As states explore online voting, new report warns of ‘severe risk’
While the OmniBallot electronic ballot return feature “represents a severe risk to election security,” MIT researchers said, careful implementation of the system’s ballot delivery and marking solutions can help more voters participate.
As states look for alternatives to in-person voting in the event the coronavirus flares again in the fall, researchers at MIT released a report on the security of OmniBallot, an internet voting and ballot delivery system that has been used by military, overseas and disabled voters in approximately 600 jurisdictions.
The platform was developed by Democracy Live, a provider of cloud-based voting technologies that describes its OmniBallot Online product as an electronic, fully accessible ballot solution for vote-by-mail and absentee voters as well as for those covered by the Uniformed and Overseas Citizens Absentee Voting Act. Qualified voters can use the service to print their ballots, fill them out and mail them or deliver them in person. Disabled voters can use an online ballot marking version to select candidates electronically, print the completed ballot and then mail it in or deliver it. This year, however, three states are allowing some voters to use the web application to return their ballots online, MIT researchers said.
New Jersey is piloting the use of OmniBallot for online voting for the disabled. West Virginia now allows disabled as well as military and overseas residents to use the service, and Delaware is offering it to those who are sick, self-quarantining or social distancing to avoid exposure to COVID-19.
To analyze the platform and web app’s security primarily in the context of online ballot return, the MIT researchers reverse-engineered the client-side portion of OmniBallot and concluded that “using OmniBallot for electronic ballot return represents a severe risk to election security.” However, they said, the ballot delivery and marking solutions can help more voters participate – if they are used with specific precautions and changes.
Specifically, the researchers found that the ballot return function cannot achieve software independence or end-to-end verifiability, two criteria for secure internet voting. It also uses a number of third-party services that would allow votes returned online to be altered, potentially without detection.
“The web app runs in the browser and uses HTTPS to load files and call REST-like APIs from several domains. When voting online or marking a ballot, the app sends the voter’s identity and ballot selections to Democracy Live services running in Amazon’s cloud. The app runs JavaScript loaded from Amazon, Google, and Cloudflare, making all three companies (as well as Democracy Live itself) potential points of compromise for the election,” the report said.
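The trust relationship the report describes can be inventoried for any page. The following added example (not code from the MIT report or Democracy Live) lists every origin that serves script to a page and flags third-party origins whose scripts are not pinned with a Subresource Integrity hash; the page URL, hostnames and HTML are constructed placeholders, not OmniBallot's real ones.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: placeholder hostnames, not taken from the report.
PAGE_URL = "https://ballot.example.org/app/index.html"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.vendor-a.example/lib/framework.min.js"></script>
<script src="https://cdn.vendor-b.example/analytics.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script>console.log("inline, served by the first party")</script>
</head><body></body></html>
"""

class ScriptCollector(HTMLParser):
    """Collects (src, has_integrity) for every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], bool(a.get("integrity"))))

def origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def script_trust_inventory(page_url, html):
    """Map each script-serving origin to its script count and unpinned count."""
    collector = ScriptCollector()
    collector.feed(html)
    first_party = origin(page_url)
    inventory = {}
    for src, pinned in collector.scripts:
        o = origin(urljoin(page_url, src))  # resolve relative URLs
        entry = inventory.setdefault(
            o, {"third_party": o != first_party, "scripts": 0, "unpinned": 0})
        entry["scripts"] += 1
        entry["unpinned"] += 0 if pinned else 1
    return inventory

def unpinned_third_parties(inventory):
    """Origins outside the site's control that can change the code it runs."""
    return sorted(o for o, e in inventory.items()
                  if e["third_party"] and e["unpinned"])

if __name__ == "__main__":
    print(unpinned_third_parties(script_trust_inventory(PAGE_URL, SAMPLE_HTML)))
```

An integrity hash only pins a third-party file; the origin that serves the HTML itself remains fully trusted, so the inventory shows who must be trusted rather than removing that trust.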
The OmniBallot online ballot marking mechanism Delaware uses sends “the voter’s identity and ballot selections to Democracy Live, even when the voter opts to print the ballot and return it physically through the mail,” the report said. Even when OmniBallot is used only for delivering blank ballots, those ballots could be “misdirected or subtly manipulated,” resulting in incorrect counts, it added.
“In all modes of operation,” the report said, “Democracy Live receives a wealth of sensitive personally identifiable information: voters’ names, addresses, dates of birth, physical locations, party affiliations, and partial social security numbers.” Votes submitted online include ballot selections and a browser fingerprint, which could be used to target voters with ads or disinformation.
The researchers offer recommendations for election administrators and policymakers using OmniBallot so they can better safeguard voters’ privacy and protect the integrity of elections:
- Eliminate electronic ballot return and focus on improving ways ballots can be returned physically, which reduces risk of large-scale manipulation.
- Limit the use of online ballot marking, offering that service only to voters who could not otherwise independently mark a ballot, which should then be printed and physically returned.
- Mark ballots using client-side code, generating marked ballots locally in the browser. This Democracy Live solution, called “Secure Select,” is already available in counties in California and Virginia, and in Washington, D.C.
- Implement risk-limiting audits to limit the probability that the election outcome differs from the outcome determined by hand counting ballots.
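How an audit can bound that probability, as an added example that is not from the MIT report: a two-candidate ballot-polling audit in the style of the BRAVO method, which the article does not name. The reported vote share, risk limit and sampled ballots are constructed.

```python
def ballot_polling_audit(reported_winner_share, risk_limit, sampled_ballots):
    """Sequential ballot-polling audit for a two-candidate contest.

    sampled_ballots: hand interpretations of paper ballots drawn uniformly
    at random, "W" for the reported winner and "L" for the reported loser;
    any other value (blank, invalid) is skipped.
    Returns (confirmed, ballots_examined, test_ratio). If the sample ends
    without confirmation, the audit keeps sampling or escalates to a full
    hand count; it never confirms a result by default.
    """
    if not 0.5 < reported_winner_share < 1:
        raise ValueError("reported winner share must be in (0.5, 1)")
    if not 0 < risk_limit < 1:
        raise ValueError("risk limit must be in (0, 1)")

    threshold = 1.0 / risk_limit   # stop once the ratio reaches 1/alpha
    ratio = 1.0                    # likelihood ratio: reported result vs. a tie
    examined = 0
    for examined, ballot in enumerate(sampled_ballots, start=1):
        if ballot == "W":
            ratio *= reported_winner_share / 0.5
        elif ballot == "L":
            ratio *= (1.0 - reported_winner_share) / 0.5
        if ratio >= threshold:
            return True, examined, ratio
    return False, examined, ratio


if __name__ == "__main__":
    # Constructed samples for a reported 60% winner and a 10% risk limit.
    agreeing = ["W"] * 20          # paper trail strongly supports the result
    split = ["W", "L"] * 50        # paper trail looks like a tie
    print(ballot_polling_audit(0.6, 0.1, agreeing))
    print(ballot_polling_audit(0.6, 0.1, split))
```

The audit depends on a voter-verified paper record to sample from, which is why the recommendations pair it with physical ballot return.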
While not all applications of the OmniBallot platform carry the same security risk, the researchers concluded that online ballot return “represents a severe danger to election integrity and voter privacy. At worst, attackers could change election outcomes without detection, and even if there was no attack, officials would have no way to prove that the results were accurate,” the report said. “No available technology can adequately mitigate these risks, so we urge jurisdictions not to deploy OmniBallot’s online voting features.”
In February, MIT researchers conducted a similar analysis of the Voatz blockchain-secured mobile voting app and reported weaknesses that would allow hackers to "alter, stop, or expose how an individual user has voted." The app poses "potential privacy issues for users" and has limited transparency, which restricts security researchers' ability to assure the app's integrity, they said.