OmniBallot, Another Flawed Attempt At Online Voting

Although online voting in elections has been a contentious topic for decades, it is during the current pandemic that it has seen significantly more attention. Along with mail-based voting, it could be a crucial tool in keeping the world’s democratic nations running smoothly. This is where the OmniBallot software, produced by Democracy Live, comes into play, along with its unfortunate unsuitability for this goal.

Despite its already being used by multiple US jurisdictions for online voting, a study by MIT’s [Michael Specter] and University of Michigan researchers points out the flaws in this web-based platform. Their recommendation is to either avoid using OmniBallot completely, or to use it only for printing out a blank ballot that one then marks by hand and sends in by mail.

One of the issues with the software is that by default it creates the marked ballot PDF on the Democracy Live servers, rather than only on the user’s device. Another is that, as a web-based platform, it is hosted on Amazon Web Services (AWS), with JavaScript sources pulled from both CloudFlare and Google servers. Considering that the concern with electronic voting machines was unauthorized access at a polling station, it shouldn’t require a lengthy explanation to see that this lack of end-to-end security in OmniBallot offers many more potential attack surfaces.

When Ars Technica contacted Democracy Live for comment on these findings, Democracy Live CEO [Bryan Finney] responded that “The report did not find any technical vulnerabilities in OmniBallot”. Since the researchers did not examine the OmniBallot code itself, that is technically true, but it misses the larger point: there is no guarantee that every single voter’s device is secure, nor every AWS, CloudFlare and Google instance involved in the voting process.

As a result, the recommended use of OmniBallot is the aforementioned printing out of blank ballots, which saves half of the trip time of the usual mail-in voting.

49 thoughts on “OmniBallot, Another Flawed Attempt At Online Voting”

  1. Any particular reason mail-in doesn’t work? Paper is extremely cheap, and so is postage. Drop a DNA sample in the corner as proof of one-person one-vote. Disregard the ones that have a spray pattern.

        1. One of my second cousins has genetically identical twin sons who don’t look like one another. She had their DNA tested because of how their difference in looks increased as they became teenagers. Despite a DNA match each one closely resembles one of their uncles, with some input from their mother and father.

      1. It has been getting cheaper; cities are testing dog poop against registered dogs these days. However, that’s with the expectation of recouping it with a hefty fine. Also with that and run of the mill criminal DNA testing, I think they’re only matching a handful of base pairs, not doing the whole sequence, so you get one in a million matches, which aren’t good enough unless you are gonna say it’s fine to get 200 votes from people with those base pairs. Even then, there might be families with more than 200 individuals having those pairs and being of voting age.

        But anyway, even 100% sequence matching at $20 a pop would triple election costs I would imagine. Also would piss off all the number of the beast and conspiracy types.

  2. Another major problem with online voting is the potential for voter coercion; unlike at a real voting booth, there’s often no safeguard against shoulder-surfing. One possible solution would be to allow users to define one or more “duress passwords” which, when used, allow the user to perform any number of dummy actions that will appear legitimate from that user’s point of view when logged in with that password. It may be necessary to have a physically secure environment available in which to set these passwords. Online voting will be very hard to get right, but I think it would be a very valuable system to have; it could make forms of direct democracy much more practical.

      1. Why not have a slipshod system that nevertheless makes it easy to screw over vote buyers, then watch what they do for a backend to validate a person’s vote has been bought; since they’ve got skin in the game it might actually be good. Then use that.

      2. Vote selling and vote coercion are essentially the same problem, and I think duress passwords could also take care of it – you could either vote using a duress password while a would-be vote buyer is watching, or sell someone credentials including a duress password, and they would never know if the account is a real one or not, undermining the entire market and essentially solving the problem just as the secret ballot did.

        Something similar could work for mail-in ballots, you could receive a list of numbered one-time-use codes to authenticate your mail-in vote with, only one being the real code and the others being duress codes, and if you receive the number of the real code in a physically secured environment and keep it only in your brain it would be quite secure.

        1. Thinking about the mail-in system a bit more, it could be vulnerable to a brute-force or DoS attack if the attacker got a hold of the code sheet, so a brute-force limiter would be necessary at the very least (e.g. mail the person 1000 codes and if more than 10 forms with codes from the sheet are received, the voter has to vote in person, also use ballot sheets that are hard to counterfeit and allow each person to receive a maximum of 10 forms to mitigate DoS).

        2. How well would that work given there are some people I know who have just one (1) password… for everything?

          Yes, I know it’s bad practice. They know it’s bad practice too. There are some people who just can’t deal with a plurality of passwords and for whom password managers are akin to black magic.

          I vote by postal ballot a lot these days. Saves a lot of stuffing around (since not voting is illegal where I am).

      3. There is really no secure way to vote remotely, or by mail. Someone wishing to sell their vote only needs to go through whatever security steps are needed to complete the transaction. Some people physically or mentally require assistance when voting, and likely would know, or understand, what an ‘assistant’ did on the ballot. How many voters in nursing homes need help voting? There are a lot of other things on the ballot, besides Trump and Biden, which are often more important, but often overlooked. People tend to focus mostly on the presidential candidates, but that’s only one of the 3 co-equal branches of our government.

        Mail existed in the 1700s, and it was a good distance to travel for many voters. Why wasn’t mail-in voting addressed by the founding fathers in the Constitution? They knew it was ripe for fraud, and should be avoided, not encouraged.

        1. Maybe they shouldn’t be voting, because whoever helps them in the voting booth has just as much power over them, if they don’t understand who they’re voting for.

    1. Even at a real voting booth there is a chance of “shoulder-surfing”. You go to a booth where the person behind the desk is foreign (like you), you tell them in your language that you cannot read, and they will point out to you who to vote for. They even show how to vote!
      Cases like this can only be pointed out by:
      A) Putting a written complaint in the declaration that is put inside the sealed package.
      B) Filing an official complaint at the mayor’s office.

      Either way, they will get back to you claiming that they did not suspect any voter fraud, so be prepared to have a hidden camera ready with a timestamp so that you can prove them wrong. This is exactly the reason why I am going to a voting booth and just sitting there for the whole day as an “independent observer”. If they kick me out, or harass me in any way, they know I will file a complaint to the municipality. This is also the reason why I prefer the “paper trail”; it’s harder to get rid of them when they are stamped with a serial number.

  3. Russians now buying lots of minimal AWS instances hoping to hit on machines where the physical CPU is shared with DL instances, so they can leverage unpatched Spectre/Meltdown exploits, recent unpatched exploits and all those 0-day undisclosed ones they’ve been saving for a rainy day.

    1. Doesn’t even need to be on the same CPU – flaws in the implementation of any of the networking steps could be even worse. And it’s not like network management and security have a glowing record either; plenty of patches won’t be applied there. (One can hope the whole communication will be properly encrypted… but judging by past government-used IT systems that would be a forlorn hope; at best it will be the right idea executed badly, and on average, I’d say, a token effort on security through anything but the obscurity created by the plethora of kludges that make it all work.)

      Online over the normal public internet has so many participants in each step that being 100% sure it’s secure is impossible; being as sure it’s secure as you can be for paper ballots is merely really damn hard.

  4. I think online voting can be done reasonably securely, but no one seems to be interested in that. When a voter gets a ballot, it should come with a unique (long random) key. This could be in the form of a QR code. The first concern is that this would lead to voter tracking; however, I think that this is not too much of a concern as the numbers should be generated in advance and be handed out on a first-come, first-served basis.

    Each completed ballot should be reduced to a simple, canonical form (something like JSON, with alphabetical keys and a clearly defined structure [any other simple, human-readable format that is non-trivial to manipulate maliciously would work]). This finalized form should have every question, every possible answer (in the order presented), and the voter’s choice. The user should be allowed to sign this final ballot with their own unique key (there could be a simple mobile app or something to make this easier for a user, but users should be able to generate their own keys any way they want). The ballot should be timestamped, hashed, and added to a Merkle tree of existing submitted ballots.

    The user should be able to, at any time, validate their ballot by looking up the unique ballot ID in the application. They should be able to validate the signature of the ballot via the random key they generated. They should be able to see the main hash as well. Again, a mobile or computer app could make this easier, and could store this information on first lookup to help highlight to the user if their ballot was tampered with at a later date. Yes, all of these helper applications could be manipulated to cover up fraud, but they would make such fraud much more difficult, and provide a way for a common user to still use the system with some reasonable fraud guarantees.

    More importantly, because the user is not required to use these systems to validate their ballot, fraud would almost certainly come to light because there will always be a threshold of extra-diligent users. Since the specification and API should be open, anyone could develop a non-official application. Since each ballot has a long, non-enumerable ID, some simple anti-bruteforcing controls would limit the likelihood of many ballots being discovered and enumerated. After an election, this information could actually be fully disclosed to the public (minus the user hash) so the public could audit the results. Of course, nothing in such a process prevents the final counting system from using real data, but disclosing all of the data would fix this. This can also be somewhat enforced by making sure that a running hash comes out correctly for the Merkle tree. But at the end of the day, we all have to accept that data is counted correctly at the end of the line. Most of the fraud occurs pre-recording, via “lost” ballots, or intentional incorrect recording, and this eliminates both by providing a user a way to validate their ballot was recorded correctly, and that it reached the final tallying destination. Of course, you’d also need a process to allow users to dispute a ballot.
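The scheme this comment sketches (canonical JSON ballot, a key only the voter holds, timestamped leaf hashes in a Merkle tree, and later self-verification by ballot ID against the published root) as an added Python example; it is not code from the commenter, the article, or Democracy Live. It assumes HMAC-SHA256 with a voter-held random key in place of a public-key signature (to stay standard-library only) and a plain binary Merkle tree that duplicates the last node on odd levels; the ballots, keys and timestamps are constructed.

```python
import hashlib
import hmac
import json
import secrets

def canonical_ballot(ballot):
    """Canonical JSON: sorted keys, fixed separators; lists (the answer options) keep presented order."""
    return json.dumps(ballot, sort_keys=True, separators=(",", ":")).encode()

def sha256(data):
    return hashlib.sha256(data).digest()

def tag_ballot(voter_key, canonical):
    # Voter 'signs' the canonical ballot with a key only they hold. HMAC-SHA256 stands in for a
    # public-key signature to keep this standard-library only (my assumption, not the post's design).
    return hmac.new(voter_key, canonical, hashlib.sha256).hexdigest()

def leaf_hash(canonical, tag, timestamp):
    # A leaf commits to the ballot content, the voter's tag and the recording timestamp.
    return sha256(b"leaf|" + canonical + b"|" + tag.encode() + b"|" + str(timestamp).encode())

def merkle_root_and_proofs(leaves):
    """Binary Merkle tree; proofs[i] is the (side, sibling) path that recomputes the root from leaf i."""
    proofs = [[] for _ in leaves]
    covers = [[i] for i in range(len(leaves))]   # original leaf indices under each node
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:                       # odd count: duplicate last node, it covers nothing
            level.append(level[-1]); covers.append([])
        nxt, nxt_covers = [], []
        for i in range(0, len(level), 2):
            left, right = level[i], level[i + 1]
            for idx in covers[i]:
                proofs[idx].append(("R", right))
            for idx in covers[i + 1]:
                proofs[idx].append(("L", left))
            nxt.append(sha256(b"node|" + left + right))
            nxt_covers.append(covers[i] + covers[i + 1])
        level, covers = nxt, nxt_covers
    return level[0], proofs

def verify_inclusion(leaf, proof, root):
    # Recompute the root from a leaf and its sibling path; True only if it matches the published root.
    node = leaf
    for side, sibling in proof:
        node = sha256(b"node|" + (sibling + node if side == "L" else node + sibling))
    return hmac.compare_digest(node, root)

def voter_check(rec, root):
    # What a voter (or an independent app) does after looking up their ballot ID.
    tag_ok = hmac.compare_digest(tag_ballot(rec["key"], rec["canonical"]), rec["tag"])
    return tag_ok and verify_inclusion(leaf_hash(rec["canonical"], rec["tag"], rec["ts"]), rec["proof"], root)

def run_demo():
    """Constructed election with three voters, then a tampering attempt after the root is published."""
    questions = {"Q1": ["Alice", "Bob"], "Q2": ["Yes", "No"]}
    choices = [{"Q1": "Alice", "Q2": "No"}, {"Q1": "Bob", "Q2": "Yes"}, {"Q1": "Alice", "Q2": "Yes"}]
    records = {}
    for i, choice in enumerate(choices):
        key, ts = secrets.token_bytes(32), 1_700_000_000 + i   # voter-held key, constructed time
        canonical = canonical_ballot({"questions": questions, "choices": choice})
        records[secrets.token_hex(16)] = {"key": key, "canonical": canonical, "tag": tag_ballot(key, canonical), "ts": ts}
    root, proofs = merkle_root_and_proofs([leaf_hash(r["canonical"], r["tag"], r["ts"]) for r in records.values()])
    for rec, proof in zip(records.values(), proofs): rec["proof"] = proof
    all_valid = all(voter_check(r, root) for r in records.values())
    victim = next(iter(records.values()))               # silently alter one stored choice
    altered = json.loads(victim["canonical"]); altered["choices"]["Q1"] = "Bob"
    bad_leaf = leaf_hash(canonical_ballot(altered), victim["tag"], victim["ts"])
    tamper_detected = not verify_inclusion(bad_leaf, victim["proof"], root)
    return {"root": root.hex(), "all_valid": all_valid, "tamper_detected": tamper_detected}
```

Publishing the root alone does not prove every ballot was counted; it only lets each voter who bothers to check confirm that their own recorded ballot is the one they submitted, which is the comment's point about extra-diligent users.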

  5. Why is this so complicated?

    I live in Oregon.

    We have vote-by-mail and it Just. Plain. Works.

    It works better than any place I’ve ever lived, and I’ve lived and voted in *lots* of places, with a lot of methods. I’ve done check-marks, and chads and screens and levers. Mail wins.

    Paper is cheap. It leaves an unambiguous paper trail that can be re-checked at will. There is no issue with staffing polling stations or where they are located. You don’t have to take time off of work or stand in lines. And the actual act of handling votes is so diffuse that it would be difficult to commit fraud on any kind of scale.

    Assuming you’re not stupid enough to actually hand the thing to an unknown political operative knocking on your door (this happened in North Carolina in 2018) it’s pretty damn tough to man-in-the-middle thousands of individual, unmarked, physical envelopes all working their way through the system from hundreds of physical starting points all at their own pace.

    There’s a procedure in place to make sure you actually get your ballot, a remedy if you don’t, and when your ballot is returned your signature is checked against the voting rolls – just like at an in-person polling place.

    Each ballot goes out with barcodes on the delivery and return envelopes. Did your ballot get mailed out yet? You can look it up. Did it get received back? You can look *that* up. Need a replacement ballot? The return envelope ostensibly sent to you is voided, and a replacement is mailed.

    Don’t trust the mail because somehow some biased postal worker can magically tell what’s inside that sealed ballot envelope? We have ballot drop boxes in the libraries and municipal buildings – just like you were voting in person.

    Yes, there are some issues, particularly with people who have no fixed address – but that’s an issue with *any* polling district, and there are ways around it. I would hazard a guess that the real problems of making sure everyone can get and return a mail-in ballot pale in comparison to the issues with touchscreen or on-line systems.

    Did I mention the paper trail? Oh, right, I already mentioned that. It’s really hard to hack the 1600’s.

    Seriously, mail-in paper ballots. They. Just. Work.

    1. I’m glad it works for you, but there is another side. In Baltimore’s recent vote-by-mail election ballot errors resulted in a significant counting delay, people never received their ballots, etc. The list of problems they encountered was not insignificant and this was only a primary. You might also want to look at the recent vote-by-mail corruption allegations in Paterson, NJ.

      1. For all the problems you mention, they all also apply equally and often worse with online voting, in addition to allowing mass fraud to happen much more easily. And mail has been battle tested a lot more than any electronic solution out there.

        Vote-by-Mail isn’t bulletproof, but mass fraud requires a lot of tedious work that leaves a lot more trails.

      2. Buying votes is a stupid crime – lots of risk, hard to pull off. Suppressing votes (e.g. by alleging problems with voting systems, or “cleaning” voter rolls, demanding lots of ID) is a much smarter, safer way to manipulate elections.

        People can mess up implementing a system – whether it is vote by mail, or vote in person (look at all the delays in the recent election someplace in the south where they didn’t have enough election workers and had problems with the machines).

        Errors in setting up a system are a different problem from ones fundamental to the voting system.

        Washington has had vote by mail for years. It does not cause widespread problems. It is much more convenient than having to go to a polling place.
        (Basically you fill in the little bubbles on the mark-sense form at home, rather than having to go to a polling place to wield the pen.)

        It does not prevent members of either party from being elected (as the president seems to fear).

  6. The problem with voting online (or via any machine for that) is much simpler and in essence unsolvable.
    Tom Scott covered it quite nicely (twice): https://youtu.be/LkH2r-sNjQs
    Basically the problem with anything that involves a computer in the process is the “single point of failure” that is the software running on said machines. The “bad guys” (maybe Russia if we’re talking about the US) only have to bribe/coerce/infiltrate/whatever the company in charge of providing the software. Nobody can verify if the software on the machine is authentic, and even if you were theoretically able to do so, hardly anybody would bother or be competent enough.
    After the vote you are left with 0 physical evidence of anything and no useful record of cast votes that would enable a recount.
    With paper ballots on the other hand there is no easy way to change a large proportion of the votes without involving insane amounts of people in the process, and someone will speak up and expose the scheme.

  7. [Bryan Finney] responded that “The report did not find any technical vulnerabilities in OmniBallot”.
    This is a call for our community to set up some bots, and write in Joseph Fidler (the REAL Joe Walsh) for president.
    Results are guaranteed – LOL
    Probably after that though, witch hunts and “extra-judicial” sentences for us will follow.

  8. “Online voting will be very hard to get right but I think it would be a very valuable system to have […]”

    I’ve thought a lot about it, and I’ve come to the conclusion that, as of this day and date, paper ballots tallied by hand, by volunteers, is the optimal solution.

    Why, you ask? Transparency. Understandability. Ultimately, trust.

    It’s a process anyone can grasp, anyone interested can offer her or his help for the vote count and can “see” the process in action.

    Organize the vote tallying as a “democracy feast”.

    Societies change. For Debian, their process of voting (very nerdy, all this Condorcet thing) is adequate, because it’s a bunch of nerds — they’ll put the necessary dedication to understand the thing (some will read the source code, I’m sure).

    Societies change, and the day may come where e-voting is right “at large”, but this day ain’t now, I think.

    And oh, keep those corrupt voting machine “manufacturers” at a distance. At a far, far distance.

    1. As long as the ballots are hand marked and human readable, I’m not convinced that tallying them entirely by hand is superior to tallying them by machine with a random sample double-checked by hand. Human error is non-trivial even with good intentions — and in some US states, the ballots stretch to quite a few pages.

  9. What this, and many previous claims that online/computerised ballot systems are flawed, completely overlook is that the current methods have the same problems at best, and in many cases are much less secure!

    They keep discounting better systems, waiting for something that is perfect. We all know that you can’t have a totally anonymous and totally accountable system as these are at odds but we can make a best effort by *making the same compromises* as the current physical voting systems do.

    1. The advantages of switching then boil down to being secure, but also being far more available and accessible. (One of the reasons why gerrymanderers oppose this kind of tech)

  10. Online voting, mail-in voting? What the hell is so hard about taking 1/2 hour out of your day every 1400 odd days to go some place and scrawl a mark on a piece of paper with a pencil? Paper ballots have worked for hundreds of years and nobody has yet come up with something better! The whole thing is a waste of time.

    1. It’s nice when you live in a district where the polls are in walking distance and you don’t have a job during voting hours. For some it’s not a half hour but might stretch on for 3 or 4. Thank you, gerrymanderers. We can do better. Hell, all we really have to do is move voting day to the weekend and maybe have free public transportation during voting hours; you don’t even have to do anything high tech or stupid like online voting.

      1. I could go for free transport (for you and any children, no need for babysitting), voting on weekends, voting 6 am to 10 pm, mandatory day off work on voting day, voting in government owned buildings (like there aren’t a shitload of those) that are disability friendly; all these things are well worth the price considering we are electing a government who will, in reality, rule us for years. And MH, 1400 days is about 4 years, which is a pretty general rule for times between elections. When we get real security for online voting let’s do it, but we are not there yet; stick with what we’ve got.

    2. COVID-19
      Working 12+ hour days
      Off-shift work (not everyone is 9-5)
      Distance to the voting booth
      Babysitter
      Disabilities
      Transportation
      “A bunch of other reasons I’m too privileged to think of”

    3. In rural areas one may live an hour or more from polling place.
      One has to get child care, time off work, get transportation.
      (In person voting selectively disenfranchises the poor.)
      Hours long lines at polling places in recent elections.
      In many locations, elections happen several times per year.
      (no idea where the 1400 days came from).
      Renting polling places, paying polling workers, etc. is expensive.

      Marks on paper work just as well when the paper is mailed in.
      (Washington has been using them for years.)

  11. Long time ago, around 25 years ago, I was involved with a pilot project to do on-line voting in the Netherlands. We developed a system based on Lotus Domino and we were so confident we challenged the hacker community to cast a fake vote. They tried for 3 months (as long as the project ran) and failed.
    We even managed to make a system that could trace each vote to each voter, without being able to know what the vote was.
    In many ways it was a big contradiction. It needed to be open and easy, yet totally secure. It needed to trace each vote, yet not know what the vote was. It followed the letter of the law, but was on-line.
    There were many mistakes in the way the project was run, but the core application worked perfectly. It is still one of the projects I am really proud of.

      1. I live in Brazil. Here electronic ballot boxes have been used for decades. The system seems safe, and the sum of the votes is very fast. However, we have to believe and trust in a black box. I believe that if the ballot box and the counting systems were open source it would be much better.
