BU Law Students Aid MIT Researchers in Releasing Report on Vulnerabilities in 2020 Election Voting App

The BU/MIT Technology Law Clinic advised on the legal and ethical considerations of the research and worked with the researchers to disclose their findings.

Technology Law Clinic Director Andy Sellars
Technology Law Clinic Director Andy Sellars | Photo by Dan Watkins for Boston University Photography

With support from the BU/MIT Technology Law Clinic at Boston University School of Law, today two MIT graduate students and an MIT Principal Research Scientist published new research documenting cybersecurity vulnerabilities found in a mobile application being used in some voting districts during this year’s elections. The New York Times published an article describing the research. As Matthew Rosenberg at the Times writes, the researchers “go beyond speculation and detail how they found serious security issues by reverse-engineering Voatz’s app and recreating what they could of the company’s server from publicly available information.”

The BU/MIT Technology Law Clinic advised on the legal and ethical considerations of the research and worked with the researchers to disclose their findings to affected election officials and the application’s creator, Voatz Inc., through the Cybersecurity and Infrastructure Security Agency, a federal agency created in 2018 that helps coordinate information about digital vulnerabilities.

The research was conducted by MIT PhD students Michael A. Specter and James Koppel, along with Daniel Weitzner, director of MIT’s Internet Policy Research Initiative.

 “Without the Technology Law Clinic’s fantastic advice, patience, and effort this paper would never have been released,” Specter says. “We are eternally grateful to the clinic’s students and faculty for helping us get this research to the public.”

BU Law students John Dugger (’21), Quinn Heath (’21), and Eric Pfauth (’20) assisted the researchers under the direction of Andy Sellars, the clinic’s director, and Visiting Clinical Assistant Professor Tiffany C. Li. Sellars and Li both have experts in matters related to the intersection between law and technology.

 “Working with Mike, James, and Danny to share this important information with the public has been an exhilarating experience,” Pfauth says. “It is encouraging to work with student researchers whose passion for security and accountability not only led them to contact us for help with responsible disclosure but also informed their research from its inception.”

The research adds to ongoing national discussions around the technology being used to facilitate elections and how such systems can fail or be tampered with. As their paper demonstrates, the researchers were able to disable many of the security features on the Voatz application and monitor internet traffic coming from the application in ways that may allow a malicious actor to change or disable votes, see how a user voted, or tamper with the election results as they arrive at the company’s server. The researchers believe reliable and secure elections are essential to democracy, and that increasing access to the polls through mobile voting technology is ineffective if it is not done in a way that guarantees a vote’s accuracy and security.

The BU/MIT Technology Law Clinic was established through a partnership between BU Law and MIT to provide students at both schools with legal assistance regarding technology research and innovation. Law students at BU advise clients in areas including data privacy, cybersecurity, intellectual property, and media law.


Related News