1/ In a new research paper today, @MSpecter and I perform the first public, independent analysis of the security and privacy risks of Democracy Live's OmniBallot online voting platform.

Full paper:
internetpolicy.mit.edu/omniballot

Advice for voters:
internetpolicy.mit.edu/omniballot-adv…
2/ OmniBallot is a web-based platform that can be used in three ways:
1) Voters can download blank ballots to print, hand mark, and mail in.
2) Voters can mark ballots online and return them by mail, email, or fax.
3) In some states, voters can cast votes entirely online.
3/ Many jurisdictions use it for ballot delivery and accessible ballot marking, but a few states are now using it for online voting (“electronic ballot return”).
4/ For instance, Delaware allowed practically any voter to vote online in today's primaries. West Virginia is allowing online voting in Tuesday’s primaries for overseas military voters and voters with disabilities, and New Jersey is considering using it in November.
5/ States are adopting OmniBallot for laudable reasons: to help overseas voters, voters with disabilities, and those who can't safely go to the polls due to COVID-19.

But, as we learned in 2016, elections face serious security threats. That's especially true for online voting.
6/ The overwhelming scientific consensus is that online voting cannot be secured with available technology. The National Academies and the Senate Intelligence Committee both urge against using it, even for military voters.

nap.edu/catalog/25120/… intelligence.senate.gov/sites/default/…
7/ Moreover, researchers have found severe security flaws in online voting implementations used or proposed for use in Australia, Switzerland, Norway, Estonia, Russia, West Virginia, and Washington, D.C.

Is Democracy Live's system safe?
8/ To find out, we reverse-engineered the OmniBallot client used in Delaware. We only accessed resources that were available to the general public, and at no point did we attempt to log in as a real voter or cast a ballot in the election.

Here's what it looked like to voters:
9/ What we found:

(1) OmniBallot's design is overly simple, and ignores 30 years of research about building E2E-verifiable online voting. The voter's identity and ballot choice are just sent to a server in Amazon's cloud, which generates a ballot that officials can download.
10/ As a result, there's no way for voters, officials, or Democracy Live to be sure votes aren't modified. Client-side malware or browser extensions could invisibly change votes. So could insiders or attackers who infiltrate Democracy Live, Amazon, Google, or Cloudflare.
11/ (2) Democracy Live receives sensitive data, incl. the voter's identity, ballot choices, and a browser fingerprint. These could be used to track voters on the web and target ads or disinformation based on their real votes, yet OmniBallot doesn't have a public privacy policy.
12/ (3) In Delaware and WV, ballot marking works by sending the voter’s identity and ballot selections to Democracy Live, even when the voter opts to print the ballot and return it by mail. It could easily be done client-side, so this is an unnecessary security and privacy risk.
13/ (4) There are important risks even when OmniBallot is used only for delivering blank ballots, including the risk that ballots could be misdirected or subtly manipulated in ways that cause them to be counted incorrectly.
14/ We offer several recommendations to help election officials reduce these risks while continuing to serve the important access needs of their constituents:
15/ (a) Discontinue online voting. No readily available defense can adequately mitigate the risks of OmniBallot's electronic return mechanism.
16/ (b) Reserve online marking for voters who need it. Although online marking is critical for some disabled voters, it carries higher risks and becomes an attractive target when widely used. Marked ballots should always be printed and physically returned.
17/ To reduce security and privacy risks for voters who do need online marking, ballots should be generated locally in the browser, using client-side code. Democracy Live already offers this option in California and some other localities.
18/ (c) All voters should avoid emailing or faxing back their ballots. The only way to have a voter-verified paper trail is to print the ballots, carefully review them, and return them physically, by mailing them or dropping them off.
19/ (d) However ballots are returned, states should require that Democracy Live adopt an enforceable privacy policy that prohibits using voters’ information for any purpose unrelated to servicing their ballots.
20/ (e) States should also require public, independent security analysis before considering online voting systems. Without such analysis, voters and officials will be unable to accurately weigh the tradeoffs between risk and access.
21/ There’s much more in our full paper: internetpolicy.mit.edu/omniballot
22/ Bottom line: OmniBallot's ballot delivery and marking can be valuable tools for helping voters participate *if* officials take precautions we suggest. Online voting, however, is a severe danger to election integrity and privacy, and we urge jurisdictions not to deploy it.
23/ What we recommend for OmniBallot voters:

If you can, print a blank ballot, mark it, and mail it/drop it off.
If you need to mark online, double check that your printed ballot is marked correctly.

Avoid email/online return if possible.

More here: internetpolicy.mit.edu/omniballot-adv…
Keep Current with J. Alex Halderman
