In the winter of 2017, shortly after STAR-Vote was declared a loss, Josh Benaloh was sitting in his office at Microsoft when he received an email from unusually high up in the chain of command. A team from the company’s Legal and Policy Division wanted Benaloh’s advice on a sensitive idea, which hadn’t been made public yet.
Benaloh worked at Microsoft Research, the corporate Goliath’s private Darpa. There he could quietly tend the flame of his interest in elections, but mostly he worked on other problems. Every once in a while, he’d pitch his superiors on cryptography and voting, but got little interest. Eventually, he understood why. “There’s no way that it makes sense for Microsoft to make a business out of elections,” Benaloh explains. “Elections are a tiny business. Microsoft is a mass-market software company.” Nor had Benaloh’s pathfinding work on STAR-Vote attracted anything more than a cursory thumbs-up as one of a million interesting things going on in a place like Microsoft.
Then, all at once, something happened that completely reoriented Microsoft’s stance. “What happened,” Benaloh says, “was 2016.”
As the scope and fallout of Russia’s meddling in the presidential election became clear, Microsoft had quietly initiated an elaborate fact-finding process, searching for anything it could do in elections that wouldn’t clash with the company’s business imperatives. And now the brass wanted to know: Could Benaloh replicate what he’d attempted in Austin, this time for Microsoft? Benaloh’s feet were practically out the door before he could say yes.
In 2019, Microsoft launched its project under the name ElectionGuard. Once again, the technology would rely on Benaloh’s dissertation about homomorphic cryptography. Voters could still challenge their ballot and walk away from the voting booth with a hash code. But in key ways, ElectionGuard was different from STAR-Vote, especially in how it proposed to solve the problem of private industry. ElectionGuard would be built as a software development kit—a highly sophisticated plug-in, essentially, that would augment existing machines. The plan was to laboriously tailor ElectionGuard to several kinds of election technology, and then give it away to the big vendors for free. Microsoft wasn’t becoming a rival so much as it was housing the massive R&D division that voting companies couldn’t.
For ElectionGuard, yet another dream team has assembled. Benaloh is leading the cryptography, while Wallach is designing a risk-limiting audit system that would use Benaloh’s encryption. The secure systems firm Galois, STAR-Vote’s only bidder for its cryptography software, won a contract to assist ElectionGuard. And Microsoft has partnered with a nonprofit called VotingWorks—run by Ben Adida, the other student of Rivest’s at MIT—to build the hardware on which ElectionGuard would be demonstrated.
Earlier this year, Microsoft went searching for a real-life election where they could introduce ElectionGuard as a pilot. They settled on the town of Fulton, Wisconsin, population 3,000, about an hour’s drive west of Milwaukee. In February, the town would be voting in a tiny primary: a state Supreme Court seat and the local school board. For weeks leading up to the election, a squadron of Microsoft programmers parachuted into Wisconsin farmland, running test votes on dummy ballots with the names of Fulton’s favorite sons. (Willem Dafoe was one.) The people of Fulton were only too happy to be guinea pigs. Lisa Tollefson, the county clerk there, has a degree in industrial technology; she was fascinated, not intimidated, by ElectionGuard’s math. “You can actually add while it’s still encrypted, which is a-mazing,” she beamed.
Not everyone is so thrilled about ElectionGuard. The election vendors have varied in their degree of openness toward Microsoft’s complimentary toy. In part, that may be because they know that what’s free for them is also free for us—and for the next Dana DeBeauvoir who might come along to build a better voting machine. Indeed, VotingWorks, the nonprofit that built the Fulton demo, has its own ambitions to disrupt the voting industry. The vendors also say that, if they sign on, ElectionGuard will still need to run through a gauntlet of regulatory certifications—an expensive proposition. Innovation is simply harder under a mountain of regulation. “Like Silicon Valley, we’d like to ‘move fast and break things,’ but we do not have that luxury,” said a spokesperson for the vendor Hart. (Microsoft says it is optimistic that all three vendors will eventually jump aboard.)
Remarkably, some other skeptics can be found on the teams that designed STAR-Vote and ElectionGuard itself. Philip Stark told me he wishes he’d pushed for a radically different design on DeBeauvoir’s project. Sure, Benaloh’s system allowed for easy detection of fraud; but what would happen when you did detect fraud? You could rerun the election or conduct a massive audit, unleashing chaos in either case. The perfect knowledge afforded to voters by ElectionGuard might draw an even bigger target on elections, Stark speculated, especially for hackers who simply wanted to cause confusion and undermine trust. Another conscientious objector was Adida, the guy who was literally building the hardware for Microsoft’s demo in Fulton. With some heartache, he had concluded the field was moving too fast for its own good. What voters really needed was an affordable machine that worked. Would they even show up to vote on a system they couldn’t really understand?