Security Analysis of the Democracy Live Online Voting System

J. Alex Halderman
Michael A. Specter

[email protected] // mspecter@


This is a security analysis of an Internet Voting system used in the 2020 U.S. Federal elections.


Disclaimer

● Nothing in this work indicates that the 2020 presidential election was “hacked”
● To the best of our knowledge, OmniBallot was (thankfully) not used in Pennsylvania, Georgia, or Arizona
● We stand by the letter we signed, along with ~50 other elections security researchers: there is no compelling evidence of computer fraud in the 2020 presidential election outcome
  ○ mattblaze.org/papers/election2020.pdf


Motivation


Last year, USENIX Security ‘20:


Yet Another Internet Voting System!

● Previously adopted in:
  ○ 7 state governments
  ○ 98 jurisdictions in 11 states
● Planned adoption for 2020 presidential primaries
  ○ West Virginia
    ■ ~22%
  ○ Delaware & New Jersey
    ■ 100% of voters


Does Democracy Live’s system fare any better than Voatz?


Complications


Requirements of voting systems are subtle

● Correctness & Usability
  ○ Counted as cast, cast as intended, (only) accessible to all eligible voters
● Privacy
  ○ An attacker cannot learn a voter’s selections
● Receipt Freeness
  ○ No voter can prove the way they voted after the fact
● Coercion Resistance
  ○ Voter cannot cooperate with an attacker to prove the way they voted
● End to end verifiability (E2E-V)
  ○ Voters have proof that their vote was counted correctly

Democracy Live’s OmniBallot has Three Modes!

1. Electronic Ballot Delivery
   Ballot is physically marked, printed, and mailed
2. Remote Accessible Vote By Mail (RAVBM)
   Ballot is marked electronically, physically printed, & mailed
3. Full-on Internet Voting
   Ballot is marked electronically & returned via email or over Democracy Live’s system

Research Questions

1. How well does Democracy Live achieve Correctness, Privacy, Receipt Freeness, and Coercion Resistance?
   ○ Is it End to End Verifiable (E2E-V)?
2. What are the non-ballot privacy properties of the system?
3. How well do the other “modes” of Democracy Live fare, and how does one begin to analyze them?


General Obnoxiousness


Google’s privacy policy, not DL’s!

There is no OmniBallot privacy policy.


Let’s report a bug!


Significantly Complicated the Methodology

● Constraints
  ○ Can’t touch server infrastructure (legal & ethical concerns)
  ○ Must make assumptions about the backend
● Solution
  ○ Manually reverse engineer obfuscated client
  ○ Iteratively reimplement the server-side
  ○ Assume the best possible case for the backend in analysis

Analysis of the system as of June 2020


Results


[Figure legend: Client; Server; Third Parties (Amazon, Google, Cloudflare); Attacks]

Privacy

● Collects voter’s name, address, DoB, partial SSN, and browser fingerprint
● Uploads the voter’s secret ballot selections even if the voter prints & physically mails in the ballot
● Uses Google Analytics, and Google gets your voter ID & party affiliation
● Again, no privacy policy, no public restriction on use of data


Conclusions


Deployed Internet Voting Systems:

| System | Deployed Before Public Analysis | Barriers to Analysis & Disclosure | Poor / Misleading Documentation | Implementation & Design Flaws |
|---|---|---|---|---|
| Democracy Live (Specter et al. ’21) | ✓ | ✓ | ✓ | ✓ |
| Voatz (Specter et al. ’20) | ✓ | ✓ | ✓ | ✓ |
| Swiss Post (Teague et al. ’20) | ✓ | ✓ | | ✓ |
| Moscow (Gaudry et al. ’19) | ✓ | ✓ | ✓ | ✓ |
| Estonia (Springall et al. ’15) | ✓ | ✓ | ✓ | ✓ |

Contributions & Impact

● Contributions:
  ○ Security analysis of a deployed Internet voting system in U.S. federal elections
  ○ First analysis of an RAVBM system
  ○ Found a number of security & privacy issues
● Impact:
  ○ New Jersey & Delaware halted use of OmniBallot for Internet voting!
  ○ However, still used in West Virginia and Denver in November 2020