Protecting democratic elections through secure, verifiable voting


Today, at the Microsoft Build developer conference, CEO Satya Nadella announced ElectionGuard, a free open-source software development kit (SDK) from our Defending Democracy Program. ElectionGuard will make voting secure, more accessible, and more efficient anywhere it’s used in the United States or in democratic nations around the world. ElectionGuard, developed with the assistance of our partner Galois, will be available starting this summer to election officials and election technology suppliers who can incorporate the technology into voting systems. Among ElectionGuard’s many benefits, it will enable end-to-end verification of elections, open results to third-party organizations for secure validation, and allow individual voters to confirm their votes were correctly counted.

We are also announcing today that we have partnered with major election technology suppliers who are exploring the integration of ElectionGuard into their voting systems. We currently have partnerships with election technology suppliers responsible for more than half of the voting machines sold in the U.S. To help these partners, other vendors and election officials to visualize how ElectionGuard can modernize and secure the vote, we are building a reference voting system, which we will make public later this year, that will showcase the capabilities that ElectionGuard enables.

We believe technology companies have a responsibility to help protect our democratic processes and institutions. Modern technology can be used to ensure the voting process is resilient. At the same time, ElectionGuard is not intended to replace paper ballots but rather to supplement and improve systems that rely on them, and it is not designed to support internet voting. In short, ElectionGuard is a new tool for use by the existing election community and government entities that run elections.

ElectionGuard can be used to build systems with five major benefits that will protect the vote against tampering by anyone, and improve the voting process for citizens and officials:

  • Verifiable: Allowing voters and third-party organizations to verify election results.
  • Secure: Built with advanced encryption techniques developed by Microsoft Research.
  • Auditable: Supporting risk-limiting audits that help assure the accuracy of elections.
  • Open source: Free and flexible with the ability to be used with off-the-shelf hardware.
  • Make voting better: Supporting standard accessibility tools and improving the voting experience.

Verifiable

ElectionGuard democratizes the ability to verify election results by enabling direct public confirmation of the accuracy of those results. Voters are able to verify the correct recording of their votes, and anyone – including voters themselves – can verify that all of the recorded votes are correctly counted. As with current election systems, voters will remain unable to disclose their recorded votes to protect their privacy.

ElectionGuard verification is accomplished in two ways.

First, ElectionGuard provides each voter a tracker with a unique code that can be used to follow an encrypted version of the vote through the entire election process via a web portal provided by election authorities. During the process of vote-casting, voters have an optional step that allows them to confirm that their trackers and encrypted votes accurately reflect their selections. But once a vote is cast, neither the tracker nor any data provided through the web portal can be used to reveal the contents of the vote. After the election is complete, the tracker codes can be used by voters to confirm that their votes were not altered or tampered with and that they were properly counted.

Second, ElectionGuard also includes an open specification – or a road map – which allows anyone to write an election verifier. Voters, candidates, news media and any observers can run verifiers of their own or downloaded from sources of their choosing to confirm tabulations are as reported. The combination of the tracker – which allows individual voters to verify that their votes have been accurately recorded – and the verifier – which allows anyone to verify that the recorded votes have been accurately counted – enables full “end-to-end verification” of the correctness of election results. It will not be possible to “hack” the vote without detection.

ElectionGuard provides a complete implementation of end-to-end verifiable elections. It is designed to work with systems that use paper ballots, supplementing today’s tabulation process by providing a means of public verification of the accuracy of reported results.

Secure

To enable these two forms of verification, ElectionGuard uses homomorphic encryption, which allows mathematical procedures such as counting to be performed on fully encrypted data. The use of homomorphic encryption in election systems has been pioneered by Microsoft Research under the leadership of Senior Cryptographer Josh Benaloh. With homomorphic encryption, individually encrypted votes can be combined to form an encrypted tabulation of all votes which can then be decrypted to produce an election tally that protects voter privacy. By running an open election verifier, anyone can securely confirm that the encrypted votes have been correctly aggregated and that this encrypted tabulation has been correctly decrypted to produce the final tally. This process allows anyone to verify the correct counting of votes by inspecting the public election record, while keeping voting records secure. The use of homomorphic encryption to enable verification is separate from and in addition to the process of paper ballots counted as an official election tally.
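The aggregate-then-decrypt tally and the verifier check described above, as an added example that is not ElectionGuard code: it assumes exponential ElGamal as the homomorphic scheme and a Chaum-Pedersen proof for the decryption check (the page names neither), over a constructed toy group far too small for real use. All function names are hypothetical.

```python
import hashlib
import secrets

# Toy group (constructed, insecure size): P = 2Q + 1, G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def keygen():
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)

def encrypt(pub, vote):
    """Exponential ElGamal: encrypt g^vote so that multiplying ciphertexts adds votes."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(pub, r, P) % P

def aggregate(ciphertexts):
    """Anyone can recompute this from the public record; no key is needed."""
    a, b = 1, 1
    for ca, cb in ciphertexts:
        a, b = a * ca % P, b * cb % P
    return a, b

def challenge(*vals):
    return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest(), "big") % Q

def decrypt_with_proof(secret, pub, agg, max_votes):
    """Authority publishes the tally, a^s, and a proof that a^s uses the same s as pub."""
    a, b = agg
    m = pow(a, secret, P)                              # decryption share a^s
    tally = next(t for t in range(max_votes + 1) if pow(G, t, P) * m % P == b)
    w = secrets.randbelow(Q)
    c = challenge(pub, a, m, pow(G, w, P), pow(a, w, P))
    return tally, m, (c, (w + c * secret) % Q)

def verify(pub, ciphertexts, published_agg, tally, m, proof):
    """Independent verifier: re-aggregate the record, then check the decryption."""
    if aggregate(ciphertexts) != published_agg:
        return False
    (a, b), (c, v) = published_agg, proof
    t1 = pow(G, v, P) * pow(pub, -c, P) % P            # recovers g^w if proof is honest
    t2 = pow(a, v, P) * pow(m, -c, P) % P              # recovers a^w if proof is honest
    return c == challenge(pub, a, m, t1, t2) and b == pow(G, tally, P) * m % P

def demo(votes=(1, 0, 1, 1, 0, 1)):                    # constructed sample ballots
    s, pub = keygen()
    cts = [encrypt(pub, v) for v in votes]
    agg = aggregate(cts)
    tally, m, proof = decrypt_with_proof(s, pub, agg, len(votes))
    return tally, verify(pub, cts, agg, tally, m, proof)
```

Per-ballot validity proofs (that each ciphertext encrypts 0 or 1) and splitting the key among several trustees are left out here; a deployable scheme needs both.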

Auditable

Auditing the outcomes of elections further helps increase public confidence in the outcome as well as improving operational performance of elections. In addition to the public verification enabled by ElectionGuard, the SDK explicitly supports an enhanced form of statistical administrative auditing. Efficient risk-limiting audits are conducted by election officials with the aid of an electronic record of every ballot cast in an election. In this process, ballot records are selected at random and then compared against corresponding paper ballots to confirm that they match. By individually comparing paper against corresponding electronic records, high confidence in an election result can be achieved by examining far fewer ballots than would be necessary by traditional means. The process used by ElectionGuard allows these efficient risk-limiting audits to be publicly observable and verifiable without publishing the full set of electronic vote records.

Open source

The ElectionGuard SDK, as well as components of the reference voting system we’re building, will be released under the MIT Open Source License and made available on GitHub. Microsoft is offering this software to the election industry free of charge and with the intent of election technology vendors adopting components as they see fit. The SDK is designed to be used stand-alone or easily integrated as part of a vendor’s larger system. Because it’s open source, ElectionGuard can be used not just on devices running Windows but on off-the-shelf devices from other major technology companies as well as custom hardware designed by election technology suppliers. We believe this will enable ElectionGuard to be deployed in a variety of ways.

Make voting better

Microsoft’s mission is to empower every person on the planet to achieve more, and that commitment extends to those with disabilities who want to exercise their right to vote. Disability advocates we speak with want primary voting systems that are more accessible. The reference voting system we are building will demonstrate how ElectionGuard can be combined with readily available devices to build accessibility into the primary systems everyone uses.

We also wanted to make the whole voting experience easier and more modern for everyone and spent significant time thinking about the challenges people face on election day. One frustration is the difficulty of doing research on candidates and initiatives at the polling place. Our sample reference will showcase how people can make their selections at home, where they can easily research their choices, then bring a QR code to the polling place to scan and pre-populate their ballot.

When it’s time to vote, ElectionGuard supports the use of standard tablets and PCs running a variety of operating systems as a ballot marking device, which can be used to create an interface that looks and feels like modern applications people interact with every day on their phones and tablets. After people make their choices, their selections can be printed on a physical sheet of paper that they can review for accuracy and place in the ballot box as the official record of their vote.

Finally, voters will receive trackers that confirm their votes and can be used to verify that their votes were counted correctly after an election. ElectionGuard can also be used to enable optional scenarios for people to share on social media the fact that they voted, serving as a virtual “I voted” sticker encouraging others to participate in the democratic process.

Partnerships

We are working with a range of election technology suppliers who are excited to explore incorporating ElectionGuard into their current offerings or build new product lines incorporating the technology. These partnerships represent organizations that supply more than half of the voting systems used in the United States today including Democracy Live, Election Systems & Software, Hart InterCivic, BPro, MicroVote, and VotingWorks. We will continue to work with these partners, and any other interested vendors, over the coming months as they evaluate ElectionGuard. The early feedback has been exciting.

The code for ElectionGuard is being built together with our development partner, Galois. We are excited that Galois recently received $10 million in funding from DARPA to build a demonstration voting system to help evaluate secure hardware DARPA researchers are developing as part of a separate DARPA program. The agency views ensuring the integrity and security of the election process as a critical national security concern and plans to implement the ElectionGuard SDK as part of their effort to enable an end-to-end verifiable component in future versions of their demonstration voting system. It is encouraging to see DARPA investing in technology, which will not only find an application in securing the voting process but could contribute to more secure and transparent computing for a variety of devices and applications.

We are also pleased to announce a partnership with Columbia University’s Columbia World Projects. Columbia professors in statistics, political science, computer science, and international and public affairs and Microsoft will be joining forces to bring ElectionGuard to life by piloting the technology in the coming election cycle.

Availability

The ElectionGuard SDK will be available through GitHub beginning this summer. We encourage the election technology community to begin building offerings based on this technology and expect early prototypes using ElectionGuard will be ready for piloting during the 2020 elections in the United States, with significant deployments for subsequent election cycles. Over time we will seek to update and improve the SDK to support additional voting scenarios such as mail-in ballots and ranked choice voting. Microsoft will not charge for using ElectionGuard and will not profit from partnering with election technology suppliers that incorporate it into their products.
