We are grateful to the Voting Village for championing an inclusive “safe mode” DefCon experience this year. Today, inclusivity within the hacker community—just as we’re seeing across the country—is more important than ever. Our shared goals, too, are more important than ever.
We’re particularly glad to be part of this gathering. It’s really good to see you, and good to be seen.
We’d like to spend a few moments, now that we are all together, to reaffirm our commitment to this community, to establish a path forward that ensures we have a standard for working together, and finally, to clarify and pose a question to this community around misconstrued information that we take responsibility for not clearing up sooner.
We recognize and acknowledge that many have been upset with us—even outraged. We appreciate we’re operating in a critical space and don’t take lightly the pressures from all sides of the aisle.
Some people don’t like what we’re trying to do—straight up. Some are upset because we require voters to provide an ID for verification. Some say our work is not secure, some say we aren’t transparent. Some—though maybe implicitly—don’t like what we do because our work would allow more people to vote. Some have called us a threat to democracy.
We hear you. We recognize you care about our democracy. As participants in this space, we are grateful for your voice and participation. We recognize it is critical to have differing opinions, and healthy debate.
We will be the first in line to say we are not perfect—just like the United States’ current voting system isn’t perfect. We are sure we could have navigated situations with better clarity in the past.
We are here for an important reason, and we are firmly committed to doing better, each and every day, in service of our mission—that those who are disenfranchised with their current voting options—whether military, overseas or disabled voters—have access to a safe, secure, verifiable method of voting. In our view, and we hope yours too, email, fax, and postal mail simply do not cut it for these groups. They are neither reliable nor secure and for some, they violate their right to a private ballot.
In light of our mission, we must say this—our ability to collaborate with you all is critical.
A Code of Conduct for Elections
We believe the Voting Village at DefCon is an opportunity to create a pathway for this collaboration, where inclusivity and a code of ethics are clearly outlined. We look forward to being part of the conversation with you, and we’re curious about what we all, collectively, can learn from the Voting Village’s Code of Conduct as a model for how we might govern election platforms, election officials, and researchers to avoid miscommunication and misinformation.
In the end, it is up to all of us to set and maintain a standard.
Finally, we’d like to address the situation that has pitted a few passionate voices against us because, respectfully, it is a textbook case of misreporting and repetition escalated into a dangerous environment of misinformation and mistrust.
The 2018 Attempted Intrusion: What Happened
First, we’d like to lead with the fact that we have never reported anyone to the FBI, nor to any law enforcement.
Here’s what happened: an attempted hack was made during the West Virginia midterm election in October 2018. The Voatz system was being used to service the state’s deployed military voters, their families, and overseas citizens.
The attempt was identified and blocked, and we reported the activity to the West Virginia state elections team as per standard and required protocols. We did not report anyone to the FBI, nor to any law enforcement. This is not our role.
For context, election infrastructure in the U.S. is designated by the DHS as “critical infrastructure”, along with 15 other sectors, which makes any tampering and interference a federal crime. There are established procedures for reporting any attempts made on critical infrastructure.
The actor(s) who made the attempt in 2018 had not registered for our public bug bounty program, nor used the test system available on the bug bounty program. They did not reach out to us to indicate that their activities were in good faith, and they performed activities that were indistinguishable in terms of a malicious or well-intentioned user.
As stewards of critical infrastructure, authorities in West Virginia called upon the US Attorney’s Office and held a press conference to issue their report on the attack, resulting in an FBI investigation. At this event, United States Attorney Mike Stuart issued a strong statement emphasizing the seriousness of election security.
Voatz does not doubt that the actors may have made some assumptions that led them to believe that attacking a live election system may have been permissible. As per the United States Attorney Mike Stuart’s statement, this is not allowed.
One of our core operating principles is to consistently monitor, assess, and report on all aspects of the development and piloting process of our platform. That means reporting all attempts to our client (the jurisdiction). Failing to report a threat to the jurisdiction would be an oversight as a company entrusted to ensure that ballots are delivered securely.
There have also been claims that our bug bounty program in use at that time was retroactively updated. To be clear, this is false. All updates were recorded by the public bug bounty system, and there is no way for bug bounty terms to be retroactively applied or updated without showing the update timestamps or appearing in its change history.
Despite this statement and our efforts to clear the misinformation, we are fully aware of the suspicion against us and that some, no matter the facts, will not accept them—this is the nature of the current media landscape. Our commitment is that we will continue to be available for those who wish to collaborate with us.
Conclusion & Call to Action
Finally, we’d like to end with an open call. This space, as you all well know, is inherently complex. We’d like to invite you into an open dialogue around how you might consider the roles of all participating parties in our critical infrastructure—whether election officials, cybersecurity experts, or voting technology providers. It will take all of us working together to ensure the security of this very critical infrastructure.
It is abundantly clear that we have the same goal—protecting voters and their ability to participate in our democracy—and we all must be able to enter into dialogue. How should we work together for that goal? We firmly believe that we must move forward to expand more secure options beyond mail-in voting, email, and fax, and we need to do that as a community. Taking a cue from this Voting Village, what should our “Code of Conduct” be for working together and paving a path forward to secure our elections?
We would love to hear from you, whether in the form of participating in our bug bounty program, or with your thoughts and feedback sent to the email ID (cos at voatz dot com), where you can reach us with follow-up reflections and questions. We will respond in private (if you prefer), or publish responses and questions post DefCon.
We welcome your feedback and look forward to collaborating—and, truly, thank you for welcoming us.