Every election year, millions of Americans are eligible to cast their ballots to elect officials ranging from members of school boards to the President of the United States. Those millions of voters need to be confident that the democratic process is carried out without interference.
However, in recent years, technology designed to help elections run smoothly has been targeted by those seeking to influence, subvert or sabotage democracy.
What does ElectionGuard do?
ElectionGuard is a way of checking election results are accurate, and that votes have not been altered, suppressed or tampered with in any way. Individual voters can see that their vote has been accurately recorded, and their choice has been correctly added to the final tally. Anyone who wishes to monitor the election can check all votes have been correctly tallied to produce an accurate and fair result.
Why do we need it?
There is overwhelming evidence that attempts have been made to target digital election infrastructure. For example, during the 2016 U.S. presidential election, actors sponsored by the Russian state infiltrated voter registration databases as part of a wider campaign of election interference. Fortunately, there is no evidence of any successful tampering with actual votes.
But, as Josh Benaloh, Senior Principal Cryptographer at Microsoft Research, explains, vote casting and tabulation systems are extremely vulnerable. “The challenge is asymmetric. In the U.S., elections are run locally – mostly by counties, sometimes even by townships – yet the attackers can be nation states. It’s simply not reasonable to expect a small county government can withstand an attack from a nation-state attacker.”
How does it work?
Because attacks cannot always be prevented, it is vital that they are detected, so that voters know if the result can be trusted. That requires stringent auditing.
Election monitors carry out spot checks on individual ballots in what are known as risk-limiting audits. But ElectionGuard allows for a much more comprehensive – and public – audit, by providing end-to-end verifiability.
Each vote is encrypted and given a unique identifier. The voter is given a tracking code that lets them check that their vote goes through the system unchanged and ends up in the final tally.
Not every voter needs to track their ballot to ensure the system maintains its integrity. In fact, if just 1% of voters nationally check that their ballots are correctly encrypted and tallied, it would be almost impossible for anyone to tamper with more than 100 votes out of 100 million without being caught.
At the same time, the way the encrypted votes are tallied can be checked by anyone to make sure that each candidate gets the correct number of votes.
Will anyone be able to see who I have voted for?
No. The principle of secret ballots means that not only should each person’s vote be private, it must be private, so that votes cannot be bought, sold or coerced.
ElectionGuard uses something called homomorphic encryption to ensure that nobody can tell how a person voted. In fact, even the voter cannot use the tracking code to prove to anyone else how they voted – they will only be able to prove that their vote wasn’t changed.
It is also possible to add up encrypted data so that only the final tally can be decrypted. This means that people can check the final tallies without seeing any information about the individual votes.
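To make the idea of adding up encrypted votes concrete, here is an added example (not code from ElectionGuard or from Microsoft) that tallies 0/1 selections under exponential ElGamal, one additively homomorphic scheme chosen here for illustration. The group parameters, function names and sample votes are constructed for the example, and a single key holder stands in for whoever is trusted to decrypt the final tally.

```python
import secrets

# Toy group, constructed for this example: far too small for real use.
P = 1019   # safe prime, P = 2*Q + 1
Q = 509    # prime order of the subgroup generated by G
G = 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1          # secret key in [1, Q-1]
    return sk, pow(G, sk, P)                   # (secret, public)

def encrypt(pk, vote):
    """Encrypt a 0/1 selection as (g^r, g^vote * pk^r) with fresh random r."""
    if vote not in (0, 1):
        raise ValueError("a selection must be 0 or 1")
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(G, vote, P) * pow(pk, r, P)) % P

def tally(ciphertexts):
    """Multiply ciphertexts component-wise; the exponents (votes) add up."""
    a, b = 1, 1
    for ca, cb in ciphertexts:
        a, b = (a * ca) % P, (b * cb) % P
    return a, b

def verify_tally(ciphertexts, published):
    """Anyone can recompute the encrypted tally from the public ciphertexts."""
    return tally(ciphertexts) == published

def decrypt_tally(sk, ciphertext, max_votes):
    """Strip pk^r, then find the small exponent t with g^t equal to the result."""
    a, b = ciphertext
    target = (b * pow(a, Q - sk, P)) % P       # a^(Q-sk) is the inverse of a^sk
    acc = 1
    for t in range(max_votes + 1):
        if acc == target:
            return t
        acc = (acc * G) % P
    raise ValueError("tally outside expected range")

if __name__ == "__main__":
    sk, pk = keygen()
    ballots = [encrypt(pk, v) for v in [1, 0, 1, 1, 0, 1]]   # constructed votes
    published = tally(ballots)
    print("tally:", decrypt_tally(sk, published, len(ballots)))
    print("public check passes:", verify_tally(ballots, published))
    ballots[1] = encrypt(pk, 1)                # swap one recorded ballot
    print("after swap:", verify_tally(ballots, published))
```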
Will it change the way elections have to be run?
No. ElectionGuard is designed to work with current voting systems, and Microsoft has been working alongside manufacturers and vendors to incorporate it into existing infrastructure (although it won’t be available for the Presidential election in November, and won’t be widely deployed for some time). Paper ballots can be scanned and voting machines used as they are now. The only difference voters will see is the unique tracking code they are given at the end, which they can choose to use or throw in the trash.
Spot checks and administrative audits can be carried out by the members of the existing canvassing boards who currently decide on whether ballots are eligible or spoiled, with built-in safeguards to make sure no individual can either disrupt or influence the verification process.
How can we trust it?
The fundamental principle behind ElectionGuard is that it gives the power to check whether elections are valid to individuals. Every single voter has the ability to verify their own vote – most likely on public websites set up by election boards or local authorities. And anyone can use a verification program to check the final tallies.
Nobody has to just take Microsoft’s word for it – or anyone else’s for that matter. ElectionGuard is a set of open source software components that can be accessed here. Anyone with the programming skills can create their own verification tool. In practice, this means every political party, candidate, news organization or pressure group can run their own checks and make their preferred program publicly available for others.
The first pilot has already been successfully carried out in an election in Fulton, Wisconsin.
Is this just a way of Microsoft making money off elections?
ElectionGuard is not a for-profit enterprise, and Microsoft will make no money from it. The technology is being developed and piloted with multiple stakeholders, and is freely available to anyone who wishes to use it, whether in the U.S. or in democracies around the world.