Can Our Ballots Be Both Secret and Secure?

By Sue Halpern

Sue Halpern is a staff writer at The New Yorker. She is the author of, most recently, the novel “Summer Hours at the Robbers Library.”

Near the end of last year, I met Josh Benaloh, a senior cryptographer at Microsoft, in a conference room in Building 99 on the company’s sprawling campus, in Redmond, Washington, to talk about a fundamental problem with American elections. When we vote, we take it on faith that our ballots have been recorded—and recorded correctly. This is not always the case. In 2015, in Shelby County, Tennessee, hundreds of votes that were cast in predominantly African-American precincts disappeared somewhere between the polling place and the final tally. Where they had gone, and why, remains a mystery, because the ballots were cast on a touch-screen voting machine that did not provide a paper record. In 2018, three thousand votes went missing during a Florida recount. The next year, eight hundred uncounted ballots were found in a storage closet in Midland, Texas, after a hotly contested school-bond vote. To prevent these types of errors, Benaloh said, “You could, in theory, sign your name on your ballot and watch it go through the system.” In actual elections, however, that is precisely what is not supposed to happen. Our ballots are secret; after we drop them in the ballot box, they are, literally, out of our hands.

We don’t publish everyone’s name next to their candidate selections because, Benaloh said, “if we do that, we’ll also be opening up everyone to coercion and vote selling.” Both were features of American democracy well into the late nineteenth century, as voters revealed their choices in public—polling often took place during carnivals and festivals—either by voice or by dropping color-coded tickets, printed by each party, into a ballot box. By 1888, corruption had become so widespread that states began to abandon the spectacle. Voters in Massachusetts, following the examples of Australia and Britain, were the first in the U.S. to register their choices in a private space, on uniform ballots printed at public expense.

Since 2018, as part of a program called Defending Democracy, Benaloh has been working on voting software that attempts to solve the problem of trust in secret-ballot elections. At Microsoft, he is both a researcher and an internal consultant, using what he learns in his theoretical investigations to help the company develop secure products. His election software is based on a mathematical process that he invented called homomorphic encryption. Standard encryption obscures information behind unintelligible strings of letters and numbers; homomorphic encryption enables those unintelligible strings to be added together while still remaining behind the veil. Applied to elections, this technology could allow ballots to be aggregated, tallied, and verified without the individual votes having to be decrypted. If it worked, voters could check that their choices had been accurately counted, without anyone else ever seeing them.

At sixty years old, Benaloh is still boyish, with a stubbly beard and curly hair that is just beginning to gray. When he began thinking about how encryption might improve voting, as an undergraduate at the Massachusetts Institute of Technology, he had no sense that anything was wrong with the electoral system. “I didn’t really know a lot about elections,” Benaloh said. “I was a geeky kid growing up in New York who loved numbers, and elections were the time when everyone else was looking at numbers all day.” This was back when his surname was Cohen, before he married his wife, Laurie Blake, who was then a math teacher, and they scrambled the letters of their last names together. (“ ‘Ben’ sort of from the Latin prefix ‘benefactor,’ ” he told me, “and ‘aloh’ for the Hawaiian greeting ‘aloha.’ ”) While taking a class on cryptography, he started to see voting as a powerful way to show that the mathematical tools he was developing could be used to create a ballot that was transparent and private, and that the accuracy of elections could be verified from start to finish.

In 1987, after successfully defending his doctoral dissertation, titled “Verifiable Secret-Ballot Elections,” at Yale, Benaloh moved to Toronto, for a three-year postdoc appointment, and then to upstate New York, to teach computer science at Clarkson University. He continued to refine the math for end-to-end verifiable elections. This included an effort to figure out how to apply his research to voting by mail, which he is still attempting to do, but with more urgency, in the face of the COVID-19 pandemic. (“I’m getting close,” he told me recently.) He also settled on a method that would give voters a simple way to test the integrity of the process: they could “spoil” ballots. Unlike cast ballots, spoiled ballots would be decrypted, and anyone could check whether the choices they had made on those ballots were the ones revealed by the decryption. In 2012, Benaloh put his ideas into practice, as one of seven researchers tapped by the clerk of Travis County, Texas, to create an actual voting system from the ground up. “We were trying to design something that achieved the mathematical needs of end-to-end verifiability in a way that their voters could interact with,” he said. But STAR-Vote, as the system was called, never made it off the page and into the polling place.

In 2016, after it became clear that Russian intelligence was probing state election systems, Benaloh took part in an extensive investigation conducted by the National Academies of Sciences, Engineering, and Medicine to determine the best ways to enhance the integrity of American elections. Its September, 2018, report, “Securing the Vote: Protecting American Democracy,” offered forty-one suggestions for making voting more secure, including adding end-to-end verifiability. By then, Microsoft had witnessed attacks on the electoral system firsthand. The company had provided cybersecurity services for both parties’ conventions in the previous election cycle; in July, 2016, during the Democratic National Convention, Microsoft’s threat-intelligence team noticed that a nation-state actor, later traced to Russian intelligence, was registering fake Microsoft domain names. Not long afterward, the team saw the same thing happening during the French and European Union elections. Fake domains are often the bait for phishing expeditions, and Russian hackers were initially targeting academics and consultants likely to be involved in key issues of a campaign. “If you’ve infiltrated an academic who is going to be an adviser to the Presidential campaign, now it’s easier to hack into the Presidential campaign,” Tom Burt, the company’s vice-president for customer security and trust, told me. “That person sends an e-mail saying ‘look at this really cool document,’ and they click on it and they’re infected.”

In 2018, Microsoft created the Defending Democracy program, which offered political campaigns a service called AccountGuard. The company trained campaign staff on basic cyber hygiene and monitored their accounts for malicious activity. (AccountGuard is now offered to nonprofits, academics, and political consultants in twenty-nine countries.) The program reached out to Benaloh to ask about the possibility of using the kinds of mathematical tools he’d been developing to create a verifiable voting system. “Josh had been thinking about this for a long time, but nobody had made the investment to do it,” Burt told me. “It was going to be expensive, but it was something we could invest in, and I was willing to take a risk.” (Burt, a rugged, silver-haired veteran of corporate law, would only tell me that the cost was “in the seven-figure range.”)

Benaloh began to conceive what an end-to-end encrypted ballot-system toolkit would look like. It would be a piece of software—an add-on to voting machines or scanners, not the hardware itself. It would also be system-agnostic, able to work alongside most kinds of voting apparatuses, whether digital or analog. As Benaloh told Congress last June, with an end-to-end verifiable election system, “voters will have the ability to use their unique tracking codes to look up their encrypted votes and confirm that they are unaltered and correctly counted.” Election officials, meanwhile, he said, “will be able to publish C.V.R.S.”—cast-vote records—“without releasing sensitive raw election data that can be abused by malicious actors.”
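The three mechanisms the article describes, encrypted ballots that can be added without being decrypted, spoiled ballots that are opened so the device can be caught lying, and tracking codes that let a voter find their encrypted ballot on a public list, can be illustrated in a few dozen lines. The following is an added example written for this page, not code from Benaloh, from Microsoft, or from any deployed voting system. It uses exponential ElGamal, one of the standard additively homomorphic schemes, over a constructed toy group (the safe prime 1019); the function names, the key sizes and the shape of the tracking code are choices made here, and real systems use groups thousands of bits long plus zero-knowledge proofs that each ciphertext hides a 0 or a 1, which this example omits.

```python
import hashlib
import secrets

# Constructed toy parameters: a safe prime P = 2Q + 1 and a generator G of the
# order-Q subgroup. Real elections use primes thousands of bits long.
P = 1019
Q = 509
G = 4


def keygen():
    """Election key pair: trustees keep x; the public key h = G^x is published."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(h, vote, r=None):
    """Exponential ElGamal: the vote sits 'in the exponent' so ciphertexts add.
    Returns (ciphertext, r); the device keeps r so the voter may later spoil."""
    if vote not in (0, 1):
        raise ValueError("a single selection must be 0 or 1")
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    a = pow(G, r, P)
    b = (pow(G, vote, P) * pow(h, r, P)) % P
    return (a, b), r


def add(ct1, ct2):
    """Homomorphic addition: multiplying ciphertexts adds the hidden votes."""
    return ((ct1[0] * ct2[0]) % P, (ct1[1] * ct2[1]) % P)


def tally(ciphertexts):
    """Fold every encrypted ballot into one ciphertext; nothing is decrypted."""
    total = (1, 1)  # encryption of zero with randomness zero
    for ct in ciphertexts:
        total = add(total, ct)
    return total


def decrypt(x, ct):
    """Recover G^m, then find the small count m by search."""
    a, b = ct
    gm = (b * pow(a, Q - x, P)) % P  # a^(-x) == a^(Q-x) since a has order Q
    for m in range(Q):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("ciphertext does not hold a small count")


def tracking_code(ct):
    """Short code a voter can look up on the published list of encrypted ballots."""
    return hashlib.sha256(f"{ct[0]}:{ct[1]}".encode()).hexdigest()[:12]


def verify_spoiled(h, ct, claimed_vote, r):
    """Spoiled-ballot check: the device reveals the vote and randomness it used;
    re-encrypting with them must reproduce the ciphertext it committed to."""
    ct2, _ = encrypt(h, claimed_vote, r)
    return ct2 == ct


def run_election(votes):
    """Encrypt each vote, publish tracking codes, tally, decrypt only the sum."""
    x, h = keygen()
    ciphertexts = [encrypt(h, v)[0] for v in votes]
    codes = [tracking_code(ct) for ct in ciphertexts]
    return decrypt(x, tally(ciphertexts)), codes


if __name__ == "__main__":
    yes, codes = run_election([1, 0, 1, 1, 0])
    print("yes votes:", yes, "codes:", codes)
    # A voter spoils a ballot: an honest device passes, a lying device fails.
    x, h = keygen()
    ct, r = encrypt(h, 1)
    print("honest device:", verify_spoiled(h, ct, 1, r))
    print("device that recorded the wrong choice:", verify_spoiled(h, ct, 0, r))
```

Two points are worth noticing. The tally never decrypts an individual ballot: only the product of all ciphertexts is opened, so the trustees learn the count and nothing else. And the spoil check costs the voter nothing cryptographically, since comparing the re-encryption to the committed ciphertext needs only the public key; that is why any observer, not just the voter, can perform it.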