As the 2020 US presidential election draws nearer, concern is beginning to mount over the potential threat of vote manipulation. Alarm over vote manipulation was once again raised after OmniBallot, an online voting system, was found to be riddled with a host of security risks according to the findings of a recent research paper by Massachusetts Institute of Technology (MIT) and the University of Michigan computer scientists.
The research paper, which hit the press on June 7, revealed that OmniBallot’s designer Democracy Live leaves the ballots that it processes susceptible to vote manipulation. What’s more, the researchers found that Democracy Live actively collects sensitive voter information and does not ensure adequate protection of the information while online.
As a result, according to the paper, the online voting system runs the risk of providing easy pickings for sophisticated cybercriminals—especially those using ransomware—one that is only exacerbated by the fact that no technology currently exists to mitigate the risks in question.
OmniBallot: Background and use
The three US states of Delaware, West Virginia, and New Jersey have recently announced their intention to allow residents to cast their votes online using OmniBallot. However, according to the researchers, in spite of the “well established” risks of online voting, Democracy Live’s online voting system “has never been the subject of a public, independent security review.”
OmniBallot, which is designed to offer users a simple online voting system, allows voters to verify their identities and receive a copy of their ballot in the form of a PDF file.
Depending on the laws subject to each specific location, voters would either be allowed to leave a ballot mark on the printed ballot before faxing or emailing back to the system, or mark the ballot electronically and submit it online.
An online voting system riddled with risks
However, questions begin to arise in the way in which the online voting system deals with personal data, the researchers said.
“We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter’s device and by insiders or other attackers who can compromise Democracy Live, Amazon, Google, or Cloudflare,” they wrote, adding that Democracy Live receives sensitive personally identifiable information including the voter’s identity, ballot selections, and browser fingerprint, all of which “could be used to target political ads or disinformation campaigns.”
By measuring the risks posed by Democracy Live’s online voting system, the two researchers also revealed that vote manipulation could be enacted by cybercriminals without running the risk of detection. This is further exacerbated by the fact that existing technology is not advanced enough to account for these risks, according to the researchers, leaving cybercriminals almost unchecked to mastermind efforts at vote manipulation.
“At worst, attackers could change election outcomes without detection, and even if there was no attack, officials would have no way to prove that the results were accurate. No available technology can adequately mitigate these risks, so we urge jurisdictions not to deploy OmniBallot’s online voting features,” the researchers wrote to this end.
Democracy Live, for its part, seemed to acknowledge the flaws inherent in its online voting system while asserting that the company takes care to protect user information. “No technology is bulletproof,” Bryan Finney, chief executive at Democracy Live told The New York Times earlier this month. “But we need to be able to enfranchise the disenfranchised.”
Finney also claimed that OmniBallot does not share or sell voter data, adding that voters who are concerned with online security have the option to print and mail their ballots—a method that the researchers of the report agreed was the safest.
Wider worries of vote manipulation
The new report serves to underscore the entrenched nature of the issues that plague online voting. Risks posed by cybercriminals with respect to vote manipulation in particular have long been a concern for the US government, with the Department of Homeland Security acknowledging the high-profile nature of the threat.
In addition, the results come at a contentious time, with the issue of mail-in voting being thrown into fierce debate in which even the US President Donald Trump has infamously chided. On the one hand, mail-in voting provides fewer contact risks in the wake of COVID-19, supporters say, while on the other hand detractors point out that the process can facilitate widespread vote manipulation. However, the recorded number of voter fraud cases involving mail-in voting remains low, according to a report by CNET, with any issues being easily detectible in the first place.
The researchers behind the report also acknowledge the necessity to balance such risks. “Elections administrators have the complicated job of ensuring that all eligible voters have the ability to vote, while simultaneously safeguarding against some of the world’s most sophisticated attackers,” they wrote, noting that—in the end—ensuring the security of an individual online voting system remains the bigger question at play.