{"id":115224,"date":"2020-07-08T16:22:13","date_gmt":"2020-07-08T16:22:13","guid":{"rendered":"https:\/\/news.microsoft.com\/?p=438203"},"modified":"2020-07-08T16:22:13","modified_gmt":"2020-07-08T16:22:13","slug":"the-new-yorker-can-our-ballots-be-both-secret-and-secure","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2020\/07\/08\/the-new-yorker-can-our-ballots-be-both-secret-and-secure\/","title":{"rendered":"The New Yorker: Can our ballots be both secret and secure?"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2020\/07\/the-new-yorker-can-our-ballots-be-both-secret-and-secure.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"has-dropcap has-dropcap__lead-standard-heading\">Near the end of last year, I met Josh Benaloh, a senior cryptographer at Microsoft, in a conference room in Building 99 on the company\u2019s sprawling campus, in Redmond, Washington, to talk about a fundamental problem with American <a href=\"https:\/\/www.newyorker.com\/tag\/elections\">elections<\/a>. When we vote, we take it on faith that our ballots have been recorded\u2014and recorded correctly. This is not always the case. In 2015, in Shelby County, Tennessee, hundreds of votes that were cast in predominantly African-American precincts disappeared somewhere between the polling place and the final tally. Where they had gone, and why, remains a mystery, because the ballots were cast on a touch-screen voting machine that did not provide a paper record. In 2018, three thousand votes went missing during a Florida recount. The next year, eight hundred uncounted ballots were found in a storage closet in Midland, Texas, after a hotly contested school-bond vote. To prevent these types of errors, Benaloh said, \u201cYou could, in theory, sign your name on your ballot and watch it go through the system.\u201d In actual elections, however, that is precisely what is not supposed to happen. Our ballots are secret; after we drop them in the ballot box, they are, literally, out of our hands.<\/p>\n<p>We don\u2019t publish everyone\u2019s name next to their candidate selections because, Benaloh said, \u201cif we do that, we\u2019ll also be opening up everyone to coercion and vote selling.\u201d Both were features of American democracy well into the late nineteenth century, as voters revealed their choices in public\u2014polling often took place during carnivals and festivals\u2014either by voice or by dropping color-coded tickets, printed by each party, into a ballot box. By 1888, corruption had become so widespread that states began to abandon the spectacle. Voters in Massachusetts, following the examples of Australia and Britain, were the first in the U.S. to register their choices in a private space, on uniform ballots printed at public expense.<\/p>\n<p>Since 2018, as part of a program called Defending Democracy, Benaloh has been working on voting software that attempts to solve the problem of trust in secret-ballot elections. At Microsoft, he is both a researcher and an internal consultant, using what he learns in his theoretical investigations to help the company develop secure products. His election software is based on a mathematical process that he invented called homomorphic encryption. Standard encryption obscures information behind unintelligible strings of letters and numbers; homomorphic encryption enables those unintelligible strings to be added together while still remaining behind the veil. Applied to elections, this technology could allow ballots to be aggregated, tallied, and verified without the individual votes having to be decrypted. If it worked, voters could check that their choices had been accurately counted, without anyone else ever seeing them.<\/p>\n<p>At sixty years old, Benaloh is still boyish, with a stubbly beard and curly hair that is just beginning to gray. When he began thinking about how encryption might improve voting, as an undergraduate at the Massachusetts Institute of Technology, he had no sense that anything was wrong with the electoral system. \u201cI didn\u2019t really know a lot about elections,\u201d Benaloh said. \u201cI was a geeky kid growing up in New York who loved numbers, and elections were the time when everyone else was looking at numbers all day.\u201d This was back when his surname was Cohen, before he married his wife, Laurie Blake, who was then a math teacher, and they scrambled the letters of their last names together. (\u201c \u2018Ben\u2019 sort of from the Latin prefix \u2018benefactor,\u2019 \u201d he told me, \u201cand \u2018aloh\u2019 for the Hawaiian greeting \u2018aloha.\u2019 \u201d) While taking a class on cryptography, he started to see voting as a powerful way to show that the mathematical tools he was developing could be used to create a ballot that was transparent and private, and that the accuracy of elections could be verified from start to finish.<\/p>\n<p>In 1987, after successfully defending his doctoral dissertation, titled \u201cVerifiable Secret-Ballot Elections,\u201d at Yale, Benaloh moved to Toronto, for a three-year postdoc appointment, and then to upstate New York, to teach computer science at Clarkson University. He continued to refine the math for end-to-end verifiable elections. This included an effort to figure out how to apply his research to voting by mail, which he is still attempting to do, but with more urgency, in the face of the <a href=\"https:\/\/www.newyorker.com\/tag\/coronavirus\"><em class=\"small\">COVID<\/em>-19<\/a> pandemic. (\u201cI\u2019m getting close,\u201d he told me recently.) He also settled on a method that would give voters a simple way to test the integrity of the process: they could \u201cspoil\u201d ballots. Unlike cast ballots, spoiled ballots would be decrypted, and anyone could check whether the choices they had made on those ballots were the ones revealed by the decryption. In 2012, Benaloh put his ideas into practice, as one of seven researchers tapped by the clerk of Travis County, Texas, to create an actual voting system from the ground up. \u201cWe were trying to design something that achieved the mathematical needs of end-to-end verifiability in a way that their voters could interact with,\u201d he said. But <em class=\"small\">STAR<\/em>-Vote, as the system was called, never made it off the page and into the polling place.<\/p>\n<p>In 2016, after it became clear that Russian intelligence was probing state election systems, Benaloh took part in an extensive investigation conducted by the National Academies of Sciences, Engineering, and Medicine to determine the best ways to enhance the integrity of American elections. Its September, 2018, report, \u201c<a class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.nap.edu\/catalog\/25120\/securing-the-vote-protecting-american-democracy&quot;}\" href=\"https:\/\/www.nap.edu\/catalog\/25120\/securing-the-vote-protecting-american-democracy\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">Securing the Vote: Protecting American Democracy<\/a>,\u201d offered forty-one suggestions for making voting more secure, including adding end-to-end verifiability. By then, Microsoft had witnessed attacks on the electoral system firsthand. The company had provided <a href=\"https:\/\/www.newyorker.com\/tag\/cybersecurity\">cybersecurity<\/a> services for both parties\u2019 conventions in the previous election cycle; in July, 2016, during the Democratic National Convention, Microsoft\u2019s threat-intelligence team noticed that a nation-state actor, later traced to Russian intelligence, was registering fake Microsoft domain names. Not long afterward, the team saw the same thing happening during the French and European Union elections. Fake domains are often the bait for phishing expeditions, and Russian hackers were initially targeting academics and consultants likely to be involved in key issues of a campaign. \u201cIf you\u2019ve infiltrated an academic who is going to be an adviser to the Presidential campaign, now it\u2019s easier to hack into the Presidential campaign,\u201d Tom Burt, the company\u2019s vice-president for customer security and trust, told me. \u201cThat person sends an e-mail saying \u2018look at this really cool document,\u2019 and they click on it and they\u2019re infected.\u201d<\/p>\n<p>In 2018, Microsoft created the Defending Democracy program, which offered political campaigns a service called AccountGuard. The company trained campaign staff on basic cyber hygiene and monitored their accounts for malicious activity. (AccountGuard is now offered to nonprofits, academics, and political consultants in twenty-nine countries.) The program reached out to Benaloh to ask about the possibility of using the kinds of mathematical tools he\u2019d been developing to create a verifiable voting system. \u201cJosh had been thinking about this for a long time, but nobody had made the investment to do it,\u201d Burt told me. \u201cIt was going to be expensive, but it was something we could invest in, and I was willing to take a risk.\u201d (Burt, a rugged, silver-haired veteran of corporate law, would only tell me that the cost was \u201cin the seven-figure range.\u201d)<\/p>\n<p>Benaloh began to conceive what an end-to-end encrypted ballot-system toolkit would look like. It would be a piece of software\u2014an add-on to voting machines or scanners, not the hardware itself. It would also be system-agnostic, able to work alongside most kinds of voting apparatuses, whether digital or analog. As Benaloh told Congress last June, with an end-to-end verifiable election system, \u201cvoters will have the ability to use their unique tracking codes to look up their encrypted votes and confirm that they are unaltered and correctly counted.\u201d Election officials, meanwhile, he said, \u201cwill be able to publish C.V.R.S.\u201d\u2014cast-vote records\u2014\u201cwithout releasing sensitive raw election data that can be abused by malicious actors.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Near the end of last year, I met Josh Benaloh, a senior cryptographer at Microsoft, in a conference room in Building 99 on the company\u2019s sprawling campus, in Redmond, Washington, to talk about a fundamental problem with American elections. When we vote, we take it on faith that our ballots have been recorded\u2014and recorded correctly. [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":115225,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[49],"tags":[713,50],"class_list":["post-115224","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-news","tag-electionguard","tag-recent-news"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/115224","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=115224"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/115224\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media\/115225"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=115224"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=115224"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=115224"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}