SC is using new internet-based tech to vote. It’s vulnerable to hacking, experts say

This year, South Carolina welcomed into its arsenal of election technology two systems that connect to the internet — one of the features that makes them vulnerable to hacking, voting experts say.


Both the state’s new electronic poll book system and a new online platform called OmniBallot, made to help a small group of S.C. voters stationed overseas send their ballots home, rely on internet access.

Members of some military and government service groups and their families, along with citizens outside the United States who are registered to vote in South Carolina, had access to the new OmniBallot system when voting this year. In 2016, the group — classified as “UOCAVA citizens” after the Uniformed and Overseas Citizens Absentee Voting Act that grants them special voting privileges — cast 8,621 ballots, said Chris Whitmire, a spokesperson for the State Election Commission (SEC).

Before OmniBallot, the UOCAVA citizens were allowed to send their ballots by fax, email or mail. Those legacy options were still available to them during the 2020 presidential election.

But now, when using the platform, voters can download their unique ballots by accessing a single URL online, according to the website of Democracy Live, the private company that makes the product. The system is accessible to people with disabilities and is secure, it says.

“We’ve had over 100 cybersecurity researchers review the system, they haven’t been able to get in the system or compromise it,” confirmed Bryan Finney, the founder and president of Democracy Live.

Yet in June, a final-year PhD candidate at MIT and a professor of computer science and engineering at the University of Michigan analyzed the OmniBallot platform and found it wanting.

“We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter’s device,” wrote the researchers. “In addition, Democracy Live, which appears to have no privacy policy, receives sensitive personally identifiable information — including the voter’s identity, ballot selections, and browser fingerprint — that could be used to target political ads or disinformation campaigns.”