Can Our Ballots Be Both Secret and Secure?

A mathematician’s quest to make American elections more trustworthy.
An encrypted ballot
Illustration by Tyler Comrie; Source Photographs from Tetra Images / Getty (hand); Jeffrey Coolidge / Getty (ballot)

Near the end of last year, I met Josh Benaloh, a senior cryptographer at Microsoft, in a conference room in Building 99 on the company’s sprawling campus, in Redmond, Washington, to talk about a fundamental problem with American elections. When we vote, we take it on faith that our ballots have been recorded—and recorded correctly. This is not always the case. In 2015, in Shelby County, Tennessee, hundreds of votes that were cast in predominantly African-American precincts disappeared somewhere between the polling place and the final tally. Where they had gone, and why, remains a mystery, because the ballots were cast on a touch-screen voting machine that did not provide a paper record. In 2018, three thousand votes went missing during a Florida recount. The next year, eight hundred uncounted ballots were found in a storage closet in Midland, Texas, after a hotly contested school-bond vote. To prevent these types of errors, Benaloh said, “You could, in theory, sign your name on your ballot and watch it go through the system.” In actual elections, however, that is precisely what is not supposed to happen. Our ballots are secret; after we drop them in the ballot box, they are, literally, out of our hands.

We don’t publish everyone’s name next to their candidate selections because, Benaloh said, “if we do that, we’ll also be opening up everyone to coercion and vote selling.” Both were features of American democracy well into the late nineteenth century, as voters revealed their choices in public—polling often took place during carnivals and festivals—either by voice or by dropping color-coded tickets, printed by each party, into a ballot box. By 1888, corruption had become so widespread that states began to abandon the spectacle. Voters in Massachusetts, following the examples of Australia and Britain, were the first in the U.S. to register their choices in a private space, on uniform ballots printed at public expense.

Since 2018, as part of a program called Defending Democracy, Benaloh has been working on voting software that attempts to solve the problem of trust in secret-ballot elections. At Microsoft, he is both a researcher and an internal consultant, using what he learns in his theoretical investigations to help the company develop secure products. His election software is based on a mathematical process that he invented called homomorphic encryption. Standard encryption obscures information behind unintelligible strings of letters and numbers; homomorphic encryption enables those unintelligible strings to be added together while still remaining behind the veil. Applied to elections, this technology could allow ballots to be aggregated, tallied, and verified without the individual votes having to be decrypted. If it worked, voters could check that their choices had been accurately counted, without anyone else ever seeing them.

At sixty years old, Benaloh is still boyish, with a stubbly beard and curly hair that is just beginning to gray. When he began thinking about how encryption might improve voting, as an undergraduate at the Massachusetts Institute of Technology, he had no sense that anything was wrong with the electoral system. “I didn’t really know a lot about elections,” Benaloh said. “I was a geeky kid growing up in New York who loved numbers, and elections were the time when everyone else was looking at numbers all day.” This was back when his surname was Cohen, before he married his wife, Laurie Blake, who was then a math teacher, and they scrambled the letters of their last names together. (“ ‘Ben’ sort of from the Latin prefix ‘benefactor,’ ” he told me, “and ‘aloh’ for the Hawaiian greeting ‘aloha.’ ”) While taking a class on cryptography, he started to see voting as a powerful way to show that the mathematical tools he was developing could be used to create a ballot that was transparent and private, and that the accuracy of elections could be verified from start to finish.

In 1987, after successfully defending his doctoral dissertation, titled “Verifiable Secret-Ballot Elections,” at Yale, Benaloh moved to Toronto, for a three-year postdoc appointment, and then to upstate New York, to teach computer science at Clarkson University. He continued to refine the math for end-to-end verifiable elections. This included an effort to figure out how to apply his research to voting by mail, which he is still attempting to do, but with more urgency, in the face of the COVID-19 pandemic. (“I’m getting close,” he told me recently.) He also settled on a method that would give voters a simple way to test the integrity of the process: they could “spoil” ballots. Unlike cast ballots, spoiled ballots would be decrypted, and anyone could check whether the choices they had made on those ballots were the ones revealed by the decryption. In 2012, Benaloh put his ideas into practice, as one of seven researchers tapped by the clerk of Travis County, Texas, to create an actual voting system from the ground up. “We were trying to design something that achieved the mathematical needs of end-to-end verifiability in a way that their voters could interact with,” he said. But STAR-Vote, as the system was called, never made it off the page and into the polling place.
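As an added illustration of the two mechanisms described above, the encrypted addition from the homomorphic-encryption paragraph and the spoiled-ballot check here (not ElectionGuard's own code), this toy Python script runs exponential ElGamal over a tiny safe-prime group: each candidate selection is encrypted as a 0 or 1, the ciphertexts are multiplied into an encrypted total that only the trustee key can open, a spoiled ballot is audited by re-encrypting it with its revealed nonce, and an independent verifier recomputes the product, which is the kind of check the verifier program mentioned later in the piece performs. The parameters p, q and g and the tracking-code hash are assumptions chosen for readability; a deployed system uses thousands-of-bit parameters, splits the key among several trustees and attaches zero-knowledge proofs, all omitted here.

```python
"""Toy end-to-end verifiable tally with additively homomorphic encryption.

Constructed illustration, not ElectionGuard's code: exponential ElGamal over a
small safe-prime group so every value fits on screen.  Real deployments use
thousands-of-bit parameters, share the secret key among several trustees and
attach zero-knowledge proofs that each ciphertext encrypts 0 or 1; all of that
is omitted here to show just the arithmetic.
"""
import hashlib
import secrets

# Toy group parameters (assumed): p = 2q + 1 with p and q prime, g of order q.
P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1 and G != 1


def keygen():
    """Trustee secret s in [1, q-1] and election public key K = g^s mod p."""
    s = 1 + secrets.randbelow(Q - 1)
    return s, pow(G, s, P)


def encrypt(pub, vote, nonce):
    """Encrypt one selection v (0 or 1) under K with nonce r as (g^r, K^r * g^v).

    The vote sits in the exponent, so multiplying two ciphertexts adds the votes.
    """
    if vote not in (0, 1):
        raise ValueError("each selection is encrypted as 0 or 1")
    alpha = pow(G, nonce, P)
    beta = (pow(pub, nonce, P) * pow(G, vote, P)) % P
    return alpha, beta


def encrypt_ballot(pub, selections, nonces):
    """One ciphertext per candidate; the ballot is the list of them."""
    return [encrypt(pub, v, r) for v, r in zip(selections, nonces)]


def tracking_code(ballot):
    """Short hash printed for the voter to look their ballot up later (assumed form)."""
    flat = ",".join(f"{a}:{b}" for a, b in ballot)
    return hashlib.sha256(flat.encode()).hexdigest()[:12]


def homomorphic_tally(ballots):
    """Componentwise product of all ballots: an encryption of each candidate's total.

    No secret key is needed for this step; it runs entirely on public ciphertexts.
    """
    totals = [(1, 1)] * len(ballots[0])
    for ballot in ballots:
        totals = [((ta * a) % P, (tb * b) % P)
                  for (ta, tb), (a, b) in zip(totals, ballot)]
    return totals


def decrypt(secret, ct, max_count):
    """Recover g^m = beta * alpha^(-s), then m by brute-force discrete log."""
    alpha, beta = ct
    # alpha^(p-1) = 1 mod p, so alpha^(p-1-s) is alpha^(-s).
    gm = (beta * pow(alpha, P - 1 - secret, P)) % P
    for m in range(max_count + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("count outside the expected range")


def check_spoiled(pub, ballot, selections, nonces):
    """Spoiled-ballot check: the nonces are revealed, so anyone holding only the
    public key can re-encrypt the claimed selections and compare ciphertexts."""
    return encrypt_ballot(pub, selections, nonces) == ballot


def verify_tally(published_ballots, published_totals):
    """What an independent verifier program checks: the published encrypted
    totals must equal the product of all published cast ballots."""
    return homomorphic_tally(published_ballots) == published_totals


def run_toy_election():
    """Four constructed voters, two candidates; returns counts and check results."""
    secret, pub = keygen()
    selections = [[1, 0], [0, 1], [1, 0], [1, 0]]   # constructed sample ballots
    nonces = [[1 + secrets.randbelow(Q - 1) for _ in sel] for sel in selections]
    ballots = [encrypt_ballot(pub, s, r) for s, r in zip(selections, nonces)]
    codes = [tracking_code(b) for b in ballots]
    totals = homomorphic_tally(ballots)
    counts = [decrypt(secret, ct, len(ballots)) for ct in totals]
    # Voter 1 spoils their ballot, receives its nonces and audits it offline.
    spoiled_ok = check_spoiled(pub, ballots[1], selections[1], nonces[1])
    return counts, codes, verify_tally(ballots, totals), spoiled_ok


if __name__ == "__main__":
    print(run_toy_election())
```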

In 2016, after it became clear that Russian intelligence was probing state election systems, Benaloh took part in an extensive investigation conducted by the National Academies of Sciences, Engineering, and Medicine to determine the best ways to enhance the integrity of American elections. Its September, 2018, report, “Securing the Vote: Protecting American Democracy,” offered forty-one suggestions for making voting more secure, including adding end-to-end verifiability. By then, Microsoft had witnessed attacks on the electoral system firsthand. The company had provided cybersecurity services for both parties’ conventions in the previous election cycle; in July, 2016, during the Democratic National Convention, Microsoft’s threat-intelligence team noticed that a nation-state actor, later traced to Russian intelligence, was registering fake Microsoft domain names. Not long afterward, the team saw the same thing happening during the French and European Union elections. Fake domains are often the bait for phishing expeditions, and Russian hackers were initially targeting academics and consultants likely to be involved in key issues of a campaign. “If you’ve infiltrated an academic who is going to be an adviser to the Presidential campaign, now it’s easier to hack into the Presidential campaign,” Tom Burt, the company’s vice-president for customer security and trust, told me. “That person sends an e-mail saying ‘look at this really cool document,’ and they click on it and they’re infected.”

In 2018, Microsoft created the Defending Democracy program, which offered political campaigns a service called AccountGuard. The company trained campaign staff on basic cyber hygiene and monitored their accounts for malicious activity. (AccountGuard is now offered to nonprofits, academics, and political consultants in twenty-nine countries.) The program reached out to Benaloh to ask about the possibility of using the kinds of mathematical tools he’d been developing to create a verifiable voting system. “Josh had been thinking about this for a long time, but nobody had made the investment to do it,” Burt told me. “It was going to be expensive, but it was something we could invest in, and I was willing to take a risk.” (Burt, a rugged, silver-haired veteran of corporate law, would only tell me that the cost was “in the seven-figure range.”)

Benaloh began to conceive what an end-to-end encrypted ballot-system toolkit would look like. It would be a piece of software—an add-on to voting machines or scanners, not the hardware itself. It would also be system-agnostic, able to work alongside most kinds of voting apparatuses, whether digital or analog. As Benaloh told Congress last June, with an end-to-end verifiable election system, “voters will have the ability to use their unique tracking codes to look up their encrypted votes and confirm that they are unaltered and correctly counted.” Election officials, meanwhile, he said, “will be able to publish C.V.R.S.”—cast-vote records—“without releasing sensitive raw election data that can be abused by malicious actors.”

By the time we spoke at Microsoft’s headquarters, the voting software Benaloh had helped develop, which is called ElectionGuard, was nearly finished, and a test run was being coördinated with election officials in Wisconsin. If all went according to plan, in February of this year a few hundred voters in a local primary election would participate in what promised to be the most secure and accurate election in the history of American democracy. Benaloh saw it as a step toward preserving the franchise itself. “There are a lot of valuable things that can’t be done if we don’t have democracy,” he told me. “It’s at the core of being able to advance society and science. It all starts with fair and trustworthy elections.”

A voting system has many parts: voter-registration databases, poll books, ballots, optical scanners, voting machines, tabulators, and lots of rules. In a rational system, national elections would be a uniform process overseen by a federal commission. But a quirk of history—a single line in the Constitution that cedes control to the states—has saddled American democracy with an idiosyncratic, fractured way of voting. There are more than nine thousand election jurisdictions in the country, each with its own way of upholding the franchise. Some require ballots to be printed with the candidates’ names in capital letters, and others mandate that the roster of candidates, no matter how long, appears on a single ballot page. There are jurisdictions that encourage same-day registration and allow any voter to obtain an absentee ballot, whereas others impose extreme voter-identification laws and severely limit polling hours and locations. To a large extent, the procedural differences in the way we vote—state to state, municipality to municipality—are functions of both the distinct culture of each locality and the requirements placed on them by state legislatures and secretaries of state. Those requirements are variable, sometimes onerous, and subject to the vagaries of politics.

Similarly, there is no uniformity to the way that Americans cast ballots. Some jurisdictions rely on hand-marked paper ballots that are counted manually or recorded by optical scanners, others handle voting with digital devices that mark the ballot for the voter, and still others use machines that do not provide voters with a paper backup of their choices. When machines are involved, they must be configured to adhere to local, state, and federal specifications—which means that there are numerous iterations across the country of the same model machine. But almost all of them have been manufactured by just three for-profit election venders—Hart InterCivic, Dominion Voting Systems, and Election Systems & Software—each owned by a different private-equity company that is under no obligation to the voting public to reveal its directors, profits, supply chains, or the algorithms powering its software. Although some jurisdictions require that companies pay to have their machines tested and certified by labs, not all places mandate this.

Private companies have long manufactured the equipment that Americans use to vote, but, starting in the nineteen-sixties, the machines have become increasingly computerized. After that transition began, companies were not just making the hardware—they were writing the code that registered and tabulated votes. A jurisdiction could buy or lease the equipment, but the vender owned the software, which was typically arcane and proprietary. In 1988, the investigative reporter Ronnie Dugger, writing in The New Yorker, observed that voting-machine companies “have long contended, in and out of court, that they own the source codes and must keep them secret from everyone, including the local officials who conduct elections.” This remains the case.

Dugger’s article was largely based on a report issued that same year by the National Bureau of Standards, written by a computer scientist named Roy Saltman. For more than a decade, Saltman had been identifying problems with electronic voting machines that continue to dog elections today: tallies that can’t be audited because the voting machines do not provide a paper trail, software and hardware glitches, security vulnerabilities, poor connections between voting machines and central tabulating computers, conflicts of interest among venders of computerized systems, and election officials who lack computer expertise. He also made an early case for encrypting votes. “If encryption is not used in the teleprocessing of vote data,” he wrote in a 1978 report, “there is a possibility that a sophisticated disrupter could delete correct data or replace correct data with false data,” which would result in the reporting of erroneous results.

Following the spectacular failure of voting equipment during the general election in 2000, when two million votes were disqualified and the Presidency came down to five hundred and thirty-seven contested ballots in Florida, Congress passed the Help America Vote Act (HAVA). HAVA sent nearly four billion dollars to the states to upgrade their election systems and encouraged them to swap out old-style equipment for computerized voting machines. Nearly every jurisdiction in the United States is now, in some way, computerized. Although this change has increased the need for election systems to be monitored, and their outcomes verified, a substantial number of computerized voting systems do not provide human-readable paper backups; there is no way to know if they have been hacked. “The best way to confirm that voting machines have not been tampered with is to audit them afterward,” Lawrence Norden, the director of the Election Reform Program at the Brennan Center for Justice, told me. “By audit, I mean comparing electronic totals with the paper ballot completed by the voter. If you haven’t done that, you are telling voters, ‘Trust us,’ without offering proof that the machine is giving you accurate totals.” In 2020, jurisdictions in at least eight states will be using voting equipment that does not provide a paper trail.

Just as those machines are, in a sense, black boxes, so, too, are their manufacturers. No one knows how much money they make or who exactly owns them. A request by the House Administration Committee last January to the C.E.O.s of the three big election venders to provide financial statements has so far gone unanswered. (One estimate by a Caltech and M.I.T. research group, in 2012, suggested that the voting-technology industry earned three hundred million dollars annually.) A request by the North Carolina State Board of Elections, in 2019, was not successful in unmasking the sources of private equity behind three venders vying to replace the state’s election equipment. The contract ultimately went to Election Systems & Software, which alone commands nearly half of the market. The company is also known to have substantial ties to the Republican Party. Nelson Bunker Hunt and Howard Ahmanson, Jr., two right-wing Republicans, were investors in the companies that merged to create E.S. & S. The company has also donated tens of thousands of dollars to the Republican State Leadership Committee. “We’ve decided in this country that private venders will play a central role in running our elections and counting our votes,” Norden said. “Private equity owning these companies means the public doesn’t have a critical piece of information about our elections.” This is why, for three years, until they were informed by the F.B.I., in 2018, election officials in Maryland had no idea that the parent company of their election vender, ByteGrid, had ties to a Russian oligarch close to Vladimir Putin.

All of which might help explain why voters’ confidence in the integrity of U.S. elections is shaky at best. A recent Ipsos poll found that only about half of respondents believed that the 2020 Presidential election will be free and fair. Fifty-seven out of a hundred cybersecurity professionals queried by the Washington Post said that Americans should not be sanguine about the contest’s security.

Gregory Miller, the co-founder of the Open Source Election Technology Institute (OSET), told me, “The venders own this market. They have an iron fist on it. It’s paying them an annuity.” In his previous career, Miller worked at Apple, Sun Microsystems, and Netscape. Thirteen years ago, a chance conversation with a couple of his friends in the tech world led to the realization that no one in the elections industry had any incentive to create a better voting system. “This is what gave birth to the idea of open-source, public technology,” he explained. “We said, ‘Well, if they’re not going to bring about innovation on their own because it doesn’t pencil out for them, why don’t we just do it ourselves? What if we created a nonprofit project to build this entire code base and give it to America?’ ”

In contrast to Benaloh, who is targeting his efforts to protect the existing election system with a singular fix—by inserting the math of homomorphic encryption—OSET has plans to build a comprehensive suite of secure software that drives voting machines, scanners, tabulators, and registration databases, and to help election officials design their own district’s ballots. But it is now six years past when Miller originally estimated that the code base for a publicly controlled voting system—what OSET calls ElectOS—would be finished. “This project is crawling along, and it’s mind-blowing, because if we could actually get the money together, we could finish in about fourteen to sixteen months,” Miller said. He estimated that it would cost eight million dollars. “Mouse nuts,” he called it. “I’m trying to tell people that if we can’t trust the vote, what do we have left?”

Math is different from code. To expedite the translation of Benaloh’s proofs into machine-executable algorithms, Microsoft outsourced software development to a group of computer scientists at Galois, a company in Oregon known for creating secure digital systems and exposing unsecured ones. Joe Kiniry, the team’s senior member, has been working on election security for decades. As a postdoc in the Netherlands, in 2003, he and a few other academics surreptitiously examined an Internet voting system that the Dutch government was considering for future elections; on the last day of a weeklong demonstration for legislators, Kiniry and the others shut it down “in a very public way.” (He was almost deported as a consequence.) Kiniry eventually designed vote tabulators for the governments of the Netherlands and Ireland and an electronic poll-book system for the Danish government.

Galois, which is named for the French mathematician who figured out how to solve polynomial equations before he died, in a duel at twenty, was created, in 2000, at the request of a single client, the National Security Agency. Its assignment was to write “perfect cryptography.” (The intelligence agency still uses the programming language, which is called Cryptol.) By the time Kiniry got to Galois, in 2014, the company had branched out, taking on clients from other government agencies as well as from major corporations, such as Amazon. The other members of the Galois team are Daniel Zimmerman, who had known Kiniry as a student at Caltech, and Joey Dodds, who joined the company, in 2015, fresh from Princeton’s computer-science doctoral program.

Early on, Kiniry, Zimmerman, and Dodds were paying attention to a development in election security: the possibility that a statistical algorithm, called a risk-limiting audit, or R.L.A., could determine—with a great deal of statistical confidence—that the reported outcome of an election was correct. Unlike a traditional post-election audit, which compares the tally to a small sample of paper ballots, R.L.A.s use math to determine which ballots need to be pulled in order for there to be statistical confidence in the total. (The title of one of the first papers on the subject, “A Gentle Introduction to Risk-limiting Audits,” hints at its complexity.) “We are all friends with the core folks who had been working on defining and reasoning about various kinds of R.L.A.s,” Kiniry told me. “As we watched the topic grow, we realized that, eventually, someone would have to create R.L.A. products to support real elections.” In 2015, the group created an R.L.A. program called OpenRLA. Two years later, at the request of Colorado election officials, they built CORLA, which became the first statewide R.L.A. in the country. (There are now four states that mandate risk-limiting audits.)

Galois occupies two floors of one of Portland’s most architecturally distinct buildings, a postwar glass box that resembles—and predates—the Lever House in New York. The office has the look of a Silicon Valley tech company—bikes hanging on a wall, a beer tap in a shared social space, a large gong to call the staff to meetings—but with the secretive vibe of Los Alamos. I was asked to turn off my recorder, lest it inadvertently pick up classified information. Downstairs, in a quiet corner room, I sat opposite Dodds, Zimmerman, and their colleague Shpat Morina, a communications guy who seemed to be there as my minder. (Kiniry was out with a torn patellar tendon.) Each of us occupied one side of an octagonal Zen garden filled with a desert’s worth of sand. Someone had thoughtfully left a hand rake at each person’s place.

No one could quite remember when the ElectionGuard project began. Zimmerman thought that it might have been in the spring of 2018, or maybe that fall, when they received a query from Benaloh asking whether Galois would be interested. After a few video chats, Benaloh went down to Portland to hash out what it might look like for them to build a real-world, end-to-end verifiable election system using homomorphic encryption. As Kiniry recalled when I asked him about it later, “We hung out for a day or two in front of a whiteboard, basically sketching out how this might look concretely and how to do it so that you don’t have to be a cryptography expert to use it, since the existing election venders don’t have cryptography experts.” Back in Seattle, Benaloh wrote white papers based on those discussions. “In the normal world, people would then just go and start writing code,” Kiniry said. “But when it comes to building something that has high assurance”—encryption strong enough to comply with the N.S.A.’s specifications—“that’s crazy town. To make sure that the flow of the tool would match what voters would eventually see, we basically wrote a story in really clear, simple English that anybody, including my mother, can read. And then we translated the precise meaning of that story into math so that we could reason about its properties even before we built it.”

The story, which is six pages long, begins with a description of the cast of characters—election officials, voters, interested citizens, and the trustees who will carry out key steps of the election together—and the computers that will be needed to make the system work. It moves on to a prologue that sets forth everything that must be done in the run-up to Election Day and segues into an exhaustive, meticulous depiction of each feature of the voting process. There’s no plot to this story—it’s more catalogue than narrative—but by the last page it’s easy to imagine Kiniry’s mother reading through it and coming away with a reasonable understanding of how this scheme is meant to work.

In July, 2019, the Galois team, with Dodds as its lead programmer, successfully rendered Benaloh’s math as a software package that other developers could use to integrate end-to-end verification into actual voting systems. To facilitate its adoption by venders, ElectionGuard was uploaded to GitHub, a Microsoft-owned online repository for open-source software. Open source allows anyone to study the code, comment on its architecture, and look for errors. The code is also there for the taking, offered freely to whoever wants to use or modify it. This accessibility reflected Benaloh’s and Burt’s desire to see end-to-end verifiable election systems propagated far and wide. “We’re not getting paid, and we deliberately designed it to be platform-independent,” Burt said. “What we want is for elections to be secure, right?” According to Kiniry, so far, commentators have suggested more than forty edits and modifications to the code.

In years past, election-machine venders have threatened to sue researchers who tried to examine their proprietary software. But releasing code publicly—especially code that underwrites the machinery of American democracy—is not just equitable, it’s sensible. Ten years ago, the District of Columbia, in partnership with Miller’s organization (then called the Open Source Digital Voting Foundation), planned to introduce an Internet-based voting system for overseas absentee voters. After the D.C. elections board and O.S.D.V. invited hackers to stress-test the system, a group of computer-science students at the University of Michigan found an error in the code that they were able to exploit. They gained access to the system’s ballots, uncovered a document that allowed them to impersonate actual voters, and modified the Web site’s “thank you” page to play the university’s fight song. As they wrote in a subsequent paper, “We had gained near-complete control of the election server. We successfully changed every vote and revealed almost every secret ballot.” It took two days for the D.C. elections office to notice the breach. In light of it, the system was scuttled.

Though they are still on the Galois payroll, Dodds, Zimmerman, and Kiniry have started their own election-related company called Free & Fair. Having written the ElectionGuard software-developer kit for Microsoft, they felt uniquely positioned to partner with election venders to integrate it into voting machines. “There are a lot of things that venders are good at that we’re not,” Dodds said, “such as getting machines into millions of polling places around the United States and doing on-the-ground tech support and sales. But we can do things in security that venders aren’t as equipped to do.”

The next time I saw Benaloh, we were in Fulton, Wisconsin, a farming town on the Rock River, forty minutes southeast of Madison. It was the third week of February, and blinding snow obscured both the river and the farms, but it had not deterred dozens of reporters from converging on the Fulton town offices. Outside, the town clerk, Connie Zimmerman, was shovelling the sidewalk vigorously—“It’s part of my fitness plan,” she said—and urging visitors not to block the entrance. In less than twenty-four hours, she would be overseeing a primary election for her town of thirty-five hundred people, which covers two school districts. The town would be voting for a state Supreme Court justice; one district would also be voting for school-board candidates. Benaloh and his wife, Laurie, had come, along with Burt and other members of the Defending Democracy team. For the very first time, ElectionGuard was going to be used in a live election.

Wisconsin, with a thousand eight hundred and fifty municipalities, accounts for a fifth of all election districts in the country. Each of them requires election equipment both to be certified by the Election Assistance Commission, a federal agency, and to comply with state election laws. The voting equipment in which ElectionGuard was embedded for the pilot—which was not certified by the E.A.C.—was able to bypass a full review because the final vote tally on primary night would be determined by a hand count of paper ballots, not by the voting equipment itself. “Wisconsin did a truncated review process,” Richard Rydecki, the assistant administrator of the Wisconsin Elections Commission, told me. The commission and the Defending Democracy team held a mock election in Fulton in December; an all-day stress test at the commission’s office in Madison in January; and finally, a week before the primary, another trial run back in Fulton. The primary would be the first time the town would use computerized voting equipment. Once it was over, Fulton would go back to paper ballots.

“It feels good to be here,” Benaloh said, as he walked me through the community room, which was being transformed into the next day’s polling place. There were tables along three walls, behind which the poll workers would sit at stations marked one through six. Voters would check in at the first station; get a smart card programmed with their ballot at the second station; insert the card into one of five voting machines at the third station and make their selections; and bring the card to the printer at the fourth station, where their ballot would be encrypted. A paper summary of their choices would then be printed on a white sheet of paper, and an ElectionGuard tracking code would be printed on a yellow sheet. The fifth station was a pair of private carrels where they could review their ballot choices. If they found a mistake or changed their mind, they could go back to the first station, where their ballot would be spoiled, and they could start the process again. Otherwise, they would proceed to the sixth station, where two poll workers would sign the back of the ballot (a requirement of Wisconsin law), and drop it in the ballot box on their way out of the room. The yellow ElectionGuard sheet, which was theirs to keep, would allow them to verify online that their ballot had been counted.

The snow had stopped by seven the next morning, when the polls opened, but the roads were glare ice, and schools were on a two-hour delay. Voters drifted in anyway, almost all of them retirees, along with the occasional farmer. A row of chairs had been cordoned off for observers. Benaloh was sitting pensively in the gallery, watching the flow of voters and keeping an eye on what they did with the yellow sheet that had the ElectionGuard verification code on it. Laurie Benaloh was timing how long it took a voter to move through the process, which turned out to be about five minutes. In larger municipalities, computerized voting machines often cause long lines because there are not enough of them to accommodate the crush of voters. This was not a problem in Fulton, where turnout was low and the ballot choices were limited. Benaloh rarely left his seat. At one point, I asked him whether, thirty years ago, he could have imagined his math turning into all of this. “If it were just me,” he said, “I’d still be in front of a blackboard—or maybe a whiteboard now—writing symbols. I’m just the theorist. I have ideas. I’m beside myself with joy, but I can’t take credit for making this happen.”

Benaloh singled out Defending Democracy’s director of strategic projects, Robert Carter. A self-described “products guy,” Carter, who goes by R. C., figures out how to move concepts off the page and into the market. His task with ElectionGuard, he told me, was to “productize Josh’s idea about end-to-end verifiability in a software-development kit that other venders can use.” It was Carter who reached out to VotingWorks, a nonprofit vender with whom Microsoft had a previous relationship, and oversaw the integration of ElectionGuard into its ballot-marking machinery.

In the past, VotingWorks, which launched in 2018 and is committed to open source, has been criticized by election-integrity advocates for creating a system that uses a QR code to tally votes. Because QR codes and bar codes are unreadable to the naked eye, there is no way to tell whether they accurately represent voter intent. (Researchers have shown that bar-code systems can be hacked. Defenders of such systems contend that this problem would be solved by a hand count or an R.L.A. of the human-readable ballot choices.) This unintelligibility would not be an issue for the ElectionGuard pilot, however, because the final tally would come from a hand count. But the VotingWorks system was turning out to be a problem for a different reason. Voters were reacting to the experience of using a computerized election system for the first time and missing the true novelty: they were participating in the first end-to-end verifiable election. “Since this is a different system than voters in this jurisdiction are accustomed to, and they may not appreciate the subtlety of getting two pieces of paper, I’m worried that ElectionGuard will get buried,” Benaloh said.

After the polls closed, at 8 P.M., the ballots were divided into piles of fifty to be fed into a scanner. Three hundred and ninety-eight people had voted, Connie Zimmerman announced, and there had been four spoiled ballots. As Benaloh had told me back in Redmond, spoiled ballots were central to his proof. The other fail-safe built into the process, Benaloh said, was that anyone could write a program to verify the outcome. “With a system that uses ElectionGuard, you, as a voter, can say, ‘Well, I don’t understand any of this math, but my candidate or political party or union or news source can run this through a verifier program to make sure the results are correct.’ ” He was already developing a verifier program with students at the University of Washington.

When the ballots were delivered to a panel of seven poll workers for the manual count, the crowd collected in the center of the room to watch. And then a funny thing happened: the hand count didn’t jibe with either the ElectionGuard or the VotingWorks tallies, which agreed with each other. There was a moment of whispered consternation, and then the poll workers went back to their stack of ballots and found that one of them had been put in the wrong pile and miscounted. A cheer went up: all three tallies matched. Benaloh’s math had added up. The ElectionGuard software had worked.

The next morning, as the Microsoft crew, bearing doughnuts and coffee, held a review session for voters to talk about their experience with ElectionGuard, I caught up with Burt, who had been up late, celebrating. “Last night was the first time we’ve had the actual experience of setting up in a polling place, collecting that data, encrypting it, counting it without decrypting it, doing all that, you know, mathematical wizardry and then having the result come out right,” he said. But the highlight for Burt came ten minutes after the hand count showed that ElectionGuard’s technology worked: “These two poll workers who had been there all day asked me to show them what this whole thing was about. So I just scanned their ElectionGuard codes on my phone and within seconds they could see that their vote was counted. And in both cases, the reaction was, ‘Wow, that’s really cool.’ Because it is really cool.” In the community room, Benaloh was talking to one of the seven voters who had shown up with their yellow ElectionGuard tracking sheets. “Just two years ago,” I heard Benaloh say, “all this was aspirational.”
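Burt’s phrase “encrypting it, counting it without decrypting it,” together with the earlier points about spoiled ballots being central to the proof and about anyone being able to write a verifier, describes a concrete piece of mathematics. The following is an added illustration, written for this page and not ElectionGuard’s own code: it uses the same building blocks the real system is built on (exponential ElGamal encryption, whose ciphertexts can be multiplied to add the votes inside them; a Chaum-Pedersen proof that the announced decryption is honest; and the cast-or-spoil check, in which a spoiled ballot’s encryption nonce is revealed so the voter can recompute it). Everything else is a simplification made here: a toy 10-bit group instead of a prime thousands of bits long, a single key holder instead of several trustees, and one yes/no contest. Function names and the sample ballots are constructed for the example.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this illustration and far too small
# for real use: p is a safe prime, q = (p - 1) / 2, and g generates the
# subgroup of order q. Real deployments use primes thousands of bits long.
P = 1019
Q = 509
G = 4


def keygen():
    """Election key pair: secret s, public h = g^s mod p (one trustee, a simplification)."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)


def encrypt(h, choice, nonce=None):
    """Exponential ElGamal: choice is 0 or 1 for a single candidate.

    Returns the ciphertext and the nonce used, so a voter who decides to
    spoil the ballot can be shown the nonce and recompute the encryption.
    """
    if nonce is None:
        nonce = secrets.randbelow(Q - 1) + 1
    a = pow(G, nonce, P)
    b = pow(G, choice, P) * pow(h, nonce, P) % P
    return (a, b), nonce


def check_spoiled_ballot(h, ciphertext, revealed_nonce, claimed_choice):
    """Cast-or-spoil challenge: the device reveals the nonce of a spoiled
    ballot and the voter checks it really encrypted the choice it claims."""
    recomputed, _ = encrypt(h, claimed_choice, revealed_nonce)
    return recomputed == ciphertext


def homomorphic_sum(ciphertexts):
    """Multiplying ciphertexts adds the plaintexts, so the tally is formed
    without decrypting any individual ballot."""
    a_total = b_total = 1
    for a, b in ciphertexts:
        a_total = a_total * a % P
        b_total = b_total * b % P
    return a_total, b_total


def challenge(*parts):
    """Fiat-Shamir challenge derived from everything the verifier will see."""
    data = ",".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def decrypt_with_proof(s, h, total):
    """Decrypt the aggregate and attach a Chaum-Pedersen proof that the
    published decryption share a^s was formed with the secret behind h."""
    a, b = total
    share = pow(a, s, P)
    w = secrets.randbelow(Q - 1) + 1
    k1, k2 = pow(G, w, P), pow(a, w, P)
    c = challenge(h, a, b, share, k1, k2)
    v = (w + c * s) % Q
    g_to_tally = b * pow(share, -1, P) % P
    # The tally is at most the number of ballots, so a linear search for the
    # discrete log is cheap.
    tally, acc = 0, 1
    while acc != g_to_tally:
        acc = acc * G % P
        tally += 1
        if tally > Q:
            raise ValueError("decryption did not yield a valid tally")
    return tally, {"share": share, "k1": k1, "k2": k2, "v": v}


def verify_tally(h, ciphertexts, claimed_tally, proof):
    """What an independent verifier program does: recompute the aggregate
    from the published ciphertexts, check the proof, then check the tally."""
    a, b = homomorphic_sum(ciphertexts)
    share, k1, k2, v = (proof[k] for k in ("share", "k1", "k2", "v"))
    c = challenge(h, a, b, share, k1, k2)
    if pow(G, v, P) != k1 * pow(h, c, P) % P:
        return False  # share was not formed with the election secret
    if pow(a, v, P) != k2 * pow(share, c, P) % P:
        return False  # share does not belong to this aggregate
    return pow(G, claimed_tally, P) == b * pow(share, -1, P) % P


if __name__ == "__main__":
    s, h = keygen()
    votes = (1, 0, 1, 1, 0)  # constructed sample ballots
    published = [encrypt(h, m)[0] for m in votes]
    tally, proof = decrypt_with_proof(s, h, homomorphic_sum(published))
    print("tally:", tally, "verifies:", verify_tally(h, published, tally, proof))
```

The verifier never needs the secret key or the individual votes, only the published ciphertexts, the public key and the proof, which is why a party, a union or a newsroom can run it. Changing a published ballot after the fact, or announcing a different total, makes `verify_tally` return `False`; the spoiled-ballot check is what lets a voter confirm, before casting, that the machine encrypted what the screen showed.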

There were still years of work to do—more code to be written to enable ElectionGuard to function with other voting systems, more conversations with election officials, more pilot projects in other jurisdictions, more outreach to venders to convince them to add ElectionGuard to their products. With the 2020 election out of reach, Burt was aiming for a soft rollout over the next four years. For now, the pilot was evidence that technology, which, in so many ways, has complicated elections and made them less secure, was able, if only in this very particular way, to strengthen the electoral process. “It’s going to be a significant benefit to the voting public and to their trust in the system,” Burt said.

Even with end-to-end verifiability, though, the voting process remains at risk. Microsoft is not challenging the existing business model of election venders, some of which run their devices on Microsoft’s Windows operating system—the company is ignoring it. Adding ElectionGuard to voting machines does not eliminate private equity’s ownership of the electoral system or take unsecured, impossible-to-audit voting machines out of circulation. Vote-by-mail, which may become the preferred method of voting in light of the global pandemic, presents its own problems, because filling out ballots in private at home or in the workplace could lead to the kinds of coercion that the secret ballot was meant to curtail. And the prospect of hacking by foreign adversaries—or by any malign actor—will always be present in a system as decentralized and inconstant as the one that grew out of that single line in the Constitution. “I’m not going to claim that we have any way of securing elections, and that’s a problem,” Benaloh told me. “We’ve got an asymmetric battle with nation-state actors who are attacking little counties, and they can destroy data and they can corrupt data and they can do all sorts of things. But I am claiming that adding end-to-end verifiability makes any tampering with the data detectable—and not just by election officials, but detectable by you and me and candidates and news media and anybody else. And that’s a real value.”