The OmniBallot, which is a product of Seattle-based tech firm Democracy Live, purports to offer "secure, accessible remote balloting for all voters" and is being used by state or county governments in Oregon, Washington, Colorado, Ohio, Florida, New Jersey and West Virginia. The company developed a number of contracts for limited Internet voting pilot programs with states earlier this year, after COVID-19 threatened to disrupt primary elections nationwide.
These programs are fairly limited in scope and largely focus on overseas voters and the disabled. However, computer science researchers say what the company really offers is an insecure platform.
The recently published report from professors Michael J. Specter, of MIT, and J. Alex Halderman, of the University of Michigan, states that the company "uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter’s device and by insiders or other attackers who can compromise Democracy Live, Amazon, Google, or Cloudflare [its partners]."
Specifically, the report claims the company has failed to provide an auditable paper trail for the electronically cast ballots. As with all electronic voting, a verifiable document of the voter's choice is always a good idea, experts argue, in the event that results need to be verified.
"At worst, attackers could change election outcomes without detection, and even if there was no attack, officials would have no way to prove that the results were accurate," the researchers said.
Despite the fact that computer scientists have long been critical of online voting as a concept, governments and technology companies have continued to show interest.
Specter and Halderman's report doubles down on the notion that online voting can never really be secure, quoting another study from the National Academies of Sciences, Engineering, and Medicine, which states that "no known technology guarantees the secrecy, security and verifiability of a marked ballot transmitted over the Internet."
In an email, Democracy Live President Bryan Finney noted that while there were some constructive criticisms in the report, the company's system has "never been compromised" and that the OmniBallot has been thoroughly tested by security researchers.
"The OmniBallot system was developed using ballot delivery and online ballot marking requirements specified under a U.S. Department of Defense funded ballot delivery program," said Finney. "The system and all ballots are hosted in the AWS federally-approved (Fedramp) cloud. In over a decade of deployments, the system has never been compromised."
"Shift State Security, led by a team of former FBI Cybersecurity agents, reviewed all third party penetration conducted on OmniBallot. Shift State has stated that no testing of OmniBallot resulted in compromise of the OmniBallot system," he added.