With Tonya Riley

THE KEY

Some states are planning to dramatically expand their use of mobile voting in response to the coronavirus pandemic – even as cybersecurity experts warn such systems are unproven and too vulnerable to hacking. 

Two states will soon announce that they’ll offer voters who have disabilities the option to cast ballots using mobile phones in upcoming primary elections so they don’t have to risk going into polling places, said Sheila Nix, president of Tusk Philanthropies, which is funding the efforts. The option will extend to voters in the military or state residents who are based overseas. 

“With coronavirus and the uncertainty about what the situation will be in November, a lot of states and jurisdictions are looking for a solution,” Nix told me, but declined to name the states or the mobile voting vendor they’ll be using, because memorandums of understanding aren’t complete yet. 

Those states will join West Virginia, which became the first to try statewide mobile voting for military and overseas voters in 2018 and has already announced it will expand to voters with disabilities during its upcoming primary June 9. Nix said she’s also talking with about half a dozen other states about potentially using mobile voting for some residents, which would be a significant expansion for a system that has otherwise been tried for just a handful of counties since 2018 and typically just for military and overseas voters. 

As states scramble to expand voting-by-mail and early-voting days so voters don’t have to risk their health by crowding into polling sites, mobile voting could be an additional solution. The states are offering mobile options to voters with disabilities partly because some conditions make it impossible for them to vote by mail without assistance, which would undermine the secrecy of their ballots. Voters who are blind or have advanced Parkinson’s disease, for example, would be unable to fill in the ovals on a voting form. 

But there have been dire warnings from cybersecurity experts that mobile voting lacks basic protections to ensure votes haven’t been manipulated by hackers. This trade-off for access to voting during a pandemic could undermine the sense of security around the 2020 contest that officials have worked for years to achieve following Russian interference efforts in 2016. 

The critics’ strongest objection is that, by definition, mobile voting doesn’t produce a paper record that is verified by the voter and that auditors can use to ensure votes were tallied correctly. That’s basically the same problem with the paperless voting machines that state and local election officials have been replacing across the nation since Russia’s 2016 election interference operation. 

There's also no way of ensuring a mobile vote was cast by the person that was supposed to cast it rather than a hacker that compromised the phone. And adding new technology to the voting process also creates other risks, such as that hackers from adversary nations will force mobile networks offline on Election Day or overwhelm them with traffic so voters get frustrated and give up.

“There’s a remarkable consensus among the scientific community that voting on mobile apps just cannot be made secure,” Marian Schneider, president of the voting security group Verified Voting and a former state election official in Pennsylvania, told me. “Election officials are under enormous pressure right now to deliver an election where everyone can vote, but Internet voting is not the solution.” 

Sen. Ron Wyden (D-Ore.), a longtime voting security advocate who has been pushing for states to expand voting by mail during the pandemic, described mobile voting companies as “snake oil salesmen” in a statement and warned “it’s not worth risking our democracy on unproven, insecure technology.”

Voatz, one of the main mobile voting vendors, has also been pummeled by researchers who say its app contains too many vulnerabilities, and the company has battled with researchers who say it isn’t transparent enough about its security practices. 

Even Nix and other mobile-voting supporters acknowledge the systems need to develop better security protections before they're deployed more broadly and say it will be several years before they're ready to be tried across an entire state's population. Tusk also funded security reviews of the major mobile voting vendors that it shared with states and localities and that pointed out some of the security problems with the Voatz system. The cybersecurity company ShiftState Security also vetted the company Democracy Live, which will be used in the West Virginia primary.

But supporters also argue there could be massive benefits to mobile voting, including raising voter turnout and making it far easier for elderly and rural people and people with disabilities to vote — and to use in situations such as now, when in-person voting is difficult for everyone. 

“We still have a lot of work to do from the technology standpoint, but I think five to 10 years from now we’ll be in a better place solving a lot of these issues,” Jay Kaplan, a former National Security Agency technologist and co-founder of the cybersecurity testing company Synack, told me. “There are so many advantages in doing electronic voting that it’s important the industry rallies behind this.”

They’re also urging other technologists and election officials to start working on ensuring the systems are secure rather than criticizing them from the sidelines. 

“This technology is going to exist no matter what, so it’s important that we insert security best practices on the front end,” Andre McGregor, a former FBI cyber special agent and chief security officer at ShiftState Security, told me. “[Cybersecurity experts] should be pushing down the door saying, ‘We accept this is coming and we have to figure out how we create something that’s secure.’ ”

West Virginia Secretary of State Mac Warner (R), who’s one of the strongest state-level advocates for mobile voting, also sent a letter March 19 to Defense Secretary Mark Esper urging that the department assist in developing a mobile voting system that could be used by troops stationed abroad and warning that situations similar to the coronavirus pandemic could one day make it impossible for those troops to vote by mail. 

“If soldiers can bank electronically, shop by internet, and rely on tele-medicine, they should be able to participate in the very democracy they fight to defend by voting by mobile device,” he told Esper, according to a copy of the letter that Nix shared with me. 

Warner told me mobile voting is “an appropriate place for the federal government to be involved” and said he worried voting by mail is often too costly and burdensome for military voters overseas. 

“We should be using the power of today’s technology to make sure democracy can run smoothly,” he said.

Correction: This story has been updated to correctly describe ShiftState Security's review of the Democracy Live app. 

PINGED, PATCHED, PWNED

PINGED: Technical glitches and outdated systems could undermine the Treasury Department's plan to send coronavirus stimulus checks to millions of Americans, my colleague Tony Romm reports.

The primary challenge is building a portal for millions of Americans who don't already have their bank information on file with the Internal Revenue Service so that they can receive their money. But collecting all that information in one place will be an irresistible draw for hackers, experts tell Tony. 

“We can certainly assume this website will be a target that hackers of many stripes and kinds will go after, given the amount of money being discussed here,” Tom Gann, chief public policy officer for the security company McAfee, told Tony.

The IRS also already faces numerous challenges managing its digital infrastructure. The department's inspector general slammed the IRS for its legacy systems and aged hardware, as well as its use of outdated programming languages in a September hearing.

PATCHED: Colleges are rushing to hire digital proctors to monitor student exams that must be conducted online during the coronavirus pandemic, raising serious privacy concerns, my colleague Drew Harwell reports.

Many of the proctor companies retain the rights to reams of students’ personal data including their home addresses, citizenship status, medical records and biometric data, including fingerprints, facial images, voice recordings and “iris or retina scans,” Drew found. 

“Students are paying tens of thousands of dollars to have their higher-ed institutions sell them out,” Bill Fitzgerald, a researcher at the nonprofit group Consumer Reports, told Drew.

The companies all offer similar products that mix human observers with technology and monitor test-takers via webcams. But some students have said they've been falsely flagged for cheating because of innocuous behavior like looking away from the screen to solve a math problem on paper.

Some administrators acknowledge the potential privacy implications. Chris Dayley, the director of academic testing services at Utah State University, described Proctorio as “sort of like spyware that we just legitimize.”

PWNED: The Zoom teleconferencing service took another hit over its security flaws yesterday, adding to a growing list of concerns unearthed during the app's rise in popularity as people work and socialize from home during the pandemic. Researchers found that hackers could access Zoom users' Mac Web camera and microphone using two newly discovered vulnerabilities, Zack Whittaker at TechCrunch reports.

There’s no evidence hackers have actually exploited the bugs and they would need to physically access a user's computer for both attacks. But, once they do, they could install any assortment of malware and spyware, researcher Patrick Wardle says. 

“If you care about your security and privacy, perhaps stop using Zoom,” Wardle told Zack.

Zoom did not respond to TechCrunch's request for comment and has yet to issue a fix, Zack reports.

PUBLIC KEY

— Cybersecurity news from the public sector:

Senators were livid after House lawmakers left Washington without temporarily extending FISA provisions.
Politico
Pai follows Congress' orders, requires carriers to verify Caller ID accuracy.
Ars Technica
A November drill involving electric utilities across North America mimicked the disruptive malware used to cut power in Ukraine in 2016, testing operators’ ability to expunge the malicious code from their systems.
CyberScoop
Audits note poor posture and highlight weaknesses related to remote work and contractor oversight.
Nextgov

PRIVATE KEY

— The number of phishing attacks targeting Netflix users has doubled during the coronavirus pandemic, researchers at Check Point found. They're most likely after your payment method, not a Tiger King binge.

— More cybersecurity news from the private sector:

Elon Musk's rocket company SpaceX has banned its employees from using video conferencing app Zoom, citing "significant privacy and security concerns," according to a memo seen by Reuters, days after U.S. law enforcement warned users about the security of the popular app.
Reuters

WILD WILD WEST

— Cybersecurity news from abroad:

Like other countries, COVID-19 rocked both Russia and its neighbors, with recent numbers pointing to a collective 4,375 residents across the post-Soviet states being infected by the virus.
Gizmodo
Computer hackers have attacked Italy's social security website, forcing it to shut down on Wednesday just as people were starting to apply for coronavirus benefits, the head of the welfare agency said.
Reuters

ZERO DAYBOOK

  • CyberHub USA is hosting a free virtual summit: Security During Social Distancing on Thursday. You can register here.