A startup called Voatz wants to build an unhackable way to vote over the internet. What could possibly go wrong?

Voting in the U.S. is an intentionally high-friction endeavor. Elections are held at in-person polling centers, open during hours when most people are working, on a day that hasn’t been made a national holiday. They’re governed by strict voter ID laws, designed to weed out imposters and in many cases succeeding mostly in disenfranchising people of color. And they’re often executed using decidedly low-tech methods—with paper ballots, susceptible to user error (never forget: hanging chads) and (accidental or deliberate) miscounts.Efficiency, some have argued, is not the point of the voting process. Security is. But this election season, West Virginia is trying out a new, blockchain-based voting system that officials hope can achieve both, simultaneously. And experts are calling it a “horrific idea.”In April, the state began asking some citizens serving in the overseas military to trade in mailed absentee ballots for digital ones, submitted through an app run by a Boston-based startup called Voatz. No one is forced to switch over to the new system, but two counties opted in for a May primary pilot, and overseas military from every county are eligible to use it for the November election. The votes will be converted into paper ballots and recorded with the other absentees. They’ll all be counted together in November.

The process itself isn’t all that complicated: Blockchain is, pared down to its simplest elements, an online database of transactions. In the context of an election, those transactions are votes; the blockchain server itself is more like a virtual ballot box and an election administrator all in one. Identities are confirmed by selfie and state-issued ID, and then double-anonymized, according to Voatz, “first by the smartphone, and second by the blockchain server network.”West Virginia is the first U.S. state to attempt a blockchain-run election of this scale. But Voatz has run more than 30 pilot elections (ranging from the 2018 MassDems Convention to student council elections) since its launch in 2015, recording more than 75,000 votes in the process. After West Virginia’s May primary pilot, “four audits of various components of the tool, including its cloud and blockchain infrastructure, revealed no problems,” CNN reported.Worldwide, trust in this new approach is growing. The Japanese city of Tsukuba became the first in the country to introduce their own version of blockchain-based voting this year, also for overseas military service members. Voters verify their identity in the system using Japan’s version of social security identifiers and weigh in not on elected officials, but on proposals for local social development programs. In Moscow, city residents can cast votes on some local municipal decisions (like street names) using a blockchain-based app called Active Citizen. Switzerland and Ukraine are trying versions this year, too.

Blockchain is being applied to voting now because it’s often considered inherently un-hackable, since its data is stored on multiple servers that all verify the authenticity of the blocks (in Voatz’ case, the votes) and copy them onto the chain of blocks that make up a blockchain. Those blocks (again, votes!) are supposed to be un-erasable—and unchangeable.

Voatz insists that their technology has been been vetted by third-party auditors, including a public HackerOne program; a pen-testing system; and the software company Security Innovation. Unlike Moscow’s Active Citizen app, which, as CityLab reported in April, has the Moscow government serving as an “authority node” and could thus be considered a tool more of propaganda than empowerment, Voatz’ system is truly decentralized: The West Virginia government doesn’t have the power to alter votes, only count them.

And unlike bitcoin’s permissionless blockchain model, which allows anyone to act as a verifier, an independent vetting process decides who can node-check for West Virginia. “Typically, these nodes would include all the stakeholders in an election such as the major political parties, NGOs, non-profits and independent auditors, etc,” reads Voatz’ FAQ. In other words, official people, not GRU hackers dialing in from their couches in Russia. (Voatz wouldn’t comment directly on this story, citing a busy pre-election season.)Still, many critics of the West Virginia blockchain-voting plan are extremely dubious of the whole idea. There’s the word blockchain, for one—a now-omnipresent but still largely mysterious technology often associated with doomed disruption projects. Also, there’s the name Voatz. It’s “the Theranos of voting!” software developer Buzz Andersen wrote on Twitter in the days after Voatz’ launch. Code for: a soon-to-be-humiliating, high-tech scam.It’s true that taking things online might seem like the least secure option for the future of voting. Election-system hackery has appeared in almost half of U.S. states, and Russian voter manipulators are mopping up indictments. (After security architect Kevin Beaumont posted a critical Twitter thread raising eyebrows at the fact that a former Voatz software developer once worked in Russia, the company released a statement saying that this staffer was just an intern who happened to be Russian.)

But others have voiced concerns about the technology itself. According to a new paper from the National Academies of Sciences, Engineering, and Medicine, Securing the Vote: Protecting American Democracy, blockchain’s vaunted security measures could kick in too late: “If malware on a voter’s device alters a vote before it ever reaches a blockchain, the immutability of the blockchain fails to provide the desired integrity, and the voter may never know of the alteration.”This was put a bit more simply by Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology, who told CNN: “It’s internet voting on people’s horribly secured devices, over our horrible networks, to servers that are very difficult to secure without a physical paper record of the vote.”Such fears are not unique to a blockchain-based system, says Ari Juels, a professor of technology and computer science at Cornell Tech: Any internet-hosted voting platform would be similarly vulnerable. “It’s very challenging to secure users’ devices,” Juels said. “There’s a risk that even if the integrity of the voting infrastructure remains intact, users’ devices get hacked or compromised through things like spear phishing campaigns.”Voatz addresses this criticism on their website, saying they’ve gone to great lengths to ensure devices aren’t compromised in the first place. “Only certain classes of smartphones that are equipped with the latest security features are allowed to be used,” their FAQ reads.Offering more paths to voter enfranchisement for members of the military should, on its face, be a popular goal. “There is nobody that deserves the right to vote any more than the guys that are out there, and the women that are out there, putting their lives on the line for us,” West Virginia Secretary of State Mac Warner told CNN.

But fears around election security, both founded and less so, have become weapons in a larger political battle over voters’ rights and disenfranchisement. The Trump administration has consistently raised the issue of rampant voting fraud, without any evidence to support it. “[T]he lie is so mesmerizing, it takes off like a wildfire,” wrote Carol Anderson in a recent New York Times op-ed, “so that the irrational fear that someone might vote who shouldn’t means that hundreds of thousands who should can’t cast ballots.”

When it comes to devising a safe way to vote over the internet, the stakes are high: Even if only a small number of users in West Virginia’s blockchain pilot were hacked, it would potentially undermine trust in the integrity of the system of a whole. Indeed, the fear that our votes are vulnerable can work to undermine democracy almost as well as hacking itself. “The integrity of the election can be undermined,” said Juels, “because people can be attuned to anecdotes about the process being [compromised].”

This article was originally published by CityLab.