As President Donald Trump had steadily said he believes his good friend Vladimir Putin that Russia never interfered with our 2016 elections, the Pentagon and FBI have warned about their meddling in our 2020 elections. Nothing is being done to protect our election systems, so it’s fallen on private companies like Microsoft to step up and help protect our democracy.
Microsoft has announced an ambitious effort to make voting secure, verifiable and subject to reliable audits by registering ballots in encrypted form so they can be accurately and independently tracked long after they are cast.
Two of the three top U.S elections vendors have expressed interest in potentially incorporating the open-source software into their voting systems.
The software is being developed with Galois, an Oregon-based company separately creating a secure voting system prototype under contract with the Pentagon’s advanced research agency, DARPA. Dubbed “ElectionGuard,” it will be available this summer, Microsoft says, with early prototypes ready to pilot for next year’s U.S. general elections.
CEO Satya Nadella announced the initiative Monday at a developer’s conference in Seattle, saying the software development kit would help “modernize all of the election infrastructure everywhere in the world.”
Three little-known U.S. companies control about 90 percent of the market for election equipment, but have long faced criticism for poor security, antiquated technology and insufficient transparency around their proprietary, black-box voting systems.
Open-source software is inherently more secure because the underlying code is easily scrutinized by outside experts but has been shunned by the dominant vendors whose customers — the nation’s 10,000 election jurisdictions — are mostly strapped for cash.
None offered bids when Travis County, Texas, home to Austin, sought to build a system with the “end-to-end” verification attributes that ElectionGuard promises to deliver.
Two of the leading vendors, Election Systems & Software of Omaha, Nebraska, and Hart InterCivic of Austin, Texas, both expressed interest in partnering with Microsoft for ElectionGuard. A spokeswoman for a third vendor, Dominion Voting Systems of Denver, said the company looks forward to “learning more” about the initiative.
Anyone with an existing voting system or developing a new one will be able to incorporate ElectionGuard — at the state or local level in the U.S. or national level for jurisdictions abroad.
“Once the barrier to entry is low enough, hopefully one of the vendors will go for it, and that will bring the rest of them in quickly enough,” said Dan Wallach, a Rice University computer scientist who assisted Travis County.
“It can be used with a ballot-marking device. It can be used with an optical scanner, on hand-marked paper ballots,” said Josh Benaloh, a senior cryptographer at Microsoft Research and key contributor to the ElectionGuard project. Benaloh helped produce a National Academies of Science report last year that called for an urgent overhaul of the rickety U.S. election system, which Russian hackers infiltrated in 2016 in several states.
That report called for all U.S. elections to be held on human-readable paper ballots by 2020. It also advocated a specific form of routine postelection audits to ensure accurate vote counts — a requirement that “end-to-end’ voting verification satisfies.
Election integrity activist Susan Greenhalgh of the National Election Defense Coalition said she hoped it would encourage innovative thinking at the level elections are actually managed.
“We can’t have faith-based voting anymore,” she said. “This is a great step forward in verifying election results.”
ElectionGuard will let voters confirm that their votes are accurately recorded. Beyond that, the unique coded tracker it produces registers an encrypted version of the vote that keeps the ballot choice itself secret while ensuring votes are accurately counted.
That enables reliable postelection audits and recounts.
It also lets outsiders such as election watchdog groups, political parties, journalists — and voters themselves — verify online that votes are properly counted without being altered.
Microsoft executives say they also plan to build a prototype voting system for reference.
One election official who has been in informal conversations with the ElectionGuard project leaders is Dean Logan, who runs elections for Los Angeles County, the nation’s most populous, and is building an open-source voting system for it.
A spinoff of Galois called Free & Fair developed the sophisticated postelection audits , known as “risk-limiting,” for Colorado, which was the first U.S. state to require the audits recommended in the National Academies of Sciences report.
ElectionGuard is not designed to work with internet voting schemes — which experts consider too easily hackable — and does not currently work with vote-by-mail systems.
ES&S told media outlets that it was excited to partner with Microsoft and “still exploring the potentials” for incorporated the software kit its voting systems.
Hart InterCivic, the No. 3 vendor, said it planned a pilot project with Microsoft to “incorporate ElectionGuard functionality as an additional feature” layered over its core platform.
A spokeswoman for Dominion, the No. 2 vendor, said “We are very interested in learning more about the initiative and being able to review the various prototypes that are being planned, along with hearing more about other federally-supported efforts in the elections space.”
Edgardo Cortés, a former Virginia elections commissioner now with New York University’s Brennan Center, welcomed additional private sector support for election systems.
“I think it’ll take a while to catch on and see how beneficial (ElectionGuard) ends up being,” he said. “But I think it certainly does have a great deal of potential.”
Columbia University will be partnering with Microsoft to audit the pilots.
Microsoft’s Protecting Elections In America Announcement
Today, at the Microsoft Build developer conference, CEO Satya Nadella announced ElectionGuard, a free open-source software development kit (SDK) from our Defending Democracy Program. ElectionGuard will make voting secure, more accessible, and more efficient anywhere it’s used in the United States or in democratic nations around the world. ElectionGuard, developed with the assistance of our partner Galois, will be available starting this summer to election officials and election technology suppliers who can incorporate the technology into voting systems. Among ElectionGuard’s many benefits, it will enable end-to-end verification of elections, open results to third-party organizations for secure validation, and allow individual voters to confirm their votes were correctly counted.
We are also announcing today that we have partnered with major election technology suppliers who are exploring the integration of ElectionGuard into their voting systems. We currently have partnerships with election technology suppliers responsible for more than half of the voting machines sold in the U.S. To help these partners, other vendors and election officials to visualize how ElectionGuard can modernize and secure the vote, we are building a reference voting system, which we will make public later this year, that will showcase the capabilities that ElectionGuard enables.
We believe technology companies have a responsibility to help protect our democratic processes and institutions. Modern technology can be used to ensure the voting process is resilient. At the same time, ElectionGuard is not intended to replace paper ballots but rather to supplement and improve systems that rely on them, and it is not designed to support internet voting. In short, ElectionGuard is a new tool for use by the existing election community and government entities that run elections.
ElectionGuard can be used to build systems with five major benefits that will protect the vote against tampering by anyone, and improve the voting process for citizens and officials:
Verifiable: Allowing voters and third-party organizations to verify election results.
Secure: Built with advanced encryption techniques developed by Microsoft Research.
Auditable: Supporting risk-limiting audits that help assure the accuracy of elections.
Open source: Free and flexible with the ability to be used with off-the-shelf hardware.
Make voting better: Supporting standard accessibility tools and improving the voting experience.
ElectionGuard democratizes the ability to verify election results by enabling direct public confirmation of the accuracy of those results. Voters are able to verify the correct recording of their votes, and anyone – including voters themselves – can verify that all of the recorded votes are correctly counted. As with current election systems, voters will remain unable to disclose their recorded votes to protect their privacy.
ElectionGuard verification is accomplished in two ways.
First, ElectionGuard provides each voter a tracker with a unique code that can be used to follow an encrypted version of the vote through the entire election process via a web portal provided by election authorities. During the process of vote-casting, voters have an optional step that allows them to confirm that their trackers and encrypted votes accurately reflect their selections. But once a vote is cast, neither the tracker nor any data provided through the web portal can be used to reveal the contents of the vote. After the election is complete, the tracker codes can be used by voters to confirm that their votes were not altered or tampered with and that they were properly counted.
Second, ElectionGuard also includes an open specification – or a road map – which allows anyone to write an election verifier. Voters, candidates, news media and any observers can run verifiers of their own or downloaded from sources of their choosing to confirm tabulations are as reported. The combination of the tracker – which allows individual voters to verify that their votes have been accurately recorded – and the verifier – which allows anyone to verify that the recorded votes have been accurately counted – enables full “end-to-end verification” of the correctness of election results. It will not be possible to “hack” the vote without detection.
ElectionGuard provides a complete implementation of end-to-end verifiable elections. It is designed to work with systems that use paper ballots, supplementing today’s tabulation process by providing a means of public verification of the accuracy of reported results.
To enable these two forms of verification, ElectionGuard uses something called homomorphic encryption – which enables mathematical procedures – like counting – to be done with fully encrypted data. The use of homomorphic encryption in election systems has been pioneered by Microsoft Research under the leadership of Senior Cryptographer Josh Benaloh. With homomorphic encryption, individually encrypted votes can be combined to form an encrypted tabulation of all votes which can then be decrypted to produce an election tally that protects voter privacy. By running an open election verifier, anyone can securely confirm that the encrypted votes have been correctly aggregated and that this encrypted tabulation has been correctly decrypted to produce the final tally. This process allows anyone to verify the correct counting of votes by inspecting the public election record, while keeping voting records secure. The use of homomorphic encryption to enable verification is separate from and in addition to the process of paper ballots counted as an official election tally.
Auditing the outcomes of elections further helps increase public confidence in the outcome as well as improving operational performance of elections. In addition to the public verification enabled by ElectionGuard, the SDK explicitly supports an enhanced form of statistical administrative auditing. Efficient risk-limiting audits are conducted by election officials with the aid of an electronic record of every ballot cast in an election. In this process, ballot records are selected at random and then compared against corresponding paper ballots to confirm that they match. By individually comparing paper against corresponding electronic records, high confidence in an election result can be achieved by examining far fewer ballots than would be necessary by traditional means. The process used by ElectionGuard allows these efficient risk-limiting audits to be publicly observable and verifiable without publishing the full set of electronic vote records.
The ElectionGuard SDK, as well as components of the reference voting system we’re building, will be released under the MIT Open Source License and made available on GitHub. Microsoft is offering this software to the election industry free of charge and with the intent of election technology vendors adopting components as they see fit. The SDK is designed to be used stand-alone or easily integrated as part of a vendor’s larger system. Because it’s open source, ElectionGuard can be used not just on devices running Windows but on off-the-shelf devices from other major technology companies as well as custom hardware designed by election technology suppliers. We believe this will enable ElectionGuard to be deployed in a variety of ways.
Make voting better
Microsoft’s mission is to empower every person on the planet to achieve more, and that commitment extends to those with disabilities who want to exercise their right to vote. Disability advocates we speak with want primary voting systems that are more accessible. The reference voting system we are building will demonstrate how ElectionGuard can be combined with readily available devices to build accessibility into the primary systems everyone uses.
We also wanted to make the whole voting experience easier and more modern for everyone and spent significant time thinking about the challenges people face on election day. One frustration is the difficulty of doing research on candidates and initiatives at the polling place. Our sample reference will showcase how people can make their selections at home, where they can easily research their choices, then bring a QR code to the polling place to scan and pre-populate their ballot.
When it’s time to vote, ElectionGuard supports the use of standard tablets and PCs running a variety of operating systems as a ballot marking device, which can be used to create an interface that looks and feels like modern applications people interact with every day on their phones and tablets. After people make their choices, their selections can be printed on a physical sheet of paper that they can review for accuracy and place in the ballot box as the official record of their vote.
Finally, voters will receive trackers that confirm their votes and can be used to verify that their votes were counted correctly after an election. ElectionGuard can also be used to enable optional scenarios for people to share on social media the fact that they voted, serving as a virtual “I voted” sticker encouraging others to participate in the democratic process.
We are working with a range of election technology suppliers who are excited to explore incorporating ElectionGuard into their current offerings or build new product lines incorporating the technology. These partnerships represent organizations that supply more than half of the voting systems used in the United States today including Democracy Live, Election Systems & Software, Hart InterCivic, BPro, MicroVote, and VotingWorks. We will continue to work with these partners, and any other interested vendors, over the coming months as they evaluate ElectionGuard. The early feedback has been exciting.
The code for ElectionGuard is being built together with our development partner, Galois. We are excited that Galois recently received $10 million in funding from DARPA to build a demonstration voting system to help evaluate secure hardware DARPA researchers are developing as part of a separate DARPA program. The agency views ensuring the integrity and security of the election process as a critical national security concern and plans to implement the ElectionGuard SDK as part of their effort to enable an end-to-end verifiable component in future versions of their demonstration voting system. It is encouraging to see DARPA investing in technology, which will not only find an application in securing the voting process but could contribute to more secure and transparent computing for a variety of devices and applications.
We are also pleased to announce a partnership with Columbia University’s Columbia World Projects. Columbia professors in statistics, political science, computer science, and international and public affairs and Microsoft will be joining forces to bring ElectionGuard to life by piloting the technology in the coming election cycle.
The ElectionGuard SDK will be available through GitHub beginning this summer. We encourage the election technology community to begin building offerings based on this technology and expect early prototypes using ElectionGuard will be ready for piloting during the 2020 elections in the United States, with significant deployments for subsequent election cycles. Over time we will seek to update and improve the SDK to support additional voting scenarios such as mail-in ballots and ranked choice voting. Microsoft will not charge for using ElectionGuard and will not profit from partnering with election technology suppliers that incorporate it into their products.