House Bill 1475 would transform how many voters in the state of Washington cast their ballots. Rather than trooping to the ballot box or mailing in absentee ballots, the bill would have allowed some voters, like those overseas or disabled, to vote and return their ballots online.
Election security experts have determined time and again that any kind of online ballot processing poses significant risks to the integrity, security and privacy of votes. Nonetheless, HB 1475 — and efforts in other states and at the federal level — embraces this controversial technology.
At the center of the effort to pass laws incorporating online voting is a company called Democracy Live.
At a Jan. 25 hearing before the State Government and Tribal Relations Committee of Washington’s lower house, Democracy Live CEO Bryan Finney and King County Director of Elections Julie Wise made the case for incorporating online voting.
Wise, who oversees elections in Washington’s most populous county, told the committee that she would follow up by emailing a letter from the University of Washington’s Center for Information Assurance and Cybersecurity, “where they go into great depth of reviewing what we’re talking about today.”
That letter was supposed to provide a testament to the security of Democracy Live’s products but did not disclose that one of the two people who signed the letter, Michael Hamilton, was a paid consultant for Democracy Live while testifying to the security of the company’s products. It also fails to mention that Democracy Live paid University of Washington employee Ran Hinrichs to serve as a project manager for work leading up to the letter, including an unpublished study referenced in it.
This conversation isn’t just happening in Washington. Legislators across the U.S. are considering various forms of online voting. In Vermont, H.429, would allow anyone currently voting absentee to vote online. That measure has passed the House and is being heard in the Senate Committee on Government Operations on Wednesday. New Jersey Assembly Bill No. A4746 requires the availability of accessible mail-in ballots for voters with disabilities and allows internet return of ballots. In Washington, D.C., lawmakers considered amendments to the National Defense Authorization Act of Fiscal Year 2022 that would have allowed service members stationed abroad to vote online.
Companies such as Democracy Live stand to benefit from this growing embrace of online voting, and to make the case that online voting systems are secure, Democracy Live helped fund and guide research aimed at dismissing concerns from many experts. Democracy Live then used this material to counter academic work that documented the security flaws of the company’s technology, according to emails and documents obtained in response to a public records request.
“What these people are advocating is something that the consensus of experts in the field has been extremely clear and unequivocal about being something we can’t do,” said Matt Blaze, McDevitt Chair of Computer Science and Law at Georgetown University.
A mystery letter
Founded in 2007, Democracy Live specializes in online voting technology for deployed service members, overseas voters and voters with disabilities. Its flagship product is OmniBallot, which allows voters to download a blank ballot and mark it manually, mark a ballot online and download the completed ballot as a PDF, or mark a ballot online and return it via an online portal.
In 2021, a pair of prominent election security researchers concluded in a study that the company’s flagship product is riddled with flaws. “We conclude that using OmniBallot for electronic ballot return represents a severe risk to election security and could allow attackers to alter election results without detection,” Michael Specter of the Massachusetts Institute of Technology and J. Alex Halderman of the University of Michigan wrote in a study published as part of the Usenix computer security conference in August of 2021.
The five-page letter dated November 2021 from the University of Washington’s Center for Information Assurance and Cybersecurity and referenced at the January hearing was intended to counter this research.
The letter does not include a security audit of OmniBallot; rather, it broadly argues that because federal agencies transmit sensitive documents using cloud computing, it’s likely that ballots can also be securely transmitted via the cloud. (One version of the letter was addressed to Secretaries of State, elections directors, and cybersecurity staff in support of a proposed amendment on electronic ballot transmission in the National Defense Authorization Act.)
In a video interview, Hamilton, one of the letter’s two signatories, told CyberScoop he did not disclose his affiliation with Democracy Live in the letter because he didn’t think it was relevant. While he is no longer a consultant for Democracy Live, Hamilton is still listed on their website’s leadership team page as Chief Security Consultant. In the letter, he lists many other credentials, including that he previously developed algorithms for hyperspectral remote sensing as an ocean scientist at the NASA Jet Propulsion Laboratory.
The letter’s other signatory was Barbara Endicott-Popovsky, who is listed as the Executive Director of the Center for Information Assurance and Cybersecurity at the University of Washington. The letter is written on letterhead bearing the University of Washington logo, followed by “University of Washington CIAC” and “Center for Information Assurance and Cybersecurity.”
Endicott-Popovsky is not affiliated with the Computer Science and Engineering Department on the main campus of the University of Washington campus, according to a University of Washington spokesperson. She served as the executive director of CIAC in a satellite campus in Bothell, Washington, “but she is no longer at the UW and the center no longer exists.”
“Faculty members and other researchers are free to express their views, but that those do not necessarily reflect those of the University of Washington,” a spokesperson wrote.
Endicott-Popovsky wrote in an email that she was not a spokesperson for Democracy Live and referred CyberScoop to Finney.
Although the letter appears to cite unbiased research from the University of Washington, the lack of transparency raises questions about the integrity of the academic work and whether the purpose was truly to conduct a risk assessment of voting technologies or to paint a favorable picture of the company and a technology that has repeatedly come under fire.
Hamilton and Popovsky’s letter uses Democracy Live’s own definitions for “voter verified paper ballots” and “internet voting.” It states that voting over an internet portal leads to a “voter verified paper ballot” even though voters themselves do not actually verify or even view the paper that a polling place receives — so the paper ballots generated are not voter-verifiable in the typical sense.
The Election Assistance Commission defines a voter-verified paper trail as “physical paper records of voter ballots as voters have cast them on an electronic voting system,” and states that the “voter-verified” part of the voter-verified paper trail “refers to the fact that the voter is given the opportunity to verify that the choices indicated on the paper record correspond to the choices that the voter has made in casting the ballot.”
Democracy Live’s system, Halderman said, is “not a voter verified paper trail in any sense of the word.”
The letter further claims that Democracy Live’s “cloud-based ballot transmission” system does not qualify as online voting in part because votes aren’t tabulated online. However, the EAC defines internet voting as “the return of a voted ballot or voter information packet by email or through the use of an Internet supported application.”
Manufacturing a research agenda
The Specter-Halderman study created a major headache for Democracy Live.
Speaking at the Jan. 25 hearing, Finney, the Democracy Live CEO, tried to shrug it off as a “term paper.” Hamilton, the letter signatory, told CyberScoop he believed the paper was written by an undergraduate student, was never peer-reviewed and never published in an academic journal.
In fact, the study’s authors are leading election technology security experts, and the paper did go through the peer review process and was published at the Usenix Security conference in 2021, one of the most prestigious and competitive venues for security research. That year, the acceptance rate for papers was 19%.
To counter that study, Democracy Live recruited Hamilton, Endicott-Popovsky and Ran Hinrichs, who is currently listed on the University of Washington website as an instructional assistant. Emails released in response to a public records request indicate that Democracy Live agreed to pay Hinrichs $90 an hour (up to $15,000) as a project manager and to coordinate between Finney, Hamilton, Endicott-Popovsky and a team of recent graduates to manage a research project that was meant to culminate in a risk and threat analysis report by the University of Washington Center for Information Assurance and Cybersecurity.
Endicott-Popovsky would provide “academic oversight including publication oversight,” the recent graduates would provide a risk analysis, and Hinrichs would provide “neutral communication” between Finney and Hamilton, her and the recent graduates, according to emails reviewed by CyberScoop.
But communication about the project did not appear entirely neutral. Both Finney and Hinrichs referred to those raising security issues about online voting as “the opposition.”
Hinrichs saw countering the MIT paper as one of his goals. “We want to have something in the end that a Senator, or a Secretary of State can put side by side with the Specter paper,” Hinrichs wrote in an email to his colleagues on the project.
Hinrichs did not respond to an email request for an interview.
Finney reviewed drafts of the risk analysis, provided edits, suggested limiting the scope of the study to fit his political needs, and tried to time publication to coincide with his meetings with legislators and policy makers. Finney stated that the best use of his expertise would be to review the academic paper drafted by the University of Washington team.
“We need an academic paper that can balance the outdated antagonistic literature that is being circulated to members of Congress and policy makers,” Finney wrote in one email to his colleagues. “Of course, the goal of this paper will be for it to be academically acceptable and easily digestible by legislators and policy makers to decide whether to allow cloud computing to transmit ballots, compared to email and fax.”
“I am happy to review once again after it is converted into an academic paper,” Finney added. “I think that will be the best use of my SME.”
Based on emails reviewed by CyberScoop, Hinrichs offered Democracy Live the chance to shape the final document, asking Finney and Democracy Live CTO Island Pinnick for “executive bullet points on what you think the paper should say a) technically (Island), b) politically (Bryan).”
“I bet we have them covered, but it would be great to get an image of your brain,” he wrote.
Finney also had the opportunity to suggest deletions. In an email asking for markups, Hinrichs wrote, “I’d like to make sure that Barbara doesn’t have to go over anything you’ve rejected as our Subject Matter Expert.”
In an email to CyberScoop, Finney said his company provided input to the report. “We provided subject matter expertise on how our system works and the elections-related background around the laws and the various electronic ballot transmission options,” Finney told CyberScoop in an email. In a separate interview, Finney said he was unfamiliar with typical protocols for disclosing funding for academic research. “We’re not trying to hide anything,” he said.
Additionally, Finney tried to control the timing of the report, asking for it to be released before a meeting to discuss the future of online voting technology with Washington state’s then-secretary of state, Kim Wyman.
“Having your report out in advance of the meeting with the SoS would be extremely helpful,” Finney wrote in a Sept. 16, 2021, email. “She gave me a mission over a year ago to bring her a report from an academic that stated this technology could be responsibly deployed.”
A spokesperson for the Cybersecurity and Infrastructure Security Agency, where Wyman is now a senior advisor, did not immediately return a request for comment about communication between Finney and Wyman.
In March 2022, Finney emailed Hinrichs in hopes of getting the unpublished academic paper up on the University of Washington website. “Is there a UW page for papers like these? Do you have any way of posting the paper somewhere so the link can be socialized among policy makers?”
As Congress considered an amendment to the National Defense Authorization Act for Fiscal Year 2022, H.R. 4350, that would have allowed servicemembers posted abroad to vote electronically, Finney was eager to get the work of the University of Washington researchers in front of staffers of Sen. Jack Reed, D-R.I., the powerful chair of the Senate Armed Services Committee.
“The Chief of Staff for Sen. Jack Reed was hoping to send the link to his colleagues as Congress is currently deliberating the issues that were raised in the paper,” Finney wrote in an email on March 10, 2022.
Reed’s press secretary, Chip Unruh, was unable to verify that Finney had been in touch with Reed’s office. “I did find a zoom meeting that this individual participated in with a member of our staff. But rest of info doesn’t track,” he wrote in an email.
Getting Democracy Live’s materials in front of lawmakers “would help balance the individual academics from Princeton, MIT, Cal Tech, Stanford, Michigan, et al who are essentially saying keep fax and email voting and do not move toward cloud computing to electronically transmit ballots,” Finney added, referring to a letter of concern from election security experts about the risks of embracing online voting technology.
Including the online voting amendment in the NDAA would likely have represented a major windfall for Democracy Live. “That [amendment] would have put big federal dollars into National Defense authorization, which would translate to big federal dollars for Democracy Live,” said Susan Greenhalgh, senior adviser on election security at Free Speech for People.
An inherently insecure technology
Finney maintains that OmniBallot remains more secure than current voting via email attachment or fax, which have been used by some overseas military voters and some voters with disabilities. “OmniBallot is constantly evolving and improving and has had more independent testing than any other electronic ballot transmission technology,” he told CyberScoop. “Nothing is a hundred percent, so the question is: Can we make it as secure as possible while not ignoring underserved, disenfranchised voters?”
Election security experts are skeptical. Despite Democracy Live’s focus on the work of Specter and Halderman, Specter points out that he is far from alone in seeing internet voting as far too risky and that this is a consensus finding among the academic and security communities. “It’s not just me saying this,” he said.
A 2018 National Academy report, a risk assessment by the Department of Homeland Security, FBI, the Election Assistance Commission, and the National Institute for Standards and Technology and a working group statement from UC-Berkeley’s Center for Security in Politics all conclude that current technology is not yet able to provide the level of security needed for widespread use in public elections.
“Internet voting itself is a research problem. It’s not a problem that can be solved by better engineering as far as I can tell,” Specter said. “We don’t really know how to do it appropriately yet.”
Even if Democracy Live were to make reports of its security tests public, it might not be enough to garner confidence because penetration testing doesn’t encompass all the ways that a system might fail, such as bugs in the underlying operating system of a server or computer. Blaze believes testing is not useful for providing assurance that nobody else is going to come along and find a bug and exploit it.
“Replacing an insecure system with another insecure system that has additional ways in which it can fail because it has a much larger attack surface is not an improvement,” Blaze said. “The ways in which systems like this can fail and can be attacked have very serious consequences for the integrity of the election. And the more people using it, the more serious those consequences are.”
But Finney is still holding out hope and plans to restart work with Endicott-Popovsky, who is now at Portland State University, to see if the research can be updated with Democracy Live’s most recent testing and advancements.