RALEIGH — In 2020, N.C. State Board of Elections Director Karen Brinson Bell made a successful push for the state to establish an online absentee ballot portal during COVID-19, however, emails show such a portal was already in the works long before the pandemic began.
Emails obtained by North State Journal show discussions between the N.C. State Board of Elections (NCSBE) and Democracy Live about adding an online absentee ballot portal happening as early as June of 2019; almost nine months prior to the emergence of COVID-19 in the state.
Democracy Live’s system utilizes “OmniBallot,” an online ballot replication system. The online absentee ballot portal powered by Democracy Live was first publicly named by the NCSBE in September of 2020.
According to a 2020 security analysis of OmniBallot conducted by Michael Specter of MIT and J. Alex Halderman of the University of Michigan, “OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter’s device and by insiders or other attackers who can compromise Democracy Live, Amazon, Google, or CloudFlare.”
The records request also revealed that Democracy Live offered grant funding from a Democrat-tied organization called Tusk Philanthropies to NCSBE officials to help pay for an online absentee ballot portal.
President of Democracy Live Bryan Finney confirmed in an email that North Carolina declined the Tusk grant offer but did not answer how and why the grants came into play or how much the grants were for and which states took them up on the offer.
When asked about the grant, Bell and the NCSBE responded in an email to North State Journal that “We did not request nor receive a grant from Tusk Philanthropies.”
“We met the Tusk grant team at an elections conference in 2019 and they described their grant program to aid states or counties that wanted to pilot alternative methods of electronic ballot transmission but did not have the funding,” Finney said in response to questions from North State Journal about the grant. “Since the #1 reason states and counties still transmit ballots by fax machines and email attachments is due to a lack of funding, we thought the grant program could be helpful.”
Tusk Philanthropies is one of several properties housed under Tusk Venture Partners, a New York-based venture capital firm that is one of the several Tusk entities.
Tusk was founded in 2011 by Democrat political strategist Bradley Tusk, who was the acting campaign manager for Michael Bloomberg’s successful 2009 mayoral re-election bid. Tusk Philanthropies was headed up by Sheila Nix, the former chief of staff to Jill Biden when her husband served as vice president under the Obama administration.
Tusk Philanthropies has not yet responded to requests for comment.
The Tusk grant money is similar to cases in multiple states where money from outside entities flowed into elections systems during 2020 such as grants issued by the Schwarzenegger Foundation and Facebook’s Center for Tech and Civic Life (CTLC).
An investigation by North State Journal found that the Schwarzenegger Institute dropped almost $190,000 into NC 2020 elections. Mark Zuckerberg, through CTLC, funneled over $419 million into 49 states during the 2020 election cycle. Thirty-five North Carolina counties received CLTC funds and the state overall received over $5.395 million from the group. The N.C. State Board of Elections received $1 million of that total.
The General Assembly passed a bill in 2021 to bar outside money in state elections like the funds that flowed into North Carolina during 2020, however, Gov. Cooper vetoed the measure. In his veto message, Cooper said money received in 2020 from outside entities was “needed for necessities” and “other protective equipment” related to the pandemic while also defending taking outside money by accusing the legislature of not properly funding state elections.
DEMOCRACY LIVE AND OMNIBALLOT
Democracy Live was launched in 2007 and boasts it is “the only cloud-based balloting provider.”
The organization’s website states their applications have been “deployed in 4,000 elections, serving over 10 million voters in 2,500 jurisdictions and 21 states.” The system has apparently been used in the past by the U.S. State Department and by Department of Defense personnel.
Additionally, the group’s website claims that due to partnerships with Amazon and Microsoft, “Democracy Live is the largest provider of cloud and tablet-based voting technologies in the U.S.”
The organization is also the creator of “OmniBallot,” a web-based, digital balloting system used for blank ballot delivery and ballot marking, that also offers an option of online voting.
In an email response to North State Journal, NCSBE’s Brinson Bell confirmed that OmniBallot for North Carolina “absentee ballot requests, Federal Post Card Application requests through the Federal Voting Assistance Program, Uniformed and Overseas Citizens Absentee Voting Act returns and visually impaired voter returns and sample ballots.” Brinson Bell also told North State Journal “We only use the OmniBallot Online, not OmniBallot Tablet.”
As previously mentioned, OmniBallot has been cited as having numerous security issues according to the Specter/Halderman 2020 security analysis.
The analysis states that, “Democracy Live, which appears to have no privacy policy, receives sensitive personally identifiable information including the voter’s identity, ballot selections, and browser fingerprint that could be used to target political ads or disinformation campaigns.”
The security report also says, “Even when OmniBallot is used to mark ballots that will be printed and returned in the mail, the software sends the voter’s identity and ballot choices to Democracy Live, an unnecessary security risk that jeopardizes the secret ballot.”
The analysis concluded that “using OmniBallot for electronic ballot return represents a severe risk to election security” and could allow attackers to alter election results without detection.”
Specter and Halderman conducted some reverse engineering and revealed that Omniballot’s architecture for how they load information to their servers as problematic.
“The app runs JavaScript loaded from Amazon, Google, and CloudFlare, making all three companies (as well as Democracy Live itself) potential points of compromise for the election,” reads the text accompanying a graphic on Omniballot’s architecture.
Specter and Halderman also found Democracy Live receives each voter’s Personally Identifiable Information (PII) including party, DOB and partial social security numbers and that the group receives browser fingerprint from each user, making voters a potential target for bad actors, scams, hacking or other problematic activities.
Brinson Bell did not answer North State Journal’s question on whether or not she or her staff were aware of or had read the Specter/Halderman report on OmniBallot’s vulnerabilities.
“We reviewed guidance (marked For Official Use Only) from the Cybersecurity & Infrastructure Security Agency (CISA) of the Department of Homeland Security, which provided a risk overview,” wrote Brinson Bell. “An online portal posed less risk than continuing to rely on email, which can be easily phished, spammed and subject to malware. The portal also ensures compliance with state and federal law.”
Additionally, the pair found that ballot selections made by a voter are sent to Democracy Live’s servers even if the voter opts to print their own ballot.
Democracy Live uses CloudFlare to replicate its services on foreign-based servers as a part of its CDN (Content Delivery Network) services to overseas voters, including military voters. Routing voters through foreign services breaks legal protections for U.S. voters.
Finally, CISA created draft guidelines for Internet Voting which discourages using many of the features found in OmniBallot.
The guidelines were included in a report titled, “Risk Management for Electronic Ballot Delivery, Marking, and Return.” A search of the CISA website in 2022 did not find this report, however, a copy was uploaded to the document repository website Scribd by The Guardian.
When asked if the Omniballot system had ever received a forensic security audit after the 2020 election by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), U.S. Elections Assistance Commission (EAC), or any other official US entity, Finney told North State Journal that “We completed a CISA and DHS review in 2020.”
“We have recently reached out to CISA to schedule another review and are waiting to hear back from CISA,” Finney wrote.
In response to questions on whether or not Omniballot had ever been certified by an official Voting Systems Test Laboratory (VSTL) for compliance with EAC and NIST standards, Finney said neither entity had a certification program for non-voting tabulation systems.
“The only systems the EAC certifies are tabulation voting systems. (We have asked.) They do not certify voter registration, poll books, election night reporting, or ballot transmission technologies,” wrote Finney. He also said that his company had asked EAC in 2016 and were told the EAC cannot certify non-tabulation systems.
