Security Analysis of the Democracy Live Online Voting System

Post on 21-Apr-2022

Transcript of Security Analysis of the Democracy Live Online Voting System

Michael A. Specter, specter@mit.edu // mspecter@

J. Alex Halderman

This is a security analysis of an Internet voting system used in the 2020 U.S. federal elections.

Disclaimer

● Nothing in this work indicates that the 2020 presidential election was “hacked”

● To the best of our knowledge, OmniBallot was (thankfully) not used in Pennsylvania, Georgia, or Arizona

● We stand by the letter we signed, along with ~50 other elections security researchers: there is no compelling evidence of computer fraud in the 2020 presidential election outcome

○ mattblaze.org/papers/election2020.pdf

Motivation

Last year, USENIX Security ‘20:

Yet Another Internet Voting System!

● Previously adopted in:
  ○ 7 state governments
  ○ 98 jurisdictions in 11 states

● Planned adoption for 2020 presidential primaries
  ○ West Virginia
    ■ ~22%
  ○ Delaware & New Jersey
    ■ 100% of voters

Does Democracy Live’s system fare any better than Voatz?

Complications

Requirements of voting systems are subtle

● Correctness & Usability
  ○ Counted as cast, cast as intended, (only) accessible to all eligible voters

● Privacy
  ○ An attacker cannot learn a voter’s selections

● Receipt Freeness
  ○ No voter can prove the way they voted after the fact

● Coercion Resistance
  ○ Voter cannot cooperate with an attacker to prove the way they voted

● End-to-end verifiability (E2E-V)
  ○ Voters have proof that their vote was counted correctly

Democracy Live’s OmniBallot has Three Modes!

1. Electronic Ballot Delivery

Ballot is physically marked, printed, and mailed

2. Remote Accessible Vote By Mail (RAVBM)

Ballot is marked electronically, physically printed, & mailed

3. Full-on Internet Voting

Ballot is marked electronically & returned via email or over Democracy Live’s system

Research Questions

1. How well does Democracy Live achieve Correctness, Privacy, Receipt Freeness, and Coercion Resistance?
  ○ Is it End-to-End Verifiable (E2E-V)?

2. What are the non-ballot privacy properties of the system?

3. How well do the other “modes” of Democracy Live fare, and how does one begin to analyze them?

General Obnoxiousness

Google’s privacy policy, not DL’s!

There is no OmniBallot privacy policy.

Let’s report a bug!

Significantly Complicated the Methodology

● Constraints
  ○ Can’t touch server infrastructure (legal & ethical concerns)
  ○ Must make assumptions about the backend

● Solution
  ○ Manually reverse engineer the obfuscated client
  ○ Iteratively reimplement the server side
  ○ Assume the best possible case for the backend in the analysis

Analysis of the system as of June 2020

Results

[Architecture diagram; legend: Client, Server, Third Parties (Amazon, Google, Cloudflare)]

Attacks: Privacy

● Collects voter’s name, address, DoB, partial SSN, and browser fingerprint
● Uploads the voter’s secret ballot selections even if the voter prints & physically mails in the ballot
● Uses Google Analytics, and Google gets your voter ID & party affiliation
● Again, no privacy policy, no public restriction on use of data
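One way an auditor can check for the two data flows described above (voter identifiers reaching a third-party analytics host, and ballot selections uploaded even when the voter will print and mail the ballot) is to seed the test session with canary values and scan the captured requests for them. This is an added example, not code from the paper or from Democracy Live; the host names, request bodies and canary values are all constructed.

```python
from urllib.parse import urlparse, unquote

# Canary values the auditor types into a test session so that any request
# carrying them can be traced. All values are constructed for this example.
CANARIES = {
    "voter_id": "VOTER-CANARY-0001",
    "party": "PARTY-CANARY",
    "dob": "1970-01-31",
    "ssn_last4": "9876",
    "selection": "CANDIDATE-CANARY",
}
FIRST_PARTY = {"ballot.example"}  # hypothetical voting-system host

# Constructed HAR-style capture of a print-and-mail session (hypothetical hosts).
SAMPLE_REQUESTS = [
    {"url": "https://ballot.example/api/session",
     "body": '{"voterId":"VOTER-CANARY-0001","dob":"1970-01-31","ssn4":"9876"}'},
    {"url": "https://ballot.example/api/ballot/save",
     "body": '{"voterId":"VOTER-CANARY-0001","selections":["CANDIDATE-CANARY"]}'},
    {"url": "https://analytics.example/collect?tid=UA-0&cd1=VOTER-CANARY-0001&cd2=PARTY-CANARY",
     "body": ""},
    {"url": "https://cdn.example/app.js", "body": ""},
]


def find_leaks(requests, canaries=CANARIES, first_party=FIRST_PARTY, mode="print_and_mail"):
    """Return (host, field, reason) for each request that carries a canary value
    to a third-party host, or a ballot selection to any server while the voter
    is in print-and-mail mode (where selections never need to leave the browser)."""
    findings = []
    for req in requests:
        host = urlparse(req["url"]).hostname or ""
        # Match against both the decoded URL (query parameters) and the body.
        payload = unquote(req["url"]) + " " + req.get("body", "")
        third_party = host not in first_party
        for field, value in canaries.items():
            if value not in payload:
                continue
            if third_party:
                findings.append((host, field, "voter data sent to third party"))
            elif field == "selection" and mode == "print_and_mail":
                findings.append((host, field, "ballot selections uploaded despite print-and-mail"))
    return findings


if __name__ == "__main__":
    for host, field, reason in find_leaks(SAMPLE_REQUESTS):
        print(f"{host}: {field} -> {reason}")
```

Identity fields sent to the first-party server are not flagged, since eligibility checks need them; the same scan run with mode="internet" reports only the third-party leaks.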

Conclusions

Deployed Internet Voting Systems:

System                               Deployed Before   Barriers to        Poor / Misleading   Implementation &
                                     Public Analysis   Analysis &         Documentation       Design Flaws
                                                       Disclosure
Democracy Live (Specter et al. ‘21)  ✓                 ✓                  ✓                   ✓
Voatz (Specter et al. ‘20)           ✓                 ✓                  ✓                   ✓
Swiss Post (Teague et al. ‘20)       ✓                 ✓                                      ✓
Moscow (Gaudry et al. ‘19)           ✓                 ✓                  ✓                   ✓
Estonia (Springall et al. ‘15)       ✓                 ✓                  ✓                   ✓

Contributions & Impact

● Contributions:
  ○ Security analysis of a deployed Internet voting system in U.S. federal elections
  ○ First analysis of an RAVBM system
  ○ Found a number of security & privacy issues

● Impact:
  ○ New Jersey & Delaware halted use of OmniBallot for Internet voting!
  ○ However, still used in West Virginia and Denver in November 2020

specter@mit.edu // mspecter@