Study finds vulnerabilities in online voting tool used by several states

Researchers with the Massachusetts Institute of Technology (MIT) and the University of Michigan found multiple security vulnerabilities in an online voting tool being used by at least three states.

The study evaluated Democracy Live’s OmniBallot, a program that Delaware, New Jersey and West Virginia are using to allow military personnel and voters with disabilities to cast ballots amid the COVID-19 pandemic. The company also previously helped provide ballots to overseas military personnel through a Department of Defense grant program. 

According to the paper published Sunday, the system opens up the voting process to a range of vulnerabilities that could lead to election interference.

“We conclude that using OmniBallot for electronic ballot return represents a severe risk to election security and could allow attackers to alter election results without detection,” the researchers wrote.

The OmniBallot system consists of voters receiving step-by-step directions emailed through Democracy Live’s cloud portal, hosted by Amazon Web Services. Voters are then able to submit their ballots electronically or mail them back to state officials.

Researchers said a malware virus on a voter’s device could manipulate their ballot selections, and that Democracy Live did not do enough to protect the private information of voters from use in disinformation campaigns or targeted ads.

With the COVID-19 pandemic forcing election officials to consider new methods of voting, some states have considered moving the process online. The authors of the report cautioned against doing so, despite the increased chances of keeping voters safe while allowing disabled voters to cast their ballots.

“Increasing voter access is a laudable goal,” the researchers wrote. “Voters who are sick, disabled, or stationed overseas sometimes face substantial obstacles to participation, and the coronavirus pandemic threatens to disrupt in-person voting for everyone. However, elections also face substantial risks from cyberattacks — risks that are magnified when delivering or returning ballot online.”

J. Alex Halderman, a professor of computer science and engineering at the University of Michigan and a co-author of the report, tweeted Sunday that voters should mail their ballots instead, an option that both Democracy Live and many states are offering during the pandemic.

“Bottom line: OmniBallot’s ballot delivery and marking can be valuable tools for helping voters participate *if* officials take precautions we suggest,” Halderman tweeted. “Online voting, however, is a severe danger to election integrity and privacy, and we urge jurisdictions not to deploy it.”

Democracy Live CEO Bryan Finney pushed back against the report’s findings, telling The Hill in a statement that “the report did not find any technical vulnerabilities in OmniBallot. The authors take issue with online technologies in general relating to the transmission of ballots. The report does note that OmniBallot has been used primarily for voters with disabilities, or voters who cannot vote in person such as those stationed overseas in the military.”

Finney did agree with findings that Democracy Live should be more transparent about it privacy policy, and vowed to add a “vote verification tool” to future OmniBallot systems to further secure votes. 

However, Finney defended expanding options to vote beyond in-person and through the mail, highlighting concerns over disabled voters. 

“With the growth of paper vote by mail ballots, it highlights the disparity between those that can see, hold and mark a ballot and those that cannot due to disabilities, or may not have access to a paper ballot,” Finney said. “OmniBallot was designed to ensure that those that are disenfranchised from voting a traditional paper ballot are able to securely and independently able to vote. Democracy Live welcomes all responsible collaboration from interested stakeholders to ensure neither accessibility nor security is sacrificed for the other.”

The concerns over Democracy Live’s voting system come months after MIT researchers published a separate paper detailing cyber vulnerabilities in Voatz, a voting app that was used in multiple states during the 2018 midterm elections. Among the vulnerabilities discovered was the ability to change the votes.

Experts have raised concerns about any type of online voting as election officials have considered this option during the COVID-19 pandemic. Multiple federal agencies sent a private warning to states in May describing online voting as “high risk” and creating “significant security risks to voted ballot integrity, voter privacy, ballot secrecy, and system availability.”

-Updated at 10:10 a.m.