The OmniBallot internet voting system from Democracy Live finds surprising new ways to be insecure, in addition to the usual (severe, fatal) insecurities common to all internet voting systems.
There’s a very clear scientific consensus that “the Internet should not be used for the return of marked ballots” because “no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet.” That’s from the National Academies 2018 consensus study report, consistent with May 2020 recommendations from the U.S. EAC/NIST/FBI/CISA.
So it is no surprise that this internet voting system (Washington D.C., 2010) is insecure, and this one (Estonia 2014) is insecure, and that internet voting system is insecure (Australia 2015), and this one (Scytl, Switzerland 2019), and that one (Voatz, West Virginia 2020).
A new report by Michael Specter (MIT) and Alex Halderman (U. of Michigan) demonstrates that the OmniBallot internet voting system from Democracy Live is fatally insecure. That by itself is not surprising, as “no known technology” could make it secure. What’s surprising is all the unexpected insecurities that Democracy Live crammed into OmniBallot–and the way that Democracy Live skims so much of the voter’s private information.
OmniBallot has three modes of use: (1) internet download of unvoted absentee ballots to print at home and mark by hand; (2) using the voter’s home computer to mark ballot selections, for printing ballots at home to be mailed back; and (3) “online voting,” which is the internet return of voted ballots as PDF files.
OmniBallot’s online voting feature (internet return of voted ballots as PDF files) “uses a simplistic approach” and “as a result, votes returned online can be altered, potentially without detection, by a wide range of parties,” including either insiders or hackers. Not surprising: this is the standard insecurity of online voting systems: hackers can steal votes (in a “scalable” way, according to the EAC/NIST/FBI/CISA report).
Surprise! Insiders at any of four private companies (Democracy Live, Google, Amazon, Cloudflare), or any hackers who manage to hack into these companies, can steal votes. That’s because Democracy Live doesn’t run its own servers–it uses all of these services in building its own product. Well, in hindsight, not so surprising–this is the way modern internet services work.
OmniBallot has a mode of use in which the voter uses her home computer to mark a ballot, then print that ballot as an optical-scan absentee ballot to be mailed in. In this mode it appears that the voter’s ballot selections (votes) are not being sent over the internet. Surprise! Even in this mode of use, the OmniBallot system “send[s] the voter’s identity and ballot selections to Democracy Live” (and Amazon).
Not a surprise: Even when OmniBallot is used only for downloading unvoted absentee ballots to print at home and mark by hand, “there are important security and privacy risks … including the risk that ballots could be … subtly manipulated in ways that cause them to be counted incorrectly.” It’s well understood that a hacker could alter the PDF file to rearrange where the fill-in-the-ovals are, so an optical-scanner would count a vote for Smith as a vote for Jones. I’ll discuss this further in the comments below.
This is shocking: it’s bad enough that companies like Cambridge Analytica gathered huge amounts of personal information on individual voters for the purposes of microtargeting disinformation–they took that data from people who made the mistake of signing up for Facebook. But the citizen who just wants to exercise their right to vote–for the State to force that voter to surrender personally identifying data to a private company with no apparent restrictions on its use–goes beyond even the Facebook scandal. No state should participate in such a scheme.