An online ballot delivery and voting service called OmniBallot has security weaknesses on several levels, according to a research paper published Sunday by computer scientists from MIT and the University of Michigan. The paper, first reported on by The New York Times, says software maker Democracy Live leaves ballots vulnerable to manipulation, collects sensitive voter information and fails to control marked ballots as they travel across the internet.
As a result, the company can't verify there has been no manipulation along the way, the paper concludes.
The findings don't include specific software vulnerabilities, but instead conclude that the process for delivering ballots and receiving back votes could be too easily manipulated. One source of weakness comes from the software's reliance on third-party software and services from companies including Amazon, Google and Cloudflare, which Democracy Live doesn't control.
"We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter's device and by insiders or other attackers who can compromise Democracy Live, Amazon, Google, or Cloudflare," researchers said in the paper.
Finally, Democracy Live emphasized that its technology was designed for people with disabilities, for whom holding, reading and marking a paper mail-in ballot may not be an option.
"No technology is bulletproof," Democracy Live CEO Bryan Finney told The New York Times. "But we need to be able to enfranchise the disenfranchised."
The research highlights the problems surrounding online voting, which cybersecurity experts and the US Department of Homeland Security say presents a high risk for hacking and manipulation. The findings also come at a time of heightened debate over voting by mail and the best way to handle elections while minimizing the spread of COVID-19. Voter fraud is very rare in the United States, including in states that run elections entirely with vote-by-mail ballots. While there have been some examples of fraud schemes carried out with vote-by-mail ballots, these are typically noticeable and easy to catch, experts have found.
Three states recently said they would use OmniBallot.
The researchers were able to find URLs for voting services in seven states and 98 smaller localities within 11 additional states, including a county conservation district in the state of Washington previously reported to have used an .
The kinds of voters who can access online ballots vary from state to state. Groups that can use the online voting system can include people who are overseas, people with disabilities or people who are sheltering in place due to the coronavirus pandemic.
OmniBallot works on voters' web browsers, the researchers found. Voters verify their identities and receive a PDF of their ballot. Depending on their location, voters may be able to either print a blank ballot, mark the ballot electronically and then print it to fax it or mail it in, or mark the ballot and then submit it online.