National: Security Flaws in US Online Voting System Raises Alarm Over Potential Vote Manipulation | Byron Muhlberg/CPO Magazine

As the 2020 US presidential election draws nearer, concern is beginning to mount over the potential threat of vote manipulation. Alarm over vote manipulation was once again raised after OmniBallot, an online voting system, was found to be riddled with a host of security risks according to the findings of a recent research paper by Massachusetts Institute of Technology (MIT) and the University of Michigan computer scientists. The research paper, which hit the press on June 7, revealed that OmniBallot’s designer Democracy Live leaves the ballots that it processes susceptible to vote manipulation. What’s more, the researchers found that Democracy Live actively collects sensitive voter information and does not ensure adequate protection of the information while online. As a result, according to the paper, the online voting system runs the risk of providing easy pickings for sophisticated cybercriminals—especially those using ransomware—one that is only exacerbated by the fact that no technology currently exists to mitigate the risks in question.

Delaware: Election Commission Quietly Fielded An Online Voting System, But Now Is Backing Away | Sophia Schmidt/NPR

Delaware briefly deployed a controversial internet voting system recently but scrapped it amid concerns about security and public confidence. Before the online option was shuttered, voters returned more than 2,700 ballots electronically — and those votes still will be counted, according to the state, along with conventional votes in the upcoming July primary. Delaware Election Commissioner Anthony Albence said the decision to stop using the cloud-based return option was made to protect public perception of the election. “We have had no problems with the system,” said Albence. “We have confidence in the system, but we want everyone to be fully confident in anything that we do.” The coronavirus pandemic has sent election officials nationwide scrambling for creative solutions to voting problems this year, but it’s becoming clear that there remains very little appetite for new internet voting platforms as part of that conversation. After NPR reported in April that three states were moving toward statewide pilot programs to allow voters with disabilities to return their ballots over the internet, two of those states have since backed away from those plans after intense criticism from the cybersecurity community.

Delaware: Election officials back out of mobile voting weeks before primary | Benjamin Freed/StateScoop

Delaware election officials backed off a plan to offer an online ballot-return method to voters in its primary next month, citing a recent report from security experts that found that the platform being used is vulnerable to hacking that could expose or manipulate how a person’s ballot was cast without being detected by either voters or the vote counters. The platform, OmniBallot, allows election administrators to send ballots to hard-to-reach voters, like deployed military members, civilians living abroad and voters with disabilities, giving them the option to return their completed ballots through a variety of methods, including postal mail, email and fax. But Delaware was also one of a handful of states that planned to test out OmniBallot’s ability to transmit ballots online, which raised concern with some election security analysts who argue that the internet is a dangerous venue for voting. In a June 7 paper, J. Alex Halderman, a computer scientist at the University of Michigan, and Michael Specter, a doctoral student at the Massachusetts Institute of Technology, wrote that OmniBallot “is vulnerable to vote manipulation by malware on the voter’s device and by insiders or other attackers” who can compromise software made by OmniBallot’s developer, Democracy Live.

Voting Blogs: New Jersey agrees No Internet voting in July, vague about November | Andrew Appel/Freedom to Tinker

A formal settlement agreement has been submitted to the NJ Superior Court regarding online ballot access in the 2020 elections. On May 4, 2020, New Jersey’s Division of Elections was caught trying to adopt vote-by-Internet on the stealth, even though the law forbids it. That is, not only is Internet voting inherently insecurable, there’s a 2010 Court Order still in effect that says, “computers utilized for election-related duties shall at no time be connected to the Internet.” That’s based on the New Jersey Superior Court’s finding that “As long as computers, dedicated to handling election matters, are connected to the Internet, the safety and security of our voting systems are in jeopardy,” in the case of Gusciora v. Corzine. Penny Venetis, attorney for the Gusciora plaintiffs, filed a motion (in early May) with the Court, to make the State abandon its plans for online voting, on the basis that receiving ballots e-mailed or uploaded on the Internet clearly violates this order. The Court ordered the parties to reach a settlement by June 8, or report their separate positions.

National: Cybersecurity Concerns with Online Voting for 2020 Presidential Election | 2020-06-11 | Security Magazine

A new report by researchers at the Massachusetts Institute of Technology (MIT) and University of Michigan discusses the cybersecurity vulnerabilities associated with OmniBallot, a web-based system for blank ballot delivery, ballot marking and (optionally) online voting. Three states – Delaware, West Virginia and New Jersey – recently announced they would allow certain voters to cast votes using OmniBallot. Researcher Michael A. Specter at MIT and J. Alex Halderman at the University of Michigan reverse engineered the client-side portion of OmniBallot, as used in Delaware, in order to detail the system’s operation and analyze its security. “We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter’s device and by insiders or other attackers who can compromise Democracy Live, Amazon, Google, or Cloudflare,” the researchers explain. In addition, Democracy Live, which appears to have no privacy policy, receives sensitive personally identifiable information—including the voter’s identity, ballot selections, and browser fingerprint—that could be used to target political ads or disinformation campaigns, the report says.

National: Researchers say online voting tech used in 5 states is fatally flawed | Timothy B. Lee/Ars Technica

OmniBallot is election software that is used by dozens of jurisdictions in the United States. In addition to delivering ballots and helping voters mark them, it includes an option for online voting. At least three states—West Virginia, Delaware, and New Jersey—have used the technology or are planning to do so in an upcoming election. Four local jurisdictions in Oregon and Washington state use the online voting feature as well. But new research from a pair of computer scientists, MIT’s Michael Specter and the University of Michigan’s Alex Halderman, finds that the software has inadequate security protections, creating a serious risk to election integrity. Democracy Live, the company behind OmniBallot, defended its software in an email response to Ars Technica. “The report did not find any technical vulnerabilities in OmniBallot,” wrote Democracy Live CEO Bryan Finney. This is true in a sense—the researchers didn’t find any major bugs in the OmniBallot code. But it also misses the point of their analysis. The security of software not only depends on the software itself but also on the security of the environment on which the system runs. For example, it’s impossible to keep voting software secure if it runs on a computer infected with malware. And millions of PCs in the United States are infected with malware.

National: Democracy Live Internet Voting System Can Be Hacked, Researchers Warn | Lucas Ropek/Government Technology

An online voting platform that has seen recent adoption by numerous state and county governments has vulnerabilities that could be exploited to change votes without the knowledge of election officials, a new report alleges. The OmniBallot, which is a product of Seattle-based tech firm Democracy Live, purports to offer “secure, accessible remote balloting for all voters” and is being used by state or county governments in Oregon, Washington, Colorado, Ohio, Florida, New Jersey and West Virginia. The company developed a number of contracts for limited Internet voting pilot programs with states earlier this year, after COVID-19 threatened to disrupt primary elections nationwide. These programs are fairly limited in scope and largely focus on overseas voters and the disabled. However, computer science researchers say what the company really offers is an insecure platform. The recently published report from professors Michael J. Specter, of MIT, and J. Alex Halderman, of the University of Michigan, states that the company “uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter’s device and by insiders or other attackers who can compromise Democracy Live, Amazon, Google, or Cloudflare [its partners].”

Voting Blogs: Democracy Live internet voting: unsurprisingly insecure, and surprisingly insecure | Andrew Appel/Freedom to Tinker

The OmniBallot internet voting system from Democracy Live finds surprising new ways to be insecure, in addition to the usual (severe, fatal) insecurities common to all internet voting systems. There’s a very clear scientific consensus that “the Internet should not be used for the return of marked ballots” because “no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet.” That’s from the National Academies 2018 consensus study report, consistent with May 2020 recommendations from the U.S. EAC/NIST/FBI/CISA. So it is no surprise that this internet voting system (Washington D.C., 2010) is insecure, and this one (Estonia 2014) is insecure, and that internet voting system is insecure (Australia 2015), and this one (Scytl, Switzerland 2019), and that one (Voatz, West Virginia 2020). A new report by Michael Specter (MIT) and Alex Halderman (U. of Michigan) demonstrates that the OmniBallot internet voting system from Democracy Live is fatally insecure. That by itself is not surprising, as “no known technology” could make it secure. What’s surprising is all the unexpected insecurities that Democracy Live crammed into OmniBallot–and the way that Democracy Live skims so much of the voter’s private information.

National: Online Voting System Used in Florida and Elsewhere Has Severe Security Flaws, Researchers Find | Kim Zetter/OneZero

New research shows that an internet voting system being used in multiple states this year is vulnerable to hacking, and could allow attackers to alter votes without detection. On Sunday, researchers published a report that details how votes in OmniBallot, a system made by Seattle-based Democracy Live, could be manipulated by malware on the voter’s computer, insiders working for Democracy Live, or external hackers. OmniBallot is currently used in Colorado, Delaware, Florida, Ohio, Oregon, Washington, and West Virginia. Though online voting has typically been used by overseas military and civilian voters, it could expand to more voters in the future due to the pandemic. The researchers found that bad actors could gain access to ballots by compromising Democracy Live’s network or any of the third-party services and infrastructure that the system relies on, including Amazon, Google, and Cloudflare. “At worst, attackers could change election outcomes without detection, and even if there was no attack, officials would have no way to prove that the results were accurate,” the researchers, Michael Specter at the Massachusetts Institute of Technology and J. Alex Halderman of the University of Michigan, write. “No available technology can adequately mitigate these risks, so we urge jurisdictions not to deploy OmniBallot’s online voting features.”

National: Study finds vulnerabilities in online voting tool used by several states | Maggie Miller/The Hill

Researchers with the Massachusetts Institute of Technology (MIT) and the University of Michigan found multiple security vulnerabilities in an online voting tool being used by at least three states. The study evaluated Democracy Live’s OmniBallot, a program that Delaware, New Jersey and West Virginia are using to allow military personnel and voters with disabilities to cast ballots amid the COVID-19 pandemic. The company also has a contract with the Defense Department to provide ballots to military personnel overseas. According to the paper published Sunday, the system opens up the voting process to a range of vulnerabilities that could lead to election interference. “We conclude that using OmniBallot for electronic ballot return represents a severe risk to election security and could allow attackers to alter election results without detection,” the researchers wrote.

National: How to Protect Your Vote – a technical report on Democracy Live OmniBallot | Michael A. Specter and J. Alex Halderman/Internet Policy Research Initiative at MIT

Today, MIT and University of Michigan researchers released a report on the security of OmniBallot, an Internet voting and ballot delivery system produced by Democracy Live. This system has been deployed in Delaware, West Virginia, and other jurisdictions. Our goal is to provide election officials and citizens the information they need to ensure that elections are conducted securely. Based on our findings, we have specific recommendations for both governments and individual voters.

Editorials: In West Virginia, every voter counts | Mac Warner and Jeremiah Underhill/WVNews

It is often said, “every vote counts.” In West Virginia, every voter counts, too. For too long, segments of voters have been disenfranchised from our democratic process through no fault of their own. Deployed armed services members often lack access to mail, printers, and scanners — components needed for casting paper ballots from remote locations. Similarly, voters living with a physical disability are often prevented from marking and casting a ballot secretly when they cannot make it to the polls in person. Technological advancements have torn down barriers to convenient interaction with government and private entities and have increased accessibility without sacrificing a person’s privacy. It is common for people to bank, transfer money, sign documents, shop and receive sensitive medical information via mobile devices, regardless their location around the world. Not only is technology available to help people vote, West Virginia law now requires it. On February 3, 2020, West Virginia took a huge step forward to expand the voting franchise with the signing into law of SB 94. This law requires election officials to make absentee voting fully accessible to voters with physical disabilities who are prevented from voting in-person at the polls and from marking ballots without assistance. These absentee voters with physical disabilities now have an option to mail or electronically submit their ballot back to their county clerk using approved technology.

West Virginia: Secretary of State opts for different voting application for electronic absentee ballots | Chris Lawrence/WV MetroNews

The Secretary of State’s office will go with a different vendor as they work to expand electronic absentee voting in West Virginia during the 2020 election cycle. Secretary of State Mac Warner has announced that for the upcoming primary election, West Virginia will use the Democracy Live electronic voting system after testing the Voatz app in the last election cycle. “They’ve been around for a decade. They’ve participated in elections throughout the United States since 2010 and they have a fully compliant A-D-A functionality in their system which allows a voter who is blind or visually impaired to mark their ballot without assistance,” Deak Kersey, general counsel for the West Virginia Secretary of State’s office said. West Virginia was part of a pilot program in 2018 and allowed members of the military stationed overseas to vote via the Voatz App. The Voatz App was on a mobile phone whereas Democracy Live is on a fixed server. According to Kersey, only 144 voters used the App in West Virginia’s 2018 general election and only 13 during the primary. It was a pilot project and a test.

West Virginia: State will NOT use controversial voting app Voatz during primary elections | Internewscast

West Virginia has announced it will not be using the voting app Voatz after researchers found it is ‘riddled with vulnerabilities’. The US state employed the technology in 2018 to troops overseas and was also set to implement it in the upcoming primary elections for residents with disabilities. However, the flaws, uncovered earlier this month by MIT engineers, give hackers the ability to alter, stop or expose how an individual user has voted. Secretary of State Mac Warner said on Friday that disabled and overseas voters will now use a service by Democracy Live which lets them log in to fill out a ballot online or print an unmarked ballot and mail it in. The US state was set to employ Voatz following a new bill that requires counties to provide certain individuals with a type of online ballot-marking device that can be used with a smartphone.

West Virginia: After damaging report, West Virginia moves away from Voatz internet voting app | Anthony Izaguerre/Associated Press

West Virginia is opting not to use a widely criticized voting app in the state’s coming primary elections after a blistering report found potential security flaws in the platform. Donald Kersey, general counsel in the West Virginia Secretary of State’s office, said Monday that an MIT analysis of the Voatz app “gave us enough pause” to instead use a different system for the May elections. The decision came as state officials had to choose an online voting system to comply with a new law requiring electronic ballots for people with physical disabilities. Last month, an MIT study found that Voatz, which has mostly been used for absentee ballots from overseas military personnel, has vulnerabilities that could allow hackers to change a person’s vote without detection. The researchers said they were forced to reverse engineer an Android version of the app because the company hasn’t allowed transparent third-party testing of the system. The Voatz app was used to tally fewer than 200 ballots in West Virginia’s 2018 elections and didn’t have any problems, state officials said. The app has also been used in pilots in Denver, Oregon and Utah.

West Virginia: State backtracks on using Voatz smartphone voting app in state primary | Kevin Collier/NBC

In a surprise turnaround, voters with disabilities in West Virginia won’t be voting with their smartphone in the state’s primary in May. They’ll instead be able to use a system that prints out their completed ballot, which they can then mail in. Friday afternoon, West Virginia Secretary of State Mac Warner announced that disabled and overseas voters will be able to use a service by Democracy Live, which lets users log in to fill out a ballot online or print one out and mail it in. It’s a sudden pivot from the state’s embrace of Voatz, a smartphone app that aimed to boost turnout by letting people vote from their phone but that has been heavily criticized by cybersecurity experts. A handful of counties across the U.S. have offered Voatz to overseas and military voters in federal elections, as the city of Denver did in its 2019 mayoral election. But West Virginia offered it to counties statewide. On Feb. 5, the state passed a law requiring its counties to give voters with disabilities the option of receiving ballots electronically, starting with the May 12 primary elections.

National: Voting on Your Phone: New Elections App Ignites Security Debate | Matthew Rosenberg/The New York Times

For more than a decade, it has been an elusive dream for election officials: a smartphone app that would let swaths of voters cast their ballots from their living rooms. It has also been a nightmare for cyberexperts, who argue that no technology is secure enough to trust with the very basis of American democracy. The debate, long a sideshow at academic conferences and state election offices, is now taking on new urgency. A start-up called Voatz says it has developed an app that would allow users to vote securely from anywhere in the world — the electoral version of a moonshot. Thousands are set to use the app in this year’s elections, a small but growing experiment that could pave the way for a wider acceptance of mobile voting. But where optimists see a more engaged electorate, critics are warning that the move is dangerously irresponsible. In a new report shared with The New York Times ahead of its publication on Thursday, researchers at the Massachusetts Institute of Technology say the app is so riddled with security issues that no one should be using it.

National: MIT researchers identify security vulnerabilities in voting app | Abby Abazorius/MIT News

In recent years, there has been a growing interest in using internet and mobile technology to increase access to the voting process. At the same time, computer security experts caution that paper ballots are the only secure means of voting. Now, MIT researchers are raising another concern: They say they have uncovered security vulnerabilities in a mobile voting application that was used during the 2018 midterm elections in West Virginia. Their security analysis of the application, called Voatz, pinpoints a number of weaknesses, including the opportunity for hackers to alter, stop, or expose how an individual user has voted. Additionally, the researchers found that Voatz’s use of a third-party vendor for voter identification and verification poses potential privacy issues for users.

National: Iowa’s app fiasco worries mobile voting advocates | Tonya Riley/The Washington Post

The fiasco caused by an app that failed to properly transmit votes in the Iowa caucuses is worrying the mobile voting industry, which hoped 2020 would be a banner year. Companies — and proponents of incorporating more technology into elections — are trying to avoid being lumped in with the hastily made app used in Iowa. They’re saying its failure proves serious investment in user-friendly, secure election technology is more critical than ever. “We need to ensure that every new idea is tested, transparent and secure — just like the eight successful mobile voting pilots conducted to date,” Bradley Tusk, the founder and CEO of Tusk Philanthropies, said in a statement. “Enough is enough. 2016 should have been enough of a wake-up call. Iowa just confirmed it.” Tusk Philanthropies has funded pilots for mobile voting across the country, launched in a push to increase participation in elections. Unlike the app used in Iowa, which was developed to relay vote counts, the pilots use technologies that allow voters to easily vote from their mobile phones. So far, the pilots have largely been limited to eligible uniformed and overseas voters and voters with disabilities. But any expansion is sure to fall under an even more critical spotlight. Any malfunction — or hack — of an app used directly for voting in 2020 could have far greater impact in undermining public faith in the Democratic process than one Democratic caucus gone wrong.

Washington: Seattle-area election will use smartphone voting system that worries some experts | Jay Greene/The Washington Post

As it became clear that a technical mishap would delay results from the Iowa caucuses last week, Sheila Nix raced to prepare a chart illustrating how the glitch was isolated. Nix is president of Tusk Philanthropies, an organization that’s working to boost turnout through mobile-voting projects and was not involved in the Iowa caucuses. But she has been working on a Seattle-area election that culminates Tuesday to elect a seat on the board of the King Conservation District, which promotes sustainable uses of natural resources. It is one of Tusk’s most high-profile efforts. Nix didn’t want the Iowa debacle to discourage potential voters from using their mobile phones to cast their ballots. The chart Nix’s team created, posted on the King Conservation District’s website, noted that the technology used in Iowa, unlike Tusk’s partners, was “untested, and created in secrecy,” and that Iowa didn’t have a backup plan in the event there was a problem. But she said she also recognizes that the fiasco in Iowa was a setback for everyone working on digital elections. “We know we have an additional level of education that must be done,” Nix said.

Washington: We voted with a smartphone in a Seattle-area election, and this is what we discovered | Monica Nickelsburg/GeekWire

Mobile voting is fast, convenient, and vulnerable. Those were my takeaways testing out the mobile voting pilot available to all voters in the greater Seattle region Tuesday. More than 1.2 million Seattle-area voters have the option to cast their ballots online in a little-known election for the Board of Supervisors of the King Conservation District, a resource-management organization operating under state authority. To cast my ballot online, I visited the King Conservation District website on my smartphone. The first page explained my options for voting, including casting my ballot online. It also included an infographic detailing how this mobile voting pilot is different from the app that malfunctioned during the Iowa Democratic caucuses last week. Clicking “Vote Now” led to a series of prompts within the web browser on my phone. First I reviewed the sample ballot provided. Then it was time for the main event. … The speed and convenience of mobile voting is undeniable. … But there will always be folks who sit small, local elections out. My husband, for example, probably won’t vote in this one. Could that become an opportunity for fraud? I decided to find out.

Washington: ‘Proceed very cautiously’: Experts say online elections raise security concerns | Amy Radil/KUOW

Voting online is now an option for certain voters in King, Pierce, and Mason counties. But Washington state lawmakers and security experts say these methods should be “off the table” in 2020. Tuesday, February 11 is the last day for voters in the King Conservation District election to submit their online ballots. The election made headlines last month as the country’s first in which all eligible voters cast ballots via smartphones and computers. Pierce and Mason counties plan to use the same method to allow military and overseas voters to cast ballots in the presidential primary. But the failure of the app at the Iowa caucuses last Monday has inflamed doubts around online voting. Even before then, Washington Secretary of State Kim Wyman and cybersecurity experts condemned online balloting, calling for the exclusive use of paper ballots this year. Should Washington voters worry about online voting? … Computer scientist Jeremy Epstein has a much different perspective than Tusk. He argues the platforms Tusk has funded through two firms, Voatz and Democracy Live, are not transparent. “Both Voatz and Democracy Live have talked about, ‘Oh yes we’ve had security assessments,’” said Epstein, who works for the Association for Computing Machinery. “But they won’t release any information on what they’ve tested, what the results are. They just said, ‘don’t worry, be happy.’” Epstein said there are no standards for secure internet voting because it is “fundamentally insecure.” He adds that “we don’t want to build standards for ‘safe cigarettes,’” and “we don’t build standards for ‘safe’ internet voting because it’s a contradiction in terms.”

National: Iowa Caucus chaos likely to set back mobile voting | Lucas Mearian/Computerworld

A coding flaw and lack of sufficient testing of an application to record votes in Monday’s Iowa Democratic Presidential Caucus will likely hurt the advancement and uptake of online voting. While there have been hundreds of tests of mobile and online voting platforms in recent years – mostly in small municipal or corporate shareholder and university student elections – online voting technology has yet to be tested for widespread use by the general public in a national election. “This is one of the cases where we narrowly dodged a bullet,” said Jeremy Epstein, vice chair of the Association for Computing Machinery’s US Technology Policy Committee (USTPC). “The Iowa Democratic Party had planned to allow voters to vote in the caucus using their phones; if this sort of meltdown had happened with actual votes, it would have been an actual disaster. In this case, it’s just delayed results and egg on the face of the people who built and purchased the technology.” The vote tallying app used Monday in the Iowa Caucus was created by a small Washington-based vendor called Shadow Inc.; the app was funded in part by a nonprofit progressive digital strategy firm named Acronym. Today, Acronym strived to make it clear through a tweet it did not supply the technology for the Iowa Caucus, and it is no more than an investor.

Washington: Voting by Phone Gets a Big Test, but There Are Concerns | Emily S. Rueb/The New York Times

More than a million registered voters in the Seattle area can now cast a ballot for an obscure election using a smartphone or computer. Organizers are calling the pilot program the largest mobile voting effort in the country. Julie Wise, the director of elections in King County, said the election would be “a key step in moving toward electronic access” for voters across the region, in a statement released on Wednesday from Tusk Philanthropies, the nonprofit partnering with the county’s board of elections. The vote in King County, Wash., which includes Seattle, will fill an open spot on the board of the King Conservation District, an agency that manages natural resources. Beginning this week, eligible voters will be able to use a smartphone or computer to log into a portal created by Democracy Live, a Seattle-based company that receives government funding. “There’s no special app, there’s no electronic storage of votes. Instead a voter’s choice is recorded onto a PDF, which they then verify before submission,” Ms. Wise said in an email on Thursday. Once the ballots are received, the board will follow the same processing protocols that are used for mail-in ballots, she added.