Political organization

Democrat-linked organization linked to funding bid for North Carolina mail-in voting portal – The North State Journal

Photo by Karen Brinson Bell via North Carolina State Board of Elections website

RALEIGH — In 2020, North Carolina State Board of Elections Director Karen Brinson Bell successfully lobbied for the state to establish an online mail-in ballot portal during COVID-19, however , the emails show that such a portal was already underway long before the start of the pandemic.

Emails obtained by the North State Journal show discussions between the NC State Board of Elections (NCSBE) and Democracy Live about adding an online mail-in ballot portal as early as June 2019; nearly nine months before COVID-19 emerged in the state.

Democracy Live’s system uses “OmniBallot”, an online ballot replication system. The online mail-in voting portal powered by Democracy Live was first publicly named by the NCSBE in September 2020.

According to a 2020 Security Scan of OmniBallot conducted by Michael Specter of MIT and J. Alex Halderman of the University of Michigan, “OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the user’s device. voter and by insiders or other attackers who may compromise Democracy Live, Amazon, Google or CloudFlare.

The request for documents also revealed that Democracy Live offered a grant from a Democrat-linked organization called Tusk Philanthropies to NCSBE officials to help pay for an online mail-in ballot portal.

Democracy Live President Bryan Finney confirmed in an email that North Carolina declined Tusk’s grant offer, but did not respond to how and why the grants came into play or how much s raised the subsidies and which states had accepted them.

Asked about the subsidy, Bell and the NCSBE replied in an email to the North State Journal that “We did not ask or receive a grant from Tusk Philanthropies.

“We met with Tusk’s grant team at an election conference in 2019 and they described their grant program to help states or counties that wanted to pilot alternative methods of transmitting electronic voting but did not have funding,” Finney said in response to questions from North. State Journal on the grant. “Since the #1 reason states and counties are still faxing ballots and email attachments is due to a lack of funding, we thought the grant program could be useful.”

Tusk Philanthropies is one of many properties hosted by Tusk Ventures, a New York-based venture capital firm that is one of many Tusk properties.

Tusk was founded in 2011 by Democratic political strategist Bradley Tusk, who was the acting campaign manager for Michael Bloomberg’s successful 2009 mayoral re-election bid. Tusk Philanthropies was run by Sheila Nix, the former head of office of Jill Biden when her husband was vice president under the Obama administration.

Tusk Philanthropies has not yet responded to requests for comment.

The Tusk grant money is similar to cases in several states where money from outside entities poured into electoral systems in 2020, such as grants from the Schwarzenegger Foundation and the Center for Tech and Civic Life ( CTLC) from Facebook.

A North State Journal investigation found that the Schwarzenegger Institute lost nearly $190,000 in the 2020 NC election. Mark Zuckerberg, through CTLC, funneled more than $419 million into 49 states during of the 2020 election cycle. Thirty-five counties in North Carolina have received CLTC funds, and the state as a whole has received more than $5.395 million from the group. The North Carolina State Board of Elections received $1 million of that total.

The General Assembly passed a bill in 2021 to ban outside money in state elections, such as the funds that flowed to North Carolina in 2020, however, Governor Cooper vetoed the measure. In his veto message, Cooper said money received in 2020 from outside entities was ‘necessary for necessities’ and ‘other protective equipment’ related to the pandemic while also defending taking money outside by accusing the legislature of not properly funding state elections.

LIVE AND OMNIBALOT DEMOCRACY

Democracy Live was launched in 2007 and boasts of being “the only cloud-based voting provider”.

The organization’s website says their apps have been “deployed in 4,000 elections, serving more than 10 million voters in 2,500 jurisdictions and 21 states.” The system has apparently been used in the past by the US State Department and Department of Defense personnel.

Additionally, the group’s website claims that due to partnerships with Amazon and Microsoft, “Democracy Live is the largest provider of cloud-based and tablet-based voting technology in the United States.”

The organization is also the creator of “OmniBallota web-based digital voting system used for blank ballot delivery and ballot marking, which also offers an online voting option.

In an email response to the North State Journal, NCSBE’s Brinson Bell confirmed that OmniBallot for North Carolina “mail-in ballot requests, federal postcard request requests through the Federal voting, Absentee Voting Act returns from Uniformed and Overseas Citizens and visually impaired voter returns and samples ballots. Brinson Bell also told the North State Journal “We only use OmniBallot Online, not OmniBallot Tablet.”

As mentioned earlier, OmniBallot has been cited as having numerous security issues according to the Spectre/Halderman 2020 Security Scan.

The analysis states that “Democracy Live, which appears to have no privacy policy, receives personally identifiable sensitive information including voter identity, ballot selections and browser fingerprint that could be used to target political advertising or disinformation campaigns”.

The security report also states: “Even when OmniBallot is used to mark ballots that will be printed and mailed back, the software sends the voter’s identity and voting choices to Democracy Live, a risk of unnecessary security that jeopardizes the secret ballot.”

The analysis concluded that “using OmniBallot to return electronic ballots poses a serious risk to election security” and could allow attackers to alter election results undetected.”

Specter and Halderman reverse-engineered and revealed that Omniballot’s architecture for how they load information onto their servers was problematic.

“The app runs JavaScript loaded from Amazon, Google and CloudFlare, making all three companies (as well as Democracy Live itself) potential election compromise points,” reads text accompanying a graphic on the app. architecture of Omniballot.

Image from “Security Analysis of the Democracy Live Online Voting System” by Michael A. Specter and J. Alex Halderman. June 7, 2020.

Specter and Halderman also discovered that Democracy Live receives each voter’s personal identification information (PII), including party, birthdate, and partial social security numbers, and that the group receives the voter’s fingerprint. each user’s browser, making voters a potential target for bad actors, scams, hacking or the like. problematic activities.

Brinson Bell did not respond to the North State Journal’s question about whether she or her staff were aware of or had read the Spectre/Halderman report on OmniBallot vulnerabilities.

“We have reviewed guidance (marked for official use only) from the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA), which provided an overview of the risks,” Brinson Bell wrote. “An online portal was less risky than continuing to rely on email, which can be easily hacked, spammed and prone to malware. The portal also ensures compliance with state and federal laws. »

Additionally, the pair found that ballot selections made by a voter are sent to Democracy Live’s servers even if the voter chooses to print their own ballot.

Democracy Live uses Cloud Flare to replicate its services on overseas-based servers as part of its Content Delivery Network (CDN) services to overseas voters, including military voters. Routing voters through foreign services violates legal protections for US voters.

Finally, CISA has created draft Internet Voting Guidelines that discourage the use of many features found in OmniBallot.

Image from the 2020 “Risk Management for Electronic Ballot Delivery, Marking, and Return” report, produced by the US Cyber ​​and Internet Security Agency.

The guidelines were included in a report titled “Risk Management for the Delivery, Marking and Return of Electronic Ballots.” A search of the CISA website in 2022 did not find this report, however, a copy was uploaded to the Scribd document repository website by The Guardian.

When asked if the Omniballot system had ever undergone a forensic security audit after the 2020 election by the US Cybersecurity and Infrastructure Security Agency (CISA), the US Elections Assistance Commission (EAC) or any other official US entity, Finney told the North State Journal that “We completed a CISA and DHS review in 2020.”

“We recently contacted CISA to schedule another review and are awaiting a response from CISA,” Finney wrote.

In response to questions about whether Omniballot had ever been certified by an official Voting Systems Testing Laboratory (VSTL) for compliance with EAC and NIST standards, Finney said that no entity had a certification program. certification for non-voting tabulation systems.

“The only systems the EAC certifies are tab voting systems. (We asked.) They do not certify voter registration, poll books, election night reporting, or ballot transmission technologies,” Finney wrote. He also said his company applied to the EAC in 2016 and was told that the EAC could not certify systems without tabs.