In a letter to ShiftState Security Chief Security Officer Andre McGregor, Sen. Ron Wyden, D-Ore., challenged the results of an audit ShiftState was supposed to have conducted of the Voatz voting app.
Sen. Wyden notes that “ShiftState and Voatz have not published the audit, and Voatz has refused to provide [him] with a copy.”
“Voatz’s high marks from ShiftState stand in sharp contrast to the failing grade it received in a recent audit by cybersecurity researchers at the Massachusetts Institute of Technology (MIT),” Sen. Wyden wrote.
The report to which Sen. Wyden refers is one in which MIT researchers identified security vulnerabilities in Voatz and said that hackers could compromise the app to alter individual apps, in addition to identifying privacy issues.
Sen. Wyden says that “several” state officials have cited the ShiftState audit as validation for continuing to use the Voatz app, but cautioned that “any comprehensive audit should have found the alarming flaws discovered by the MIT team.”
The Oregon senator requested that McGregor provide information on the following by March 9:
- The number of ShiftState personnel who audited Voatz and have experience in election security, cryptographic protocol design and analysis, side channel analysis, and blockchain security.
- Whether ShiftState discovered the same flaws as the MIT team, with an explanation of why it didn’t or, if it did, why it told the press that Voatz still did well on the audit.
- Whether ShiftState disagrees with the findings of MIT and, if so, why.