. Many Voters don’t realize that People almost never Count Hand-Marked Paper Ballots, Computers do. For Efficiency, Speed, and Greater Accuracy, Optical Scanners are used. Such Scanners utilize Image-based Software. Scanners Create and Analyze Digital Images of each Ballot and their Votes. That Data is then fed into the Process’s Tabulation Stage.
Today’s Highest-Profile Controversies in Voting Technology concern New Systems that Replace Hand-Marked Paper with a Computer-Generated Record. The Manufactured Ballot is controversially called a Paper-Based system by Vendors, because it is Printed for Voters to Check before they Finish. The deepest Divide is the Ballot itself. Should it be Hand-Marked Paper or a Digital Equivalent? But the Hand-Marked Ballot can be Visually Reviewed in an Recount and Audit.
Seen against this backdrop, Voatz’s Smartphone Mobile Voting App is the most Radical New Voting system in America. Its features are a Microcosm of the most contentious Elements in today’s Systems, including what many Jurisdictions are Acquiring before 2020, Digitized Ballot-Marking Devices, and what Democrats may use in 2020 Presidential Caucus States for Voters who are Not Physically Present, a Telephone-Keyed system in Iowa, for example, and possibly another Online system in Nevada.
West Virginia was First to Pilot Voatz’s App for Overseas Voters. But Denver was First to Open up the Blockchain piece to Quasi-Public Review, the City’s Audit Demo. The other part of Voatz’s App, using a Smartphone’s Camera and its Biometric Sensors to Authenticate Voters, ensuring they are a Real Person, and not an Avatar or Fake Computerized Persona, was Not Open to Review.
That Absence of Wider Scrutiny has angered Internet Voting Opponents from Computer Science Circles. Several gave Branscomb a recently Written Paper with 75-plus Technical, Operational and Data Privacy Questions for Voatz, which he dutifully Distributed at the Blockchain Audit in Denver. These Critics want Voatz to give its Software Code to Hackers to Attack, which has led to Suspending Online Systems. Switzerland is the latest Example.
“This is a totally closed and close-mouthed system and company. And it’s just another internet voting system, however they wish to dress it up with a blockchain,” said David Jefferson, a Cybersecurity Expert, Board Member of Verified Voting, an Anti-Electronic Voting Advocacy group, and Co-Author of that Paper, speaking of Voatz and Denver’s Pilot before the Demo. “They’re using terms that the security community means in a very specific way, and they’re faking it,” he said, referring to Assertions that Voatz could Verify Ballots as they Transited from Smartphones to Government Election Offices. “Their auditability is not end to end, or rather, it is—if you get to pick the ends, you can always achieve end-to-end auditability.”
The bottom line from Opponents like Jefferson comes down to a few Key Thresholds Questions that apply to any Computerized voting System. Can what a Voter sees on a Computer Screen be trusted? Can an Electronic Representation, or a Printout of their Ballot and its Choices, be Trusted to be Counted Correctly? Can Threats lurk below what is seen, submerged in a sea of Computer Code, which can Bypass what Voters and Officials see, but nonetheless Corrupt what the Tabulation stage presents as the Unofficial Results? Results become Official weeks later after a so-called Canvas Period and Occasional Recounts.
Online Voting Opponents and Proponents offer starkly different Answers and Narratives. Critics say it is possible, though not always provable, that any Software, and thus Election Results, can be Corrupted. They contend that Voatz must show that their Software and System have not been Breached. “All of the security vulnerabilities of an online voting system affect ballots before they even get to the blockchain, while they are in the device that is creating them, or while they are in transit, or they affect authentication and authorization,” said Jefferson. “It’s evidence that matters, evidence without holes. I’ve got to repeat myself—evidence without holes.”
“This is really black box observation,” said Duncan Buell, a University of South Carolina Computer Science and Engineering Professor and Co-Author of the Paper with 75-plus Questions for Voatz. “We are seeing some things that allegedly got put in, and we are seeing some things that are being taken out. But a lot of the negative opinion coming from people like me and David Jefferson is because Voatz is not really telling anybody what they are doing. They’re burying all this in software that they’re not letting anyone look at.”
But Voatz’ Senior Vice President Larry Moore Rejected these Assertions, starting with the Assumption that something could be Invisibly lurking in its Software that could present Vote Summaries and Matching Ballots to Voters and to Officials, on one hand, while Secretly Altering Results on the other. “Hold on,” said Moore, a longtime Technology Executive who is patient but bullish, standing on the Demo’s Sidelines. Before joining Voatz this winter, he was the Founder and CEO of Clear Ballot, the Nation’s most Precise Election Audit System, which Analyzes Digital Images of every Ballot to Account for every Vote Cast, or find ambiguous Marks to Review.
The sideline talk following the Denver Demo included some of the most revealing Details yet about what Voatz was doing and where Smartphone Voting could be headed, why Voatz has Not fully responded to Critics who want them to Open up their Software so Hackers can Attack it, and the wider Cybersecurity Debate surrounding the Country’s Voting Systems.
For example, when presented with a New twist on the contention that Voatz could Not know if its App Software Code had been Attacked, because, as one recently Retired longtime Voting Official said before the Demo, the Computer Security Forensic Science did Not Exist to Trace that Threat, Voatz CEO Nimit Sawhney said that assertion simply wasn’t true. “Forensics to detect if any machine has been hacked into do exist,” he said. “You can speak to people at NSA [the National Security Agency], DHS [the Department of Homeland Security], GCQ in England, national investigative agencies around the world. They do exist… The academics that helped to build that science do know about it, but willfully say wrong things [about smartphone voting] because they are ideologically opposed.”
Branscomb, talking to Sawhney and Nix, asked Why use a Blockchain to Transmit Data. “Those people who are claiming there’s no role for it are missing the point completely,” Sawhney, Voatz’s CEO, replied. “It’s to secure the aggregate vote, and to make sure data remains tamper-free from the time it is cast to the time that it is actually tabulated and canvassed and audited.” Branscomb said he saw how Blockchains were “basically [addressing ballot] chain of custody, but you also need the chain of custody at the beginning.”
He was referring to the Stage of Voatz’s App that wasn’t shown at the Demo, the Smartphone User Authentication. These steps involve the Phone’s Camera and App analyzing if Government-issued IDs are Real and then taking a Video from which a moving Image matches the ID’s Headshot. Sawhney replied that the App “couldn’t create a voter of our own. The jurisdiction has to do it.”
The Conversation then went to the Voter-Verified Receipt, which Sawhney said every Overseas Voter in West Virginia’s Pilot had Checked. Branscomb asked how the Contents of Emailed Receipts weren’t Traceable to Individual Voters, to Preserve Ballot Secrecy. “That’s a good question,” Sawhney replied, first noting that the Emails were Encrypted as they were sent between Voters and Officials. But the key was Voatz had No Control over the Email Relay between the Sender and Recipient, he said. “So this is how. Get two parties with no visibility to each other’s systems to legally confirm that they will never have access to that email. Plus infrastructure controls. So that solved the problem for now.”
Many States, including Colorado, have Overseas Voters surrender their Right to Secret Ballots. But the Issue is complex as Voatz looks beyond Overseas Voters, as its system must Authenticate Voters, tie them to their Devices so nobody Votes more than Once, but then Submit a Ballot that Cannot later be Traced back to them, so it is a Secret Ballot.
“Now, whether this [current protocol] will work for millions of people voting, that remains to be seen,” Sawhney said. “It will work for a smaller group, OUCAVA [the federal law for overseas voters], and maybe for the disability community. But if millions of people vote, we will have to modify the email protocol.” He cited European Methods where “nobody can read the contents of that email, even if they are relaying the email. So there are solutions there. They will increase the cost.”
Branscomb returned to the Issue of Personal Information tracked by the App. Critics like Jefferson raise the same question about Voatz Subcontractors. Sawhney replied that Voatz Deleted what they used in 24 hours. From there the Discussion took what might have been its most Intriguing turn. Sawhney noted that Smartphones had Standard Features that their App did not use, but could also help in Audits, including, he said, revealing “if somebody would willfully say something to disrupt an election.”
“It’s not PII,” Sawhney told Branscomb, using shorthand for Personally Identifying Information. “It’s anonymous sensor data. It’s not PII.” Sawhney explained that Smartphones have Two-Dozen Sensors that Track, among other things, where a User Touches the Screen and how hard that touch is. When that Physical Interaction is Overlaid with a Digital Document, such as a Ballot, there’s a Record that usually can be Retrieved. “It’s digitally signed,” he said. “If you sign a different version, the system will detect it. Now let’s say you say, ‘The software did something wrong. I picked A and it chose B.’ I say, ‘Prove it.’ You come to the forensic team. Do the cure process. As long as you haven’t re-installed the OS [operating system], it’s conclusive. A forensic examiner can conclusively prove what you were saying is true or false.”
“You’re saying the app saves the forensic data?” Branscomb replied. “Yeah, yeah,” he said. “The phone has 22-plus sensors which are recording this anonymous data, and touch pressures are very strong biometrics.” The latest Smartphones also allow Users to make Videos of how they are being used, which could include Voting with an App. Details like these are intriguing because they suggest that the ongoing Evolution of Smartphones might offer more Election Auditing Possibilities or, conversely, pose New Challenges for Preserving Secret Ballots. But back in the circles where many Officials live, there is a competing Priority: a Desire to Deploy the Simplest systems, as Elections can be Marred by Human Error and Technical Snafus.
The Voatz App is not poised to storm America. It is Not Federally Certified and may never be. It hasn’t been Certified by the State of Colorado, either, but Denver was allowed to use it for its Pilot because its May 7th Elections were Local and Not for State and Federal Offices. Denver and West Virginia will keep using it, and Voatz may come Next to South Carolina and Utah.
The Segment of the Electorate First targeted by Voatz is Overseas Civilians and Members of the Military. Susan Dzieduszycka-Suinat, who Created the U.S. Vote Foundation 14 years ago to serve Overseas Voters, has been Critical of Voatz and its Allies for the same reasons cited by Jefferson, but also because “it gets really old being a guinea pig” for Vendors who want to try out their ideas, but don’t ask what these Voters may need, and seeing Public Officials respond too eagerly to Private Firms. “This whole overreliance on vendors comes from the fact that LEOs [local election officials] have very little resources, and maybe no guidance,” she said. “Then a vendor comes in and says, ‘I have an answer, let me show it to you.’ They don’t have the ability to evaluate it, really.”
Domestically, Voatz’s Next Market appears to be Voters with Disabilities. Every Polling Place must have a Voting Station that Accommodates People with such Handicaps. Denver wanted to Pilot that use in its May Elections, Bucaro said, but Modifications to the App were Not ready. “That’s something they’re working on,” she said, speaking of a Nationwide Population estimated at 35 Million Voting-Age Americans. “But the next goal is to create a digital bulletin board where the voter can enter their own hash [encrypted ID] and see their own ballot, both as the data stored in the blockchain and as we tabulated it. That’s something voters are not able to do right now.”
Denver’s Demo previewed that capacity, but it was not a Simple Interface. Stepping back, the Pilot is trying to Create New Facts and Evidence about Smartphone Voting that will be taken to other States. A recent San Diego Union-Tribune Report said Voatz and its Allies envision Pilots in 25 States in coming years.
Whether or Not that Goal is realistic is an Open question. Regardless, Denver’s Pilot showed a Technology and its Supporters taking steps toward gaining a Wider acceptance. The Pilot offered some New Details and Data, and sought to offer Assurances about Smartphone Voting’s Accuracy, but it did so in Controlled Settings. The City’s Team invited a Handful of Outsiders to Review its Ballot Image and Blockchain Records, but didn’t put that Invitation on its Official website. On the other hand, Strident Critics were told about the Open Audit, and most chose Not to Participate.
Meanwhile, Voatz and its Allies are pressing ahead. A day after the Demo, Bucaro said the City did its Own Audit of the Smartphone Ballots, comparing the Starting Line and Finish Line Records, and Decrypting the Blockchain in between. “Everything matched,” she said, adding that Twice the Number of Overseas Residents Voted in May compared to Denver’s Last Local Election, with Half using the Voatz App. “Not only that, we collected survey results from voters who used the app. And 100 percent of them said this is how they’d prefer to vote in the future,” she said.
Comments like these are a Precursor to Declaring the Pilot a Success. But when asked if she Struggled with the Blockchain Audit, Bucaro said, “Oh yeah. Blockchain is incredibly hard to understand if you are not a computer scientist. I had to educate myself. It is difficult to explain to the public. I think the key is—it is redundant. It’s auditable. It’s more transparent. And the added layers of redundancy and encryption make it more secure, from our perspective. So as soon as I was able to understand all that, plus the fact that that data can’t be altered once it’s been written on the blockchain, and stored in the blockchain, without detection, that was all important.”
An Older Generation of Election Officials, such as Florida’s Sancho, said such Complexity “works against wider distribution” of New Voting systems. That Seasoned Perspective suggests that Voatz has a way to go before Thousands of Voters, let alone Millions, use it. Denver’s May Pilot had 119 Voters. Last November’s West Virginia pilot had 144 Voters. These are small-scale Test runs in Contests and not High-Stakes Elections. But that may soon change.
In 2020, its most High-Profile use may Not be with Overseas Voters or Voters with Disabilities, but with State Democratic Parties in a few States conducting Presidential Nominating Caucuses. The National Party is Requiring its Caucus States to Offer a Remote Participation Option with Ranked-Choice Voting.
Iowa, the Opening Caucus, will use a Telephone-key Based System akin to how one Pays Bills over the Phone. But other Caucus States are studying Options, and some have been in contact with Voatz. Whether Local Broadband is Reliable may be a Limiting Factor.
Denver’s Pilot showed Smartphone Voting as a Work in Progress. It is Not as Perfected as Boosters Claim, Not as Fatally Flawed as Critics Contend, and still Awaiting Independent Testing. The City’s Demo was a looking glass, a look at what may be the evolving Future of Voting in America. No one can say what Parts of Voatz’s System or Smartphones as a Voting Platform will Endure. But Denver’s Pilot epitomizes the Ongoing Clash between 20th and 21st Century Voting Systems, and whether Smartphones’ Revolutionary Technology may soon include Ballots.
NYC Wins When Everyone Can Vote!
Michael H. Drucker