OmniBallot Online and LiveBallot
Make / Model: Democracy Live OmniBallot Online and LiveBallot
Equipment Type: Remote Ballot Marking System or Internet Voting System
Democracy Live’s OmniBallot Online system is a web-based platform that supports electronic blank ballot delivery, online ballot marking, and the electronic return of voted ballots (internet voting). OmniBallot Online is hosted on Amazon Web Services (AWS) cloud and can be configured and customized by jurisdictions to appear in different languages, require different levels of voter identification, and be hosted by the jurisdiction. OmniBallot Online is a server-side system, meaning a voter’s selections are sent to a remote server is employed for ballot marking and creation.
OmniBallot Online’s predecessor, LiveBallot, launched in 2008 and was first used in an election in 2010. In 2020, OmniBallot Online system is available to Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA) voters and voters with disabilities Voters with disabilities — it is not available in any jurisdictions for all registered voters. Voters with disabilities can use their own Audio-Tactile Interface (ATI) to mark their ballots through the system. Five counties in Florida continue to use the LiveBallot system.
Voters can access OmniBallot Online via a link from their county. They may receive this link via email or may be directed to the web application through their jurisdiction’s elections website. To access the system, a voter inputs varying levels of personal identifying information, such as their first and last name and date of birth. Submitting this information allows the system to provide the voter with the proper ballot style. The voter then may be required to further confirm their identity with a PIN received from their county and the last four digits of their Social Security Number (SSN).
The voter can access their electronic ballot on a computer, tablet, or mobile phone. The candidate and ballot initiative choices appear underneath headers (e.g. Representative to Congress). To make selections, a voter selects the box to the left of a candidate’s name and a check mark appears. To deselect a candidate, a voter selects the box again. To write in a candidate, a voter selects the box next to “(Write-in)” and then types in their selection. Voters receive instructions under the header to vote for one or vote for two candidates. Voters are prevented from overvoting and receive a warning if they attempt to overvote.
After completing the ballot marking process, the voter selects “Continue” to move to the Selection Review screen, where the voter is presented with a summary of their selections and is notified of any undervotes (e.g. “Missing 1 of 2 selections”). The voter can select CHANGE to return to any contest and resolve their undervotes or change their chosen selections. The voter then selects CONTINUE and, depending on the jurisdiction’s voted ballot return options, either prints their selections or makes their own determination of how to return their ballot (e.g. submit via fax, submit via email, or submit through the online portal). OmniBallot Online supports the electronic return of a voter’s voted ballot through the web portal (internet voting).
In a jurisdiction that requires voters to print and return their voted ballot by mail or drop off, the voter selects PRINT SELECTIONS to print a summary ballot, with only the voter’s selections listed. Depending on the jurisdiction, the summary ballot may include a bar code or QR code, which encodes the voter’s selections and allows the voter’s county or state to automatically duplicate their ballot onto scannable ballot stock. Some jurisdictions require a bipartisan team to manually remake ballots.
The voter will not have a chance to review this ballot before it is tabulated. After printing their summary ballot, the voter next selects CONTINUE to download their return packet, which, depending on the jurisdiction, may include instructions for returning a voted ballot and the voter oath, which must be signed or marked by the voter and signed by a witness. The return package downloads to the voter’s computer with a file name that is a string of letters and numbers. After downloading their return package, the voter selects END SESSION, which clears the voter’s ballot selections and prevents the voter from returning to view their ballot online. The voter is offered the option to scan their ballot so the ballot selections can be read back to the voter.
In jurisdictions that allow electronic return of voted ballots (internet voting), the voter is prompted to electronically sign their ballot after approving their selections on the review screen. The voter can use the trackpad on their computer or the screen on their tablet or mobile phone to sign, or can make their signature by typing it their name. The voter next selects CONTINUE. On the Electronic Return screen, the voter next selects VIEW PACKAGE to review their information and electronic signature, which will be matched against the voter’s signature on file with their jurisdiction’s election authority. The voter next reviews their ballot, which is a server-created PDF that looks like a traditional ballot, with all candidates listed — not just a summary ballot of the voter’s choices.
The voter next selects CLOSE PREVIEW, returns to the Electronic Return screen, and selects SUBMIT. The final screen tells the voter that their ballot and ballot return materials have been submitted but to allow up to three business days for their ballot to be processed.
West Virginia uses Democracy Live OmniBallot in 2020 Primary
Democracy Live OmniBallot Mobile Presentation
Michael A. Specter and J. Alex Halderman, Security Analysis of the Democracy Live Online Voting System (2020)
Florida Division of Elections Qualification Test Report: Democracy Live OmniBallot Version 1.1 (2020)
Florida Williams v. DeSantis Summary of Settlement Terms (2020)
Florida Qualification Test Report: Democracy Live LiveBallot, Version 3.0.38 (2016)
Electronic Return of Voted Ballot (Internet Voting) Supported
Every internet-connected system or device, including a remote ballot marking system that allows for the electronic return of voted ballots (internet voting), is vulnerable to attack. Internet voting systems do not provide a voter-verified paper record, which is the most reliable way to recover from an attack and check that the results were not tampered with. In their Security Analysis of the Democracy Live Online Voting System, Michael A. Specter and J. Alex Halderman accordingly note that there are high and even severe risks of using OmniBallot Online. If a hacker interferes with a voter’s selections after they have submitted a ballot, the voter has no way to review their actual printed ballot and likewise has “no practical ability to detect vote-changing attacks involving online ballot return.” There is also currently no trustworthy way for a voter to ensure that somebody else did not vote in their name. Read more about Verified Voting’s stance on internet voting here.
Unreadable Bar Codes and QR Codes
Even for those jurisdictions that provide OmniBallot Online for remote ballot marking only, Specter and Halderman note that an attacker could “encode false votes within barcodes, so that the ballot appears (to a human) to be marked for the voter’s selected candidate but will be counted by an optical scanner as a vote for a different candidate.” Bar codes and QR codes are not readable by humans and, as Specter and Halderman point out, the summary ballot could appear to the voter — or could be scanned and read back to the voter by the system — to be the same selections the voter made; however, when remade onto scannable ballot stock, the bar code or QR code could transpose the voter’s actual selections for those of the hacker’s choice.
Sharing of Voter’s Identity and Selections
In jurisdictions that allow for electronic return of voted ballots (internet voting), a voter can check their choices on the review screen and then download a PDF ballot that looks like a traditional ballot. According to Specter and Halderman, the OmniBallot Online web app “sends the voter’s identity and ballot choices to lambda.omniballot.us in order to generate the marked ballot PDF file,” so “an attacker with only passive access to the data processed by this service can learn voters’ ballot selections” and “misdirect certain ballots or cause them to be scanned as a vote for a different candidate.” Because voters often do not thoroughly review their printed ballots that they have marked on ballot marking devices at polling places, they would likely fail to notice this type of attack on their remotely marked PDF ballot and might submit it electronically without a thorough review.
AWS Cloud Hosting
Democracy Live also notes that OmniBallot Online uses AWS “Object Lock” so that, once a ballot is stored in the AWS cloud, a voter’s selections cannot be changed. However, as Specter and Halderman point out in their report, Object Lock can only protect files from modification after they are stored, meaning this technology does nothing to prevent modification of the ballot before it is stored. AWS Object Lock “also cannot protect ballots from modification by insiders at Amazon with internal access to the storage system, and, Democracy Live appears to use Object Lock in “governance mode,” the protections can be bypassed by the root user or other insider accounts with special permissions.”
Democracy Live was founded by Bryan Finney in 2007. In 2020, the company offers LiveBallot, an interactive ballot that provides voters information about candidates and issues, OmniBallot Online, Secure Select, and OmniBallot Tablet, which is used in polling locations and integrates with tabulation systems on the market.