Bad security design mars OmniBallot online voting system, report says

Several states and localities are customers of the online voting service, according to researchers from MIT and the University of Michigan.

Laura Hautala Former Senior Writer

A worker disinfects a voting booth at a polling station specially equipped to deal with the coronavirus pandemic in Baltimore for a special election in April. The pandemic has some states expanding online voting access, but researchers said Sunday the program used was not secure enough.

An online ballot delivery and voting service called OmniBallot has security weaknesses on several levels, according to a research paper published Sunday by computer scientists from MIT and the University of Michigan. The paper, first reported on by The New York Times, says software maker Democracy Live leaves ballots vulnerable to manipulation, collects sensitive voter information and fails to control marked ballots as they travel across the internet.

As a result, the company can't verify there has been no manipulation along the way, the paper concludes.

The findings don't include specific software vulnerabilities, but instead conclude that the process for delivering ballots and receiving back votes could be too easily manipulated. One source of weakness comes from the software's reliance on third-party software and services from companies including Amazon, Google and Cloudflare, which Democracy Live doesn't control.

"We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter's device and by insiders or other attackers who can compromise Democracy Live, Amazon, Google, or Cloudflare," researchers said in the paper.

Additionally, the researchers didn't find a privacy policy explaining how Democracy Live would protect users' identities, votes and technical data that can identify them online.

In response to the report, Democracy Live told CNET it plans to make its privacy policy available on its ballot portal for voters to see. Democracy Live will also offer a vote verification tool in all future deployments of its system. The company also said that, while the researchers say voters shouldn't be given the option to return marked ballots electronically, the majority of states require vendors like Democracy Live to provide this option. The OmniBallot electronic return system is more secure than using email attachments or a fax system to return ballots, which are other options voters are given, the company said.

Finally, Democracy Live emphasized that its technology was designed for people with disabilities, for whom holding, reading and marking a paper mail-in ballot may not be an option.

"No technology is bulletproof," Democracy Live CEO Bryan Finney told The New York Times. "But we need to be able to enfranchise the disenfranchised."

The research highlights the problems surrounding online voting, which cybersecurity experts and the US Department of Homeland Security say presents a high risk for hacking and manipulation. The findings also come at a time of heightened debate over voting by mail and the best way to handle elections while minimizing the spread of COVID-19. Voter fraud is very rare in the United States, including in states that run elections entirely with vote-by-mail ballots. While there have been some examples of fraud schemes carried out with vote-by-mail ballots, these are typically noticeable and easy to catch, experts have found.

Three states recently said they would use OmniBallot.

The researchers were able to find URLs for voting services in seven states and 98 smaller localities within 11 additional states, including a county conservation district in the state of Washington previously reported to have used an online voting system to boost voter turnout.

The kinds of voters who can access online ballots vary from state to state. Groups that can use the online voting system can include people who are overseas, people with disabilities or people who are sheltering in place due to the coronavirus pandemic.

OmniBallot works on voters' web browsers, the researchers found. Voters verify their identities and receive a PDF of their ballot. Depending on their location, voters may be able to either print a blank ballot, mark the ballot electronically and then print it to fax it or mail it in, or mark the ballot and then submit it online.
