The Washington PostDemocracy Dies in Darkness

USPS built and secretly tested a mobile voting system before 2020

Such systems are widely considered insecure against hacking

Boxes of absentee ballots are prepared for mailing in Davenport, Iowa, in October 2020. (Daniel Acker for The Washington Post)

The U.S. Postal Service pursued a project to build and secretly test a blockchain-based mobile phone voting system before the 2020 election, experimenting with a technology that the government’s own cybersecurity agency says can’t be trusted to securely handle ballots.

The system was never deployed in a live election and was abandoned in 2019, Postal Service spokesman David Partenheimer said. That was after cybersecurity researchers at the University of Colorado at Colorado Springs conducted a test of the system during a mock election and found numerous ways that it was vulnerable to hacking.

The project appears to have been conducted without the involvement of federal agencies more closely focused on elections, which were then scrambling to make voting more secure in the wake of Russian interference in the 2016 contest. Those efforts focused primarily on using paper ballot so the voter could verify their vote was recorded accurately and there would be a paper trail for auditors — something missing from any mobile phone or Internet-based system.

The secrecy of the Postal Service’s mobile voting project alarmed election security officials and advocates who fear it could spark conspiracy theories and degrade public faith in the democratic process. Those concerns have grown immensely since the 2020 election, bolstered by baseless claims of election fraud by former president Donald Trump and his supporters.

Matt Masterson, who was then a senior adviser to the Cybersecurity and Infrastructure Security Agency and the federal government’s chief liaison to state and local election officials, said he was never aware of the Postal Service program while in office.

“If you’re doing anything in the election space, transparency should be priority number one. There should be no guessing game around this,” Masterson said.

“It’s scandalous for a government entity to conduct research into the security of blockchain online voting, which shows how insecure it is, but then hide the results and deprive the public and officials of these findings for over two years,” said Susan Greenhalgh, senior adviser on election security for Free Speech for People, which advocates for election security and opposes mobile voting.

CISA declined to comment for this story.

A May 2020 assessment from federal agencies, including the FBI and CISA, found that mobile voting systems carried high risks to the “confidentiality, integrity, and availability of voted ballots.”

The Postal Service plays no role in administering elections, but is responsible for managing ballots sent by mail, a category that has grown substantially during the past decade. The agency declined to share any long-range plans for the blockchain-based voting system. Such a system might reduce the burden of mail balloting, especially for military voters overseas. But it would also reduce a revenue boost the agency typically gets for election season mail.

The Postal Service was awarded a public patent for the concept in August 2020, but had not previously revealed that it built a prototype system or tested it. The patent application predated the administration of Postmaster General Louis DeJoy, who came under fire from congressional Democrats and election administration experts over mail-slowing procedures implemented in the run-up to the November 2020 vote.

Former postmaster general Megan Brennan, who was in office when the mail agency began developing the mobile voting system, did not respond to a request for comment.

The Postal Service had discussed for years developing an electronic voting system with state and local voting officials, said Tammy Patrick, a senior adviser at the government watchdog group Democracy Fund and the former federal compliance officer at the Maricopa County, Ariz., elections department. Such a system might have lightened the burden for some military and overseas voters who cast ballots by mail in a system that’s notoriously slow.

But those discussions were theoretical, Patrick said, to help facilitate voting access for military and overseas voters, or for disabled individuals. Some states already allow some forms of electronic voting for such voters, though vanishingly few people are eligible to use them.

USPS spokesman Partenheimer said in an emailed statement that the agency’s patent for the program was “exploratory in nature and did not proceed to a production model.”

“Blockchain technology’s potential to strengthen digital transaction security is a concept we have explored on our journey to better meet our customers’ current and future needs, and to bridge the gap between the physical and digital worlds,” Partenheimer said. “But we don’t have plans to advance this system.”

The Postal Service system allowed people to cast votes on an Internet-connected mobile app similar to how they might add items to an online shopping cart or fill out an online survey. The votes were designed to be anonymous and to be recorded in multiple digital locations simultaneously. The idea is that each of those digital records would act as a check to verify the accuracy of the other records. This is essentially the same method that cryptocurrencies such as bitcoin use to ensure transactions are accurately recorded.

But the system didn’t protect against the numerous ways hackers might fake or corrupt votes, the University of Colorado researchers said. Those include impersonating voters, attacking the blockchain system itself so votes can’t be trusted, flooding the system with information so it becomes too overwhelmed to function, and using techniques that undermine voters’ privacy and the secrecy of the ballot. The researchers were able to successfully perform all those hacks during a mock election held on campus.

“Based on our research, this actually causes more problems than it solves,” Shawn M. Emery, one of the researchers and a PhD candidate in cybersecurity, said. “If three researchers can do this much damage, I can’t imagine what a nation-state actor with millions of dollars in its budget could do in order to break this election system in multiple ways.”

The Colorado researchers were made to sign a nondisclosure agreement that prevented them from identifying the organization that built the prototype voting system, they said. In a paper describing the testing and presented at an academic conference, they said it was built by “a U.S. government organization, that has requested to remain unnamed [and] plays an important role in national elections.”

Cybersecurity advocates and election officials have long warned that mobile or online voting is the least secure method of casting ballots because there’s no physical record of the vote and no way for voters to verify their ballots were recorded accurately or for auditors to double-check them after the fact.

It would also be far easier for hackers to infect voters’ phones or laptops with malicious software that alters such votes rather than to compromise election machines, which are supposed to be completely segregated from the public Internet.

Sen. Ron Wyden (D-Ore.) described mobile voting as “about the worst thing you can do in terms of election security in America, short of putting American ballot boxes on a Moscow street,” during a Senate floor speech last year.

There has nevertheless been a concerted push to expand mobile voting in recent years, spurred by the hope of making voting more convenient and accessible, especially for people who rarely exercise their franchise or have disabilities that make voting difficult.

West Virginia allowed mobile app-based voting by some voters in 2018. There were similar programs in West Virginia, Delaware and New Jersey in 2020. In all cases, mobile voting was limited to voters with disabilities that made in-person or mail voting difficult and, in some cases, to overseas voters.

Reviews of the apps used in those states conducted by the Massachusetts Institute of Technology turned up numerous cybersecurity problems.

Election officials in some states have also allowed military voters overseas to cast ballots using secure fax systems or PDF attachments to emails.