Already voted error

[Billy Davidson]

I have a currently open election.  We've been using OpaVote since 2020,  but suddenly this time I have 3 reports out of under 100 votes cast that they recieved an "already voted message" after they had filled out the ballot when pressing the final vote button, not when they clicked the email link.  The screenshot I was sent also doesn't match the message I get when I re-click the email link.  I'm wondering if there's some new prefetch going on that's causing an issue, or a network roaming issue, or even an accidental double click happening.  The particular user with the screenshot below had a vote registered at 4:50, while you can see 4:52 on the screenshot.  This was also an apple phone, I had another report from an android device.

[Michael “Mike” Chen]

I have at least 3 people who also reported this on an election that I ran.

[Zee Spencer]

Hey folks!

Thank you so much for letting us know. We've been investigating this and have been unable to reproduce and isolate it. Are you available to email te...@opavote.com so we can get more information for debugging?

From what we have noticed, this bug only appears in contests where voters are allowed to select no candidates. In each case, it results in a blank ballot for the voter. Currently, we have two workarounds:

1.  Require choosing a candidate to submit the vote. (Note: This may not be advisable in every situation)
2. Provide a code ballot to voters who are being told they already voted when they have not.

While neither of these are ideal, this should allow elections to proceed and collect valid ballots from every voter.

We apologize for the inconvenience, and are working to remediate this issue with utmost haste.

- Zee

[Ana Ulin]

Hi folks!

We've determined the cause of these errors.

We see in our application logs that, for some users, an automated process opens the voting link at the same time as the voter does, and then submits the empty voting form before the legitimate voter does. By the time the voter submits their ballot, the empty ballot from the bot has already been recorded, and the voter gets the "already voted" error. This is happening consistently for all the examples of the error that we have individually analyzed.

We don't think this is malicious activity. It appears some email clients are going beyond link prefetching to speed up page load when a user visits a link from an email, and are now doing more active crawling of and interacting with links in order to determine if they are malicious, and they are now going as far as automatically submitting forms. It is difficult to find any conclusive information on how, when or why some email clients are doing this (it makes sense, if this is meant as a security protection, they are playing cat-and-mouse with malicious actors and don't want to disclose their methods). There are some references to these behaviors in GMail documentation, user forums, and Stack Overflow.

We can't control this behavior, as it happens outside of OpaVote, and we have no reliable way to distinguish one of these bots from a legitimate voter. Instead, we are working on an improvement to our Vote page, which will require voters to take an additional action to confirm that they indeed want to submit a fully empty ballot. This will make it harder for legitimate voters to accidentally submit empty ballots, and should prevent automated systems from submitting empty ballots on behalf of users.

We hope to have this fix available before the end of this week.

In the meantime, if you want to run an election and avoid this problem, we suggest having at least one contest where you don't allow an empty vote -- that way fully empty votes will not be accepted for your election, and users will have to actively interact with the ballot before submitting it.

For the computer folks out there, if you're curious, this is what this behavior looks like in our logs:

-- Ana

Team OpaVote

--
You received this message because you are subscribed to the Google Groups "OpaVote Support Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to opavote-suppo...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/opavote-support/d513ff53-e1c6-483f-94c9-23647c69c94dn%40googlegroups.com.

[Ana Ulin]

Hi again,

We deployed a change on Friday (Aug 29th) to require users to check a box to confirm that they indeed want to cast an empty ballot. We haven't seen the "already cast vote" error happening since this change went out, so we're hopeful that this confirmation box makes it harder for bots to submit empty ballots on behalf of voters. And of course it makes it harder for voters themselves to accidentally submit an empty ballot!

As always, let us know if you see any other issues or have any questions. You can also reach out to us at te...@opavote.com for individualized support.

-- Ana

Team OpaVote