Elections in five states have used or plan to use OmniBallot's online voting tech.
Democracy Live, the company behind OmniBallot, defended its software in an email response to Ars Technica. "The report did not find any technical vulnerabilities in OmniBallot," wrote Democracy Live CEO Bryan Finney.
OmniBallot is election software that is used by dozens of jurisdictions in the United States. In addition to delivering ballots and helping voters mark them, it includes an option for online voting. At least three states—West Virginia, Delaware, and New Jersey—have used the technology or are planning to do so in an upcoming election. Four local jurisdictions in Oregon and Washington state use the online voting feature as well. But new research from a pair of computer scientists, MIT's Michael Specter and the University of Michigan's Alex Halderman, finds that the software has inadequate security protections, creating a serious risk to election integrity.
Experimenting with a live election system would be unethical and likely illegal. Instead, Specter and Halderman obtained a copy of the OmniBallot software, reverse-engineered it, and then created new server software that mimicked the behavior of the real server. This allowed them to experiment with the software without risking interference with a real election.
Democracy Live conducts post-election audits using Amazon's AWS CloudTrail software to verify that no Democracy Live employees abused their access to company servers. These checks could detect some forms of election tampering, but Specter and Halderman point out that they are far from foolproof.
Most states have heeded the experts' warnings and shied away from online voting. But a few have pushed forward, drawing the ire of computer security researchers in the process.