August 6, 2020

Democracy Live internet voting: unsurprisingly insecure, and surprisingly insecure

The OmniBallot internet voting system from Democracy Live finds surprising new ways to be insecure, in addition to the usual (severe, fatal) insecurities common to all internet voting systems.

There’s a very clear scientific consensus that “the Internet should not be used for the return of marked ballots” because “no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet.” That’s from the National Academies 2018 consensus study report, consistent with May 2020 recommendations from the U.S. EAC/NIST/FBI/CISA.

So it is no surprise that this internet voting system (Washington D.C., 2010) is insecure, and this one (Estonia 2014) is insecure, and that internet voting system is insecure (Australia 2015), and this one (Scytl, Switzerland 2019), and that one (Voatz, West Virginia 2020).

A new report by Michael Specter (MIT) and Alex Halderman (U. of Michigan) demonstrates that the OmniBallot internet voting system from Democracy Live is fatally insecure. That by itself is not surprising, as “no known technology” could make it secure. What’s surprising is all the unexpected insecurities that Democracy Live crammed into OmniBallot, and the way that Democracy Live skims so much of the voter’s private information.

OmniBallot has three modes of use: (1) internet download of unvoted absentee ballots to print at home and mark by hand; (2) using the voter’s home computer to mark ballot selections, for printing ballots at home to be mailed back; and (3) “online voting,” which is the internet return of voted ballots as PDF files.

OmniBallot’s online voting feature (internet return of voted ballots as PDF files) “uses a simplistic approach” and “as a result, votes returned online can be altered, potentially without detection, by a wide range of parties,” including either insiders or hackers. Not surprising: this is the standard insecurity of online voting systems: hackers can steal votes (in a “scalable” way, according to the EAC/NIST/FBI/CISA report).

Surprise! Insiders at any of four private companies (Democracy Live, Google, Amazon, Cloudflare), or any hackers who manage to hack into these companies, can steal votes. That’s because Democracy Live doesn’t run its own servers: it uses all of these services in building its own product. Well, in hindsight, not so surprising; this is the way modern internet services work.

OmniBallot has a mode of use in which the voter uses her home computer to mark a ballot, then print that ballot as an optical-scan absentee ballot to be mailed in. In this mode it appears that the voter’s ballot selections (votes) are not being sent over the internet. Surprise! Even in this mode of use, the OmniBallot system “send[s] the voter’s identity and ballot selections to Democracy Live” (and Amazon). 

Not a surprise: Even when OmniBallot is used only for downloading unvoted absentee ballots to print at home and mark by hand, “there are important security and privacy risks …  including the risk that ballots could be … subtly manipulated in ways that cause them to be counted incorrectly.” It’s well understood that a hacker could alter the PDF file to rearrange where the fill-in-the-ovals are, so an optical-scanner would count a vote for Smith as a vote for Jones. I’ll discuss this further in the comments below.

And finally, Surprise! “In all modes of operation, Democracy Live receives a wealth of sensitive personally identifiable information: voters’ names, addresses, dates of birth, physical locations, party affiliations, and partial social security numbers. When ballots are marked or returned online, the company also receives voters’ ballot selections, and it collects a browser fingerprint during online voting. This information would be highly valuable for political purposes or for election interference, as it could be used to target ads or disinformation campaigns based on the voter’s fine-grained preferences. Nevertheless, OmniBallot has no posted privacy policy, and it is unclear whether there are any effective legal limitations on the company’s use of the data.”

This is shocking: it’s bad enough that companies like Cambridge Analytica gathered huge amounts of personal information on individual voters for the purposes of microtargeting disinformation; they took that data from people who made the mistake of signing up for Facebook. But the citizen who just wants to exercise their right to vote is in a different position: for the State to force that voter to surrender personally identifying data to a private company, with no apparent restrictions on its use, goes beyond even the Facebook scandal. No state should participate in such a scheme.

Emergency Motion to Stop Internet Voting in NJ

with Penny Venetis

On May 4th, 2020 a press release announced that New Jersey would allow online voting in a dozen school-board elections scheduled for May 12th. On May 11, the Rutgers International Human Rights Clinic filed an emergency motion to stop internet voting in New Jersey. During a conference on May 18 with Superior Court Judge Mary Jacobson, the State notified the court that it had abandoned its plans to use internet voting for the upcoming July 7 primary election.

The Clinic, led by Rutgers Law School professor Penny Venetis, argued that the Democracy Live online voting system (that New Jersey planned to use) violated a broad court order issued in March 2010 by Judge Linda Feinberg. That order was issued in the Clinic’s case Gusciora v. Corzine, which challenged paperless voting machines as unconstitutional.

The March 2010 court order stated clearly and unequivocally that no part of any New Jersey voting system could be connected to the internet, under any circumstance. New Jersey has a continuing obligation to ensure that the order is followed, and that all voting-related software is “hardened” on a regular basis.

Democracy Live’s voting portal permits voters to transmit their cast ballot, via the internet, to county election officials, for tabulation. Despite the state’s assertions to the contrary, it is an internet-based system that violates the 2010 order in Gusciora. Princeton Professor Andrew Appel filed a certification (for the emergency motion) discussing the overwhelming scientific consensus that internet-based voting is insecure. The IHR Clinic also provided the court with scientific reports, a US Department of Homeland Security report, and a letter from the US House of Representatives Homeland Security Committee. Those documents all discussed the insecurity of the Democracy Live system (or any system with online ballot return). Susan Greenhalgh of Free Speech for People participated in negotiations with the State. The Washington Post covered the lawsuit favorably on May 14th. Common Cause, the Brennan Center, and Verified Voting wrote New Jersey Governor Phil Murphy on May 15th, in support of the IHR Clinic’s position.

In the hearing on May 18th with Judge Jacobson, the State agreed not to use online voting in the July 7th primary elections, but did not commit to abandoning Democracy Live’s online portal for the November 2020 Presidential election.

Judge Jacobson ordered the IHR Clinic and the NJ Attorney General’s office to file a joint document by June 8, 2020 that lays out the resolution of the May 11th court filing. As a result, the court will keep the IHR Clinic’s matter open, in the event it needs to issue a ruling to enforce the 2010 order that bans internet use for voting in New Jersey.

Fair Elections During a Crisis

Even before the crisis of COVID-19, which will have severe implications for the conduct of the 2020 elections, the United States faced another elections crisis of legitimacy: Americans can no longer take for granted that election losers will concede a closely fought election after election authorities (or courts) have declared a winner.

Along with two dozen other scholars (in Tech, Law, Political Science, and Media), I joined an ad-hoc working group convened by Professor Rick Hasen of the U.C. Irvine Law School, to make recommendations on steps that American election administrators (and others) can take this year to deal with these two overlapping crises. Our report has just been released:

Fair Elections During a Crisis: Urgent Recommendations in Law, Media, Politics, and Tech to Advance the Legitimacy of, and the Public Confidence in, the November 2020 U.S. Elections.

We make 14 specific recommendations. In Law: regarding absentee ballots, emergency plans, COVID-19, vote-counting dispute-resolution protocols. Media: how media can provide accurate information to voters about the election process, expectations for timing of election results (slower this year than before). Politics and Norms: Funding for COVID-19 costs, bipartisan Election Crisis Commission, principles for fair elections, responsibilities of social media. Tech: paper ballots and audits, resilient election infrastructure, .gov domains for election officials, monitoring and auditing of voter-registration databases.