Researchers say online voting tech used in 5 states is fatally flawed

[Karlston]

Researchers say online voting tech used in 5 states is fatally flawed

Elections in five states have used or plan to use OmniBallot's online voting tech.

Enlarge / Voting machines are shown at a polling location on June 9, 2020 in West Columbia, South Carolina.

Sean Rayford/Getty Images

104 with 49 posters participating, including story author

OmniBallot is election software that is used by dozens of jurisdictions in the United States. In addition to delivering ballots and helping voters mark them, it includes an option for online voting. At least three states—West Virginia, Delaware, and New Jersey—have used the technology or are planning to do so in an upcoming election. Four local jurisdictions in Oregon and Washington state use the online voting feature as well. But new research from a pair of computer scientists, MIT's Michael Specter and the University of Michigan's Alex Halderman, finds that the software has inadequate security protections, creating a serious risk to election integrity.

 

Democracy Live, the company behind OmniBallot, defended its software in an email response to Ars Technica. "The report did not find any technical vulnerabilities in OmniBallot," wrote Democracy Live CEO Bryan Finney.

 

This is true in a sense—the researchers didn't find any major bugs in the OmniBallot code. But it also misses the point of their analysis. The security of software not only depends on the software itself but also on the security of the environment on which the system runs. For example, it's impossible to keep voting software secure if it runs on a computer infected with malware. And millions of PCs in the United States are infected with malware.

 

The issue has particular urgency right now because the ongoing COVID-19 pandemic is forcing election officials to make significant changes to election procedures. Right now, most jurisdictions using the OmniBallot software don't use its "electronic ballot delivery" feature. But enabling the feature would require little more than a configuration change. There's a risk that election officials, under pressure to make remote voting easier, will decide to enable the software's online voting feature for this November's general election.

How OmniBallot works

Experimenting with a live election system would be unethical and likely illegal. Instead, Specter and Halderman obtained a copy of the OmniBallot software, reverse-engineered it, and then created new server software that mimicked the behavior of the real server. This allowed them to experiment with the software without risking interference with a real election.

 

OmniBallot offers a number of different capabilities that state election officials have the option to offer to voters. The most basic is a blank ballot delivery feature that will provide a voter with a PDF ballot that can be printed out and mailed back to the polling place.

 

Jurisdictions can also offer a ballot-marking feature, which will mark a ballot on the voter's behalf before it's printed out. This can enable blind voters to fill out a ballot independently. It can also prevent overvotes (voting for two or more candidates) and warn voters about undervotes (failing to vote in a race).

 

But Specter and Halderman argue that this capability comes with some added risks. Malicious software could be programmed to switch votes some fraction of the time. Theoretically, voters are supposed to check that the votes are correct before mailing in their ballot, but research suggests voters are lax about doing so. One study by Halderman and others found that only 6.6 percent of voters in a realistic mock election reported a changed vote to election supervisors.

 

By default, the software generates the marked ballot PDF on an OmniBallot server, not on the user's own device. This creates an unnecessary risk to the privacy of the voter's ballot, Specter and Halderman argue, since it means that Democracy Live gets an unnecessary copy of the voter's votes.

 

Fortunately, Democracy Live also offers an option for client-side ballot marking. Andrew Appel, a computer scientist at Princeton, told Ars that this option was added at the insistence of California officials who objected to server-side ballot marking. When this option is chosen by election administrators, the ballot is marked on the user's own device, without sharing the data with Democracy Live's servers. The computer scientists recommend that all jurisdictions using OmniBallot's ballot marking feature switch to the client-side version of the software.

The problems with online voting

While there are some security concerns with ballot-marking software, the researchers say that these problems pale in comparison to security vulnerabilities of OmniBallot's "electronic ballot delivery" system.

 

The fundamental problem is that the complexity and opacity of online voting systems creates numerous opportunities for a hacker to tamper with a ballot during the submission process. Malware on the client device could modify the ballot before it's transmitted to Democracy Live's servers. OmniBallot is built on Amazon Web Services using JavaScript libraries delivered by Google and Cloudflare. So hackers or malicious insiders at any of these companies could potentially alter ballots if they had access to one of these companies' systems.

 

And the nature of online voting means there's no reliable way for a voter to verify that a ballot was transmitted correctly. Software engineers have developed theoretical designs for voting systems with end-to-end security. These systems use sophisticated cryptography to enable voters to cryptographically verify that their vote has been counted correctly. But Democracy Live doesn't do anything like that. In their paper, Specter and Halderman describe how an attacker could exploit the lack of end-to-end verification.

 

"The web app would show a ballot containing the selections the voter intended, but the ballot that got cast would have selections chosen by the attacker," they write. "The attack would execute on the client, with no unusual interactions with Democracy Live, so there would be no way for the company (or election officials) to discover it."

Auditing doesn’t fix the problem

Democracy Live conducts post-election audits using Amazon's AWS CloudTrail software to verify that no Democracy Live employees abused their access to company servers. These checks could detect some forms of election tampering, but Specter and Halderman point out that they are far from foolproof.

 

These methods wouldn't detect any attacks executed from the client side. If malware on a user's PC modified the user's ballot before sending it to Democracy Live's servers, that wouldn't show up in the CloudTrail logs. If someone with access to Google or Cloudflare servers delivered malicious JavaScript libraries to OmniBallot users, that wouldn't show up in AWS logs. Someone with administrative access to Amazon's servers might be able to modify Democracy Live's software in a way that wouldn't show up in the logs.

 

Of course, most of these attacks wouldn't be trivial to pull off. Google, Amazon, and Cloudflare are three of the most sophisticated software companies in the world and take elaborate precautions to defend their systems. The audit I linked to above is from an election for the King County Conservation District. It's farfetched that anyone would go to so much trouble to attack such a low-stakes election.

 

But sophisticated attacks would become far more plausible if the software were used to elect members of Congress and even the president. In that case, we can imagine foreign governments like Russia or China being willing to invest significant resources to compromise election results in a way that's difficult to detect. We don't know the full extent of these countries' offensive capabilities, of course. But it's reasonable to think that they'd be able to compromise OmniBallot's software in ways that wouldn't be revealed in a post-election audit.

 

To be fair to Democracy Live, the issues the researchers highlighted aren't unique to the OmniBallot software. Rather, there's an overwhelming consensus among computer security experts that Internet-based voting is a bad idea in general. Halderman and Specter cite a 2018 report from the National Academies of Sciences, Engineering, and Medicine that found that "no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet."

 

States face pressure over online voting

Most states have heeded the experts' warnings and shied away from online voting. But a few have pushed forward, drawing the ire of computer security researchers in the process.

 

One area of active conflict is New Jersey, where Princeton University is located. The university is the home of several computer scientists who have studied the security of voting systems. Halderman got his PhD from Princeton. Appel, a Princeton professor, has been locked in litigation with the state for more than a decade over security problems with electronic voting machines. (I studied under Appel and worked with Halderman as a Princeton grad student between 2008 and 2011.)

 

Way back in 2004, Appel sued the state of New Jersey over its use of electronic voting machines Appel argued were insecure. As part of a 2010 settlement in that case, the state promised not to connect any voting machine to the Internet.

 

"As long as computers, dedicated to handling election matters, are connected to the Internet, the safety and security of our voting systems are in jeopardy," Judge Linda Feinberg wrote in a 2010 order.

 

So when New Jersey announced plans to use Democracy Live's online voting feature last month for some local school board elections, they were sued again for violating the order.

Jersey changes its mind

The state has now backed down from plans to use the technology in New Jersey's July primary. In a Monday phone interview with Ars Technica, a spokeswoman for New Jersey Secretary of State Tahesha Way said the state hadn't started talking publicly about what voting technology it would use for the general election in November.

 

In an email to Ars Technica, Christine Walker, an election official in Jackson County, Oregon, described her jurisdiction's use of the OmniBallot electronic return feature as a "pilot program" and stressed that it was offered only to military voters stationed overseas.

 

"I understand and share the security concerns of any new technology and will continue to collaborate at the highest level to ensure that all US Citizens who qualify to vote have the opportunity to access their ballot and that their vote will be counted," Walker wrote.

 

We emailed officials in Delaware and West Virginia, the two other states that have announced plans to use OmniBallot's online voting technology. We didn't get a response.

Email and fax aren’t great either

Democracy Live CEO Bryan Finney argues that its online voting software isn't necessarily less secure than sending ballots over email or using a fax machine—two other techniques some states use for overseas military voters. For example, Kim Lindell, a spokeswoman for Umatilla County, Oregon, told Ars by email that the county is offering Democracy Live's software as an additional way for service members to return their ballots alongside email and fax.

 

Halderman and Specter don't necessarily dispute the point that OmniBallot is no worse than email and fax. But they draw the opposite conclusion: that states should stop using all of these methods and require military service members to return their ballots using paper mail. An email client is just as vulnerable to malware as the OmniBallot software is. Hackers could also compromise email infrastructure to modify ballots in transit.

 

Modern fax connections are often routed over the Internet, with the contents unencrypted at the level of the fax transmission.

 

Halderman points out that many jurisdictions require overseas ballots to be submitted in paper form. Specter and Halderman argue that OmniBallot is a good way to help service members get their blank ballots, which cuts the round-trip time for voting by mail in half. But they urge states to require service members to submit their completed ballots in paper form, extending deadlines as necessary to make sure their votes are counted.

States need to move quickly

The pair also urges state election officials to start working as soon as possible to prepare for an increased volume of voting by mail.

 

"Vote by mail is the most secure means we have of doing remote voting," Halderman said in a Tuesday video interview. "It's well-understood and reasonably safe, but it requires precautions."

 

Voting by mail is less secure than voting in a physical polling place because it exposes voters to potential coercion by abusive spouses, nursing-home care workers, and others. A vote-by-mail system needs to be designed carefully to minimize such risks. Still, the researchers say, voting by mail is dramatically more secure than voting online. The problem is that most states don't have experience running an election where a large fraction of votes are cast by mail. They'll have to do a lot of work to prepare for a possible flood of absentee ballots this November.

 

Finally, the researchers argue that states should implement automatic risk-limiting audits for all elections. This is a statistical technique that allows election officials to verify an election's outcome by examining a random sample of paper ballots. By examining more ballots in closer races, the technique provides strong confidence in election outcomes at minimal cost.

 

"Election officials need to be ready for disinformation and accusations the vote was rigged," Halderman said in a Tuesday video interview. "Because a lot of our election system is not engineered around the idea of generating evidence of correctness, it may be hard to directly counter accusations of failure or impropriety."

 

But it's only possible to conduct a meaningful audit when election officials have paper ballots that were marked by the voter. If a state allows voters to vote over the Internet, there will be no good way to verify the integrity of the results.

 

 

Researchers say online voting tech used in 5 states is fatally flawed

 

[Edion Gecos]

This is just the thin tip of the massive iceberg! 

US "democracy" is such a farce, it's not even funny anymore. 

It is all by design to keep the will of the people under the rug - or, dare we say, under the suffocating knee of the oligarchic duopoly-party elites!
 

There was so much shady business in the 2016 DNC primaries and repeated this time in 2020, it's difficult to put all of it in one post. I can guarantee that whatever you think you know of what happened, it was much worse!
The only solution is directly marked paper ballots that are hand-counted in public. 

 

*) Machine counts of elections are widely considered by election experts to be highly vulnerable to fraudulent manipulation of the vote. This has been known for years, but now newer machines used in many states for this election season as a new "feature" have wireless internet access to make election rigging and vote flipping even easier as you don't need physical access to the machines anymore to switch out code!
Courtroom Testimony on Rigged Voting Machines:
https://www.youtube.com/watch?v=rVmsaDS_FwY

Electronic Voting Machine hacked:
https://www.youtube.com/watch?v=rYnUksWt5HQ

*) The machines that count the votes are owned by private corporations that have, without obvious exception, refused to allow their machines to be inspected and evaluated by election integrity organizations. In defense of these refusals, the election machine owners claim their machines are “proprietary”, meaning simply that they are the owners and therefore nobody has the right to inspect them. The refusal of the election machine owners to have their machines inspected and evaluated in this way has routinely held up in court, for reasons that I cannot fathom. In other words, I cannot fathom how a nation that calls itself a Democracy can allow their votes to be counted by machines that cannot be evaluated for their trustworthiness.

 

*) Other than in many countries, within the United States, exit polls are never used for the purpose of monitoring the integrity of their elections (according to the UN, a discrepancy of more than 2-3% is highly suspicious and the US would send troops into other countries if that happens, but in the US itself - see the Democratic Primary in 2016 and 2020 as example - they routinely have a discrepancy of 10-15% and more!). Here the exit polls are solely used for the purpose of calling elections early. Indeed, many U.S. elections have been called before a single vote has been recorded, on the basis of exit polls alone. Exit polls in the US are also routinely used for the purpose of characterizing voter preference by various demographic (age, race, sex, etc.) or other voter characteristics (income, education, beliefs, etc.).
It is important to note that these exit polls, when reported for public consumption, are routinely “adjusted” so that the exit poll results match the official results. There are two major, somewhat contradictory explanations given for these “adjustments”. The benign explanation assumes the official vote count to be correct and argues: if the presentation of exit polls radically differs from the official vote count it would confuse the general public. The more cynical explanation is that the “adjustments” are made to hide the disparities between exit polls and official vote counts from the public in order to prevent arousing suspicions of election fraud.

 

Also these:
The "Democracy Lost" report by independent non-partisan Election audit organization ElectionJusticeUSA:
https://drive.google.com/file/d/0B5O9I4XJdSISNzJyaWIxaWpZWnM/view

 

Epidemic 2020 Election Fraud Again:
https://zacherydtaylor.blogspot.com/2020/03/epidemic-2020-election-fraud-again.html

 

Is the DNC cheating? Again?:
https://www.nationofchange.org/2020/03/13/is-the-dnc-cheating-again/

 

Super Tuesday Biden Victories Questioned by Election Watchers:
https://soapboxie.com/us-politics/Super-Tuesday-Biden-Victories-Questioned-by-Election-Watchers