July 13, 2020

Democracy Live internet voting: unsurprisingly insecure, and surprisingly insecure

The OmniBallot internet voting system from Democracy Live finds surprising new ways to be insecure, in addition to the usual (severe, fatal) insecurities common to all internet voting systems.

There’s a very clear scientific consensus that “the Internet should not be used for the return of marked ballots” because “no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet.” That’s from the National Academies 2018 consensus study report, consistent with May 2020 recommendations from the U.S. EAC/NIST/FBI/CISA.

So it is no surprise that this internet voting system (Washington D.C., 2010) is insecure, and this one (Estonia, 2014) is insecure, and that internet voting system (Australia, 2015) is insecure, and this one (Scytl, Switzerland, 2019), and that one (Voatz, West Virginia, 2020).

A new report by Michael Specter (MIT) and Alex Halderman (U. of Michigan) demonstrates that the OmniBallot internet voting system from Democracy Live is fatally insecure. That by itself is not surprising, as “no known technology” could make it secure. What’s surprising is all the unexpected insecurities that Democracy Live crammed into OmniBallot–and the way that Democracy Live skims so much of the voter’s private information.

OmniBallot has three modes of use:  (1) internet download of unvoted absentee ballots to print at home and mark by hand; (2) using the voter’s home computer to mark ballot selections, for printing ballots at home to be mailed back; and (3) “online voting,” which is the internet return of voted ballots as PDF files.  

OmniBallot’s online voting feature (internet return of voted ballots as PDF files) “uses a simplistic approach” and “as a result, votes returned online can be altered, potentially without detection, by a wide range of parties,” including either insiders or hackers. Not surprising: this is the standard insecurity of online voting systems: hackers can steal votes (in a “scalable” way, according to the EAC/NIST/FBI/CISA report).

Surprise! Insiders at any of four private companies (Democracy Live, Google, Amazon, Cloudflare), or any hackers who manage to hack into these companies, can steal votes. That’s because Democracy Live doesn’t run its own servers–it uses all of these services in building its own product. Well, in hindsight, not so surprising–this is the way modern internet services work.

OmniBallot has a mode of use in which the voter uses her home computer to mark a ballot, then print that ballot as an optical-scan absentee ballot to be mailed in. In this mode it appears that the voter’s ballot selections (votes) are not being sent over the internet. Surprise! Even in this mode of use, the OmniBallot system “send[s] the voter’s identity and ballot selections to Democracy Live” (and Amazon). 

Not a surprise: Even when OmniBallot is used only for downloading unvoted absentee ballots to print at home and mark by hand, “there are important security and privacy risks …  including the risk that ballots could be … subtly manipulated in ways that cause them to be counted incorrectly.” It’s well understood that a hacker could alter the PDF file to rearrange where the fill-in-the-ovals are, so an optical-scanner would count a vote for Smith as a vote for Jones. I’ll discuss this further in the comments below.
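The oval-position attack described above (and elaborated in the comments) is easy to see once you model what each party actually reads. Below is an added illustration, not code from the Specter/Halderman report or from Democracy Live: the tabulator is programmed with an official row-to-candidate mapping and never looks at the printed names, the voter does the opposite, and a hand interpretation of the same paper (what a Risk-Limiting Audit compares against) is what exposes the gap. The two-candidate layout, the swap-the-names tampering, and the voter choices are all constructed for the example.

```python
"""Model of why an optical-scan tabulator cannot notice that a downloaded
PDF ballot was tampered with, and how a hand audit can.  Added
illustration with a constructed ballot; not from the report or the vendor."""

from collections import Counter

# Official ballot definition loaded into the central-count scanner:
# oval row index -> candidate.  The scanner reads mark positions only.
OFFICIAL_LAYOUT = {0: "Smith", 1: "Jones"}


def render_ballot(layout):
    """What the voter sees: a list of (row, printed_name), standing in
    for the PDF delivered to the voter's computer."""
    return [(row, name) for row, name in sorted(layout.items())]


def tamper_swap_names(rendered):
    """Assumed attacker edit to the downloaded PDF: leave the ovals where
    they are, but swap the names printed beside them."""
    names = [name for _, name in rendered]
    return [(row, name) for (row, _), name in zip(rendered, reversed(names))]


def voter_marks(rendered, intended):
    """The voter looks for the printed name and fills the oval next to it.
    Returns the row index that ends up marked on paper."""
    for row, name in rendered:
        if name == intended:
            return row
    raise ValueError(f"{intended!r} is not on this ballot")


def scanner_count(marked_rows, layout=OFFICIAL_LAYOUT):
    """Scanner tally: each marked row is mapped through the official
    definition, ignoring whatever was printed on the paper."""
    return Counter(layout[row] for row in marked_rows)


def hand_count(ballots):
    """Human interpretation of the physical ballots: read the name that
    is printed next to the marked oval.  This is what an RLA compares
    against the scanner's interpretation."""
    return Counter(name for rendered, row in ballots
                   for r, name in rendered if r == row)


def layout_matches_official(rendered, layout=OFFICIAL_LAYOUT):
    """Check a downloaded ballot against the official definition.  Only
    possible for someone who holds the definition; an ordinary voter
    looking at the PDF has nothing to compare it to."""
    return all(layout.get(row) == name for row, name in rendered)


def simulate(intents, tampered):
    """Run an election for the given voter intents.
    Returns (scanner tally, hand tally) as plain dicts."""
    rendered = render_ballot(OFFICIAL_LAYOUT)
    if tampered:
        rendered = tamper_swap_names(rendered)
    ballots = [(rendered, voter_marks(rendered, choice)) for choice in intents]
    scanner = scanner_count(row for _, row in ballots)
    hand = hand_count(ballots)
    return dict(scanner), dict(hand)


def audit_discrepancy(scanner, hand):
    """Candidates whose scanner tally differs from the hand tally.  A
    single such ballot surfacing in an RLA sample is what escalates to a
    full hand count; with no audit the scanner result simply stands."""
    return {c for c in set(scanner) | set(hand)
            if scanner.get(c, 0) != hand.get(c, 0)}


if __name__ == "__main__":
    intents = ["Smith"] * 6 + ["Jones"] * 4      # constructed electorate
    for tampered in (False, True):
        scanner, hand = simulate(intents, tampered)
        print("tampered" if tampered else "honest ", scanner, hand,
              "discrepancy:", audit_discrepancy(scanner, hand))
```

With the honest layout both tallies agree; with the swapped names every voter who meant Smith marks the row the scanner has been told is Jones, so the scanner reports the election inverted while the paper, read by a person, still shows the true intent. That is the whole reason the RLA matters here: the scanner alone has no way to know anything is wrong.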

And finally, Surprise! “In all modes of operation, Democracy Live receives a wealth of sensitive personally identifiable information: voters’ names, addresses, dates of birth, physical locations, party affiliations, and partial social security numbers. When ballots are marked or returned online, the company also receives voters’ ballot selections, and it collects a browser fingerprint during online voting. This information would be highly valuable for political purposes or for election interference, as it could be used to target ads or disinformation campaigns based on the voter’s fine-grained preferences. Nevertheless, OmniBallot has no posted privacy policy, and it is unclear whether there are any effective legal limitations on the company’s use of the data.”

This is shocking: it’s bad enough that companies like Cambridge Analytica gathered huge amounts of personal information on individual voters for the purposes of microtargeting disinformation–they took that data from people who made the mistake of signing up for Facebook. But for the State to force a citizen who just wants to exercise their right to vote to surrender personally identifying data to a private company, with no apparent restrictions on its use, goes beyond even the Facebook scandal. No state should participate in such a scheme.

Comments

  1. Andrew Appel says:

    Democracy Live has a mode in which the voter downloads the PDF of an optical-scan absentee ballot; then the voter can print it out at home, mark it with a pen, and mail it to their local election administrator (or return it physically by other means, like bringing it to a drop box or a vote center). In principle, this is lower risk than the return of voted ballots by Internet, because there’s no opportunity for an Internet-based hacker to alter the marks on the paper.

    But there are still risks. If hackers could penetrate the server, or penetrate large numbers of voters’ computers, they can alter the PDF file to switch the positions of candidates Smith and Jones–so when the voter marks the oval by “Smith”, the optical scanner (which reads the positions of the ovals, not the names next to them) thinks it is a vote for Jones.* This hack could, in principle, be detected and corrected by a Risk-Limiting Audit — but only if the jurisdiction actually does an RLA.

    Other risks, with voter download-and-print of PDF ballots, are that the voter’s home printer does not have appropriate print quality, or appropriate high-quality paper stock, for the ballot to be read accurately by the central-count optical scanner. In such cases, election administrators must “re-make” the ballot by copying the votes, by hand, onto preprinted optical-scan forms. In this process there is room for error, or fraud; so this “re-making” must be done by teams of at least two, which is very labor-intensive.

    Finally, in most jurisdictions the preprinted absentee ballots are mailed out accompanied by nested return envelopes: the outer envelope has the voter’s identifying information, and the inner envelope preserves the secrecy of the ballot. This is impractical with print-at-home ballots.

    Thus, election administrators should strongly prefer preprinted optical-scan ballots, mailed to voters with appropriate envelopes; internet download of ballots should be used only as a last resort, and only for those voters for whom it is absolutely necessary.

    *Tampering with oval placement is also possible with officially preprinted optical-scan ballots, but there the attack surface is much smaller. It is still a risk that requires protection, via Risk-Limiting Audits, but not nearly as large a risk as with internet-downloaded ballots.

    • Andrew Appel says:

      And furthermore, even though internet-download-unvoted-PDF-ballot is “lower risk” than the extremely high risk of internet ballot return, Democracy Live does it in a way that severely and needlessly grabs substantial amounts of personal information from the voter. That is unacceptable.