The First State started piloting a new internet-based voting system this presidential primary. Elections officials quietly dropped the system last week in response to security concerns, as absentee ballots continue to roll in.
Delaware is seeing record absentee voting this presidential primary, which was rescheduled for July 7 because of the pandemic. Any voter who is social distancing, whether or not they have the virus, may vote absentee. Until last Thursday, they could all mark and return their ballots digitally through the internet-based OmniBallot voting system the state was piloting. It was touted as more accessible for some disabled voters.
But cybersecurity experts raised additional concerns about the system made by the Seattle-based company Democracy Live during Delaware’s pilot.
A report by MIT and University of Michigan researchers last week concluded that using OmniBallot for electronic ballot return poses a “severe risk” to election security. The researchers reverse engineered the client-side portion of OmniBallot, as used in Delaware, to analyze its security.
They found the system vulnerable to vote manipulation by malware on the voter’s device and by “insiders” or other attackers that might compromise Democracy Live, Amazon, Google, or Cloudflare— third party entities involved in the system.
They also found concerns with voter data privacy. Democracy Live receives sensitive personal information, such as the voter’s identity, ballot selections and browser fingerprint, which the researchers argue could be used to target political ads or disinformation campaigns. This data is collected when voters mark their ballots digitally in the system, regardless of whether they return them through the system or by mail, email or fax, which OmniBallot also allows.
The MIT report also found issues with whether a hack of the system could be detected.
“There isn’t any way for voters, Democracy Live or even election officials to confirm for sure that the vote the voter tries to cast is the same as what’s received and counted by election officials,” said University of Michigan researcher J. Alex Halderman, one of the authors, in an interview Tuesday.
The MIT report is not the first to raise concerns about the security of internet-based voting in general. A federal report to states in early May also recommended paper ballot return over electronic return, calling electronic ballot return technologies “high-risk even with controls in place.”
Delaware election officials decided to drop the OmniBallot pilot days after the MIT report was released over concerns about trust in the system.
“We have had no problems with the system,” said State Election Commissioner Anthony Albence Tuesday. “We have confidence in the system, but we want everyone to be fully confident in anything that we do.”
Albence says the Department of Elections is now using an in-house system to send out absentee ballots electronically to voters who request that option.
Voters will then need to print the ballot and physically mark it. They can return it by mail or email. Those who return it by email are encouraged to use the state’s encryption tool, called the Egress Switch.
Albence argues that returning ballots by email is more transparent for voters than returning them through the OmniBallot system.
“I think they feel that they have more control over that process, because they’re taking the ballot, they’re marking it themselves, they’re attaching it— they can visibly see what’s going on in terms of the email attachment,” he said.
Albence claims people can feel secure with the Egress encryption option, which he describes as “very high level encryption” and “very high quality.”
Halderman, the cybersecurity expert, disagrees. “That's not necessarily any more secure than what they were using before,” he said in an email.
Halderman’s recent report said Egress is “effectively serving as a second Internet voting platform, with broadly similar risks to OmniBallot’s online return mode,” including centralization of voted ballots and a reliance on large tech companies for infrastructure.
“Egress appears to be hosted in Microsoft’s cloud and to store encrypted messages in Amazon S3 servers located in the U.K.,” the report reads. “Routing domestic voters’ ballots through a foreign jurisdiction may weaken the legal protections surrounding ballot secrecy and exposes voters to a greater risk of surveillance or other attacks by a foreign government.”
With the end of the OmniBallot pilot, Delaware voters no longer have the option of marking their ballots digitally, which is more accessible to some voters with disabilities. Having to rely on another person to mark and return a ballot can compromise the integrity and secrecy of a disabled person’s vote.
“If Democracy Live wasn’t ready for ‘prime time,’ it is really unfortunate that it was promoted and adopted as an access solution for people with disabilities,” said University of Delaware Center for Disabilities Studies Director Beth Mineo in an email Tuesday.
Still, Mineo emphasizes the importance of security.
“While the disability community is eager to see access barriers eliminated from the voting process, we can’t afford to sacrifice the security of that process,” she said. “I can’t help but think, though, that if there were a genuine will to figure out how to make electronic balloting work, we would have done it by now.”
Mineo says for the primary and general elections this fall the state will need to be “hyper-vigilant” about addressing access barriers, as in-person voting may be especially problematic for those with compromised immune systems. She notes the best time to develop solutions is not in “the final months of a highly contentious election season,” but says the Center for Disabilities Studies would be “happy” to be part of the solution.
Roughly 46,300 voters have requested absentee ballots for Delaware's presidential primary so far — nearly ten times the number who voted absentee in the 2016 presidential primary, according to the Department of Elections.