Democracy Live’s OmniBallot Online system is a web-based platform that supports electronic blank ballot delivery, online ballot marking, and the electronic return of voted ballots (internet voting). OmniBallot Online is hosted on Amazon Web Services (AWS) cloud and can be configured and customized by jurisdictions to appear in different languages, require different levels of voter identification, and be hosted by the jurisdiction. OmniBallot Online is a server-side system, meaning a voter’s selections are sent to a remote server is employed for ballot marking and creation. Voters with disabilities can use their own Audio-Tactile Interface (ATI) to mark their ballots through the system; however, voters utilizing screen readers must turn off their screen readers to sign their name, before turning it back on to submit their ballot.

OmniBallot Online’s predecessor, LiveBallot, launched in 2008 and was first used in an election in 2010. Some counties in Florida continue to use the LiveBallot system.

Voters can access OmniBallot Online via a link from their county. They may receive this link via email or may be directed to the web application through their jurisdiction’s elections website. To access the system, a voter inputs varying levels of personal identifying information, such as their first and last name and date of birth. Submitting this information allows the system to provide the voter with the proper ballot style. The voter then may be required to further confirm their identity with a PIN received from their county and the last four digits of their Social Security Number (SSN).

The voter can access their electronic ballot on a computer, tablet, or mobile phone. The candidate and ballot initiative choices appear underneath headers (e.g. Representative to Congress). To make selections, a voter selects the box to the left of a candidate’s name and a check mark appears. To deselect a candidate, a voter selects the box again. To write in a candidate, a voter selects the box next to “(Write-in)” and then types in their selection. Voters receive instructions under the header to vote for one or vote for two candidates. Voters are prevented from overvoting and receive a warning if they attempt to overvote.

After completing the ballot marking process, the voter selects “Continue” to move to the Selection Review screen, where the voter is presented with a summary of their selections and is notified of any undervotes (e.g. “Missing 1 of 2 selections”). The voter can select CHANGE to return to any contest and resolve their undervotes or change their chosen selections. The voter then selects CONTINUE and, depending on the jurisdiction’s voted ballot return options, either prints their selections or makes their own determination of how to return their ballot (e.g. submit via fax, submit via email, or submit through the online portal). OmniBallot Online supports the electronic return of a voter’s voted ballot through the web portal (internet voting).

In a jurisdiction that requires voters to print and return their voted ballot by mail or drop off, the voter selects PRINT SELECTIONS to print a summary ballot, with only the voter’s selections listed. Depending on the jurisdiction, the summary ballot may include a bar code or QR code, which encodes the voter’s selections and allows the voter’s county or state to automatically duplicate their ballot onto scannable ballot stock. Some jurisdictions require a bipartisan team to manually remake ballots.

The voter will not have a chance to review this ballot before it is tabulated. After printing their summary ballot, the voter next selects CONTINUE to download their return packet, which, depending on the jurisdiction, may include instructions for returning a voted ballot and the voter oath, which must be signed or marked by the voter and signed by a witness. The return package downloads to the voter’s computer with a file name that is a string of letters and numbers. After downloading their return package, the voter selects END SESSION, which clears the voter’s ballot selections and prevents the voter from returning to view their ballot online. The voter is offered the option to scan their ballot so the ballot selections can be read back to the voter.

In jurisdictions that allow electronic return of voted ballots (internet voting), the voter is prompted to electronically sign their ballot after approving their selections on the review screen. The voter can use the trackpad on their computer or the screen on their tablet or mobile phone to sign, or can make their signature by typing it their name. However, voters utilizing screen readers must turn off their screen readers to sign their name, before turning it back on to submit their ballot. The voter next selects CONTINUE. On the Electronic Return screen, the voter next selects VIEW PACKAGE to review their information and electronic signature, which will be matched against the voter’s signature on file with their jurisdiction’s election authority. The voter next reviews their ballot, which is a server-created PDF that looks like a traditional ballot, with all candidates listed — not just a summary ballot of the voter’s choices.

The voter next selects CLOSE PREVIEW, returns to the Electronic Return screen, and selects SUBMIT. The final screen tells the voter that their ballot and ballot return materials have been submitted but to allow up to three business days for their ballot to be processed.

West Virginia uses Democracy Live OmniBallot in 2020 Primary

USENIX ’21 Security Analysis of the Democracy Live Online Voting System

Democracy Live OmniBallot Online and LiveBallot usage in November 2024
(click map for details)

Resources

Michael A. Specter and J. Alex Halderman, Security Analysis of the Democracy Live Online Voting System (2020)
Florida Division of Elections Qualification Test Report: Democracy Live OmniBallot Version 1.1 (2020)
Florida Williams v. DeSantis Summary of Settlement Terms (2020)
Florida Qualification Test Report: Democracy Live LiveBallot, Version 3.0.38 (2016)

Electronic Return of Voted Ballot (Internet Voting) Supported

Every internet-connected system or device, including a remote ballot marking system that allows for the electronic return of voted ballots (internet voting), is vulnerable to attack. Internet voting systems do not provide a voter-verified paper record, which is the most reliable way to recover from an attack and check that the results were not tampered with. In their Security Analysis of the Democracy Live Online Voting System, Michael A. Specter and J. Alex Halderman accordingly note that there are high and even severe risks of using OmniBallot Online. If a hacker interferes with a voter’s selections after they have submitted a ballot, the voter has no way to review their actual printed ballot and likewise has “no practical ability to detect vote-changing attacks involving online ballot return.” There is also currently no trustworthy way for a voter to ensure that somebody else did not vote in their name. Read more about Verified Voting’s stance on internet voting here.

Sharing of Voter’s Identity and Selections

In jurisdictions that allow for electronic return of voted ballots (internet voting), a voter can check their choices on the review screen and then download a PDF ballot that looks like a traditional ballot. According to Specter and Halderman, the OmniBallot Online web app “sends the voter’s identity and ballot choices to lambda.omniballot.us in order to generate the marked ballot PDF file,” so “an attacker with only passive access to the data processed by this service can learn voters’ ballot selections” and “misdirect certain ballots or cause them to be scanned as a vote for a different candidate.” Because voters often do not thoroughly review their printed ballots that they have marked on ballot marking devices at polling places, they would likely fail to notice this type of attack on their remotely marked PDF ballot and might submit it electronically without a thorough review.

Screen Reader Incompatibility

In 2020, Disability Rights WA, a nonprofit organization protecting the rights of people with disabilities in Washington state, identified an issue with screen reader incompatibility with Apple and Google operating systems. Voters utilizing screen readers must turn off their screen readers to sign their name, before turning it back on to submit their ballot.

AWS Cloud Hosting

Democracy Live notes that the AWS cloud has been certified for use by federal agencies under FedRamp certification, which is used by the Department of Homeland Security, U.S. Department of Defense, FBI, and the NSA. However, as Specter and Halderman point out in their report, when a voter votes or marks their ballot online, the app runs JavaScript loaded from Amazon, Google, and Cloudflare, making all three companies (as well as Democracy Live itself) potential points of compromise.

Democracy Live also notes that OmniBallot Online uses AWS “Object Lock” so that, once a ballot is stored in the AWS cloud, a voter’s selections cannot be changed. However, as Specter and Halderman point out in their report, Object Lock can only protect files from modification after they are stored, meaning this technology does nothing to prevent modification of the ballot before it is stored. AWS Object Lock “also cannot protect ballots from modification by insiders at Amazon with internal access to the storage system, and, Democracy Live appears to use Object Lock in “governance mode,” the protections can be bypassed by the root user or other insider accounts with special permissions.”