Last month, Columbia World Projects announced that it will partner with Microsoft to pilot ElectionGuard, a new technology aimed at improving the security of elections and confidence in the voting process. In this Q&A, Steven Bellovin, the Percy K. and Vidal L. W. Hudson Professor of Computer Science at Columbia University, and Josh Benaloh, a Senior Cryptographer at Microsoft Research, two of the lead collaborators on the project, discuss how the project took shape and what it aims to achieve.

Let’s start broadly. What is the problem that this project aims to address?
JOSH BENALOH: Elections are extraordinarily complex. They have many, many aspects and many places where they can go wrong, and we’re not by any means trying to address everything. We’re not trying to address disinformation issues, gerrymandering issues, issues with voter registration and suppression – all of which are of course very important. This project is focused specifically on the correct casting and counting of votes. What this project will do is implement technology that will enable voters to have very high confidence in the accuracy of that casting and counting.
STEVEN BELLOVIN: There’s a quote attributed to Stalin – that he doesn’t care who votes as long as he can count the votes. It’s designed to deal with that kind of problem: How do you know the votes were accurately counted?
BENALOH: Polls are showing that confidence in the accuracy of U.S. elections is going way down. That’s a direct threat to democracy. This is something that we’re addressing—the confidence in and integrity of our electoral system.
BELLOVIN: Every news article about Russian interference in the 2016 election says there’s no evidence that they tampered with the vote counts. But what if they did? What if they tried to? This is a way to detect it. Our current election technology does not allow any post-facto ways to discover tampering or other problems that arise in counting votes. Given the statistics on public trust in elections, that’s a significant social problem.
BENALOH: You know the Washington Post’s slogan, “Democracy Dies in Darkness”? Security is closely tied to that. Security thrives in sunshine. Sunshine is a very good disinfectant for things that go wrong, and this project offers more security.
Let’s talk a little bit about the specifics of the project. What is the technology that is being introduced?
BENALOH: ElectionGuard is a software toolkit that Microsoft is working with partners to have built. The toolkit can be added to existing election technology to allow for an entirely separate, supplementary counting of votes, which offers another way to verify their accuracy.
When I mail in my ballot today, I can go online and enter my registration number and I see a claim: “We’ve received your ballot, the signature’s been verified.” That’s a claim from my local registration office. I could believe them or not. In the case of ElectionGuard, it’s more than a claim. Voters can actually see that their vote is part of the count and confirm that it’s been accurately counted. The project will initially roll this technology out in one or two pilot jurisdictions during an election.
What does this technology actually look like for a voter?
BENALOH: While you’re voting you would get a tracking code. The tracking code is mathematically tied to the contents of your ballot, and you have the ability while you’re voting to confirm that the tracking code aligns with the actual selection that you made. Once you leave the voting site, you no longer have the ability to match the code against the actual selections. But you can see that your vote hasn’t been changed and that the vote is accurately included in the election tally: Election officials provide a mathematical proof that all of the ballots that are listed, including yours, correspond to the tally that has been announced in the election.
The technology doesn’t allow you to look at the content of your vote after the election because if you could do that, you could show someone else how you voted and that would allow you to sell your vote or be coerced.
BELLOVIN: The project is set up to deal with crazy threat models that election people have learned are very real over the years.
How did this project first come about and how is each of you involved?
BENALOH: I have been doing research in this area for a very long time – an embarrassingly long time. My 1987 doctoral dissertation was entitled, “Verifiable Secret-Ballot Elections.” Much more recently, I was part of a research study on the future of voting. One of the chairs of the committee for that study was Lee Bollinger, the president of Columbia. In our study report, we covered these technologies, in particular end-to-end verifiability and risk-limiting audits, and President Bollinger invited me to pitch the idea to Columbia World Projects last fall. And this was selected as one of the projects that went forward from the Forum meeting where I pitched it.
BELLOVIN: I took part in the Forum meeting where this idea was first proposed. I’m working on the systems aspect: How does this technology actually appear to people, how does it get integrated into the existing technology? How does it tie to the poll books? What does a user actually have to do in order to take advantage of this system? How does it affect, for example, election night reporting of results? Colleagues from other departments at Columbia – including Michael Ting and Andrew Gelman, along with Ronald Rivest at MIT – are also part of the team working with Columbia World Projects to design the project and oversee the logistics of how the technology gets implemented in a real-world jurisdiction, and study how it can be used in the future. All of this is about how to make something like this work in the real world.