Study finds security holes in online voting for New Jersey and West Virginia (updated)

OmniBallot appears to handle personal data very loosely.


States are under pressure to use online voting for the US presidential election when COVID-19 could remain a threat in November, but those platforms might not be as secure as you’d like. MIT and the University of Michigan have published a report detailing security problems in Democracy Live’s OmniBallot, the voting and ballot delivery system that will be used by some citizens in Delaware, New Jersey and West Virginia. The system apparently takes a number of risks with data, including personal info.

The online vote relies on a “simplistic approach” that isn’t software-independent or verifiable from start to finish, the researchers said. They also lean heavily on third parties like Amazon and Google to host functions. Delaware’s take on the system sends your identity and vote to Democracy Live even if you intend to print and mail your ballot, while all systems send personal info like names, addresses and partial social security numbers. There’s also a chance that even blank ballots could be “misdirected or subtly manipulated” to lead to incorrect vote counts.

The findings led academics to recommend an abundance of caution. They believe people should only mark ballots online through OmniBallot “as a last resort.” You’re better off either sending a physical ballot or to avoid using OmniBallot entirely in favor of conventional voting methods.

We’ve asked Democracy Live for comment. These potential points of failure don’t necessarily guarantee there will be hacking attempts. When many security experts anticipate hacking attempts from Russia and other countries during the 2020 election, though, it’s difficult to completely dismiss concerns — these issues theoretically open the door to manipulation or identity fraud.

Update 6/8 7:40PM ET: Democracy Live had mixed reactions to the report in its response to Engadget. It argued that the researchers “did not find any technical vulnerabilities” in OmniBallot, and that a “secure, federally approved” option is better than emailing ballots or using fax machines. It also stressed that the voting option would mainly be restricted to those with disabilities or others who can’t vote in person, such as military personnel serving outside of the US.

At the same time, the company was receptive to some of the suggestions. It promised a vote verification system for “every future deployment” of its voting system, and that it will “immediately” bring its contracted privacy policies to its ballet portal. Democracy Live is willing to change, then, even if it believes the security risk isn’t as high as claimed.