Cybersecurity experts are warning that Maryland’s online absentee-ballot system is dangerously vulnerable to tampering and privacy invasions, both growing concerns in a year when hackers have breached the Democratic National Committee and attempted to access boards of elections in at least two states.
The system allows voters who request an absentee ballot to access the form online and send back a printed hard copy, with their votes marked by hand or with a new online tool that allows users to mark the document with the click of a mouse or the touch of a keyboard, then print it for mail delivery. Until this year, in large part because of security concerns, the latter option was available only to people with disabilities.
Critics say it is easy for impostors to use stolen credentials to request absentee ballots or for cyberthieves to hack in and retrieve data about who is requesting ballots or details of votes that were marked online.
All registered voters in Maryland are allowed to request an absentee ballot, regardless of whether they will be away from their polling station on Election Day.
With less than six weeks before Election Day, officials say they have taken steps to safeguard their online system, which was required as part of a 2013 law designed to increase voter participation and make voting more accessible. The board voted 4 to 1 on Sept. 14 to certify broad use of the online marking tool.
“The issue of electronic-ballot delivery is resolved,” Nikki Charlson, deputy administrator of the Maryland State Board of Elections, said Thursday. “The General Assembly has made its policy decision, and without a repeal of the statute, it is what it is.”
A group of computer scientists and cybersecurity experts wrote to the board two days before its vote and urged it not to certify the system, saying the setup would “make Maryland one of the most vulnerable states in the U.S. for major election tampering.”
Save Our Votes, a voting-integrity group, says the state board shouldn’t have certified the online marking tool, arguing that Maryland law prohibits the panel from greenlighting any voting program until it can ensure the secrecy of ballots.
“No information transmitted over the internet can be considered private or secure,” the group said in an August letter to the board.
Michael Greenberger, a University of Maryland law professor and director of the school’s Center for Health and Homeland Security, told the board in a letter that any online ballot-delivery system would be “far too vulnerable to hacking by bad actors who seek to compromise the integrity of American elections.”
Charlson said the elections board has implemented numerous safeguards, including software that tries to identify and exploit potential vulnerabilities, regular monitoring for suspicious behavior and the use of best practices for information technology. She said the panel has no plans to take additional action.
During the board’s meeting on Thursday, members met in a private session to discuss the security of the online system but did not share details of that conversation.
Chairman David J. McManus Jr. (R) and Vice Chairman Patrick J. Hogan (D) said that the state had adequately tested the system and that no online program could be completely secure.
“I felt comfortable, based on briefings that we had from our information-technology staff as well as the contractors,” Hogan said. “Based on the continued work that is going on, it’s as secure as it can be. The idea that any system is 100 percent secure — there is no such thing. If you took that attitude, you would never have any system.”
Kelley A. Howells (R), the board member who voted against certification, said she was “worried by some of the writings of people at major universities saying ‘stay away from the Internet.’ ” But she said she feels confident with the work of the board’s information-technology team.
Charlson said that the state had sent out about 10,000 emails to voters who wanted to access absentee ballots as of Thursday and that 4,200 of those accounts had been logged into. Among those users, 2,500 had chosen to mark their ballots by hand, while 1,800 had chosen to use the online tool to mark their ballots.
The 2013 law requires online delivery of absentee ballots for all voters who request the service. It says the state board had to certify that the online ballot-marking system would ensure privacy before deploying it.
After a divided board refused to certify the marking tool in 2014, advocates won a federal court order that required the state to make the option available for the disabled anyway.
The 2016 presidential election will be the first time the state has offered the online ballot-marking system to all absentee voters.
More than 30 states use some form of electronic system for ballot delivery.
Alaska and Washington are the only other states that allow all voters to obtain absentee ballots from personal computers. Unlike Maryland, both of those states use a signature-verification process. Alaska also allows ballots to be submitted online.
“Very little information is required to impersonate a voter and request an online absentee ballot,” Save Our Votes said in its letter.
North Dakota permits electronic ballots for overseas citizens and military members, while Missouri provides them only for members of the military serving abroad.
At least 20 other states and the District will allow certain voters living overseas to return their absentee ballots via email or fax in the upcoming election.
The threat of cyberattacks against electronic-voting systems has caused alarm within the Obama administration. Last month, U.S. Homeland Security Secretary Jeh Johnson said the federal government should consider designating electronic-ballot-casting systems as “critical infrastructure,” meaning that, like the nation’s power grid, they would require enhanced protections.
Very little polling has been conducted on support for online voting systems. But a 2007 ABC-Facebook poll found that 54 percent of respondents opposed allowing people to vote on the Internet even if it could be made secure from fraud, while 67 percent thought it would take many years to make an Internet voting system secure from fraud.
Sari Horwitz and Scott Clement contributed to this report.