IT WAS NOT the first time Dana DeBeauvoir had moved a room full of men. At 9 o'clock in the morning on August 8, 2011, she adjusted a pair of half-frame reading glasses on the end of her nose, got up behind a tabletop podium in a downtown San Francisco hotel, and set out to enlist some of her most bitter adversaries in a dare. “I really appreciate the opportunity to visit with you today,” she began in a warm tone of Southern geniality, flashing a wide, radiant smile.
DeBeauvoir (pronounced day-buv-WAH) introduced herself as the chief clerk and election administrator of Travis County, Texas, better known as the home of Austin. She was dressed in a dark tailored jacket and ruffled blouse, with nails polished in her favorite candy-apple red. Gazing back at her was an audience of academics, computer scientists, and hacktivists, whose collective occupation was warning the American people that the country's election technology was dangerously vulnerable. Most of them slouched around banquet tables in the programmer's uniform of mussed hair, rounded paunches, and untucked shirts. They were assembled for one of the nation's preeminent conferences on election technology, and DeBeauvoir—who had a fairly average grasp of computers—was the event's unlikely keynote speaker.
Trying to break the ice, she stammered through a yuk-yuk computer joke that strung together references to Python and CherryPy 3.2.0. It was greeted with scattered snickers. Then she cut the air by acknowledging what everyone already knew: “There's some unpleasantness here.”
The room had been bracing for this. For the past 10 years, county election officials like DeBeauvoir and cybersecurity experts like those in the audience had been mired in opposing trenches. The “unpleasantness” began in 2002, when the lingering debacle of Florida's butterfly ballots prompted Congress to authorize billions of dollars for states to buy new digital voting machines. Among the most popular were devices known as DREs, direct-recording electronic voting machines. No sooner had they been taken out of the box, however, than a wave of computer scientists appeared over the hill like a guerrilla infantry. They assailed the machines' embarrassing security flaws and excoriated the technology vendors who built them.
But it was the nation's election administrators—the 10,000 or so secretaries of state, county clerks, and township presidents who actually ran the country's elections—who ended up taking all the heat. When local voters skimmed an incendiary op-ed that claimed the governor's race could be hacked, they didn't complain to the obscure manufacturers that virtually monopolize American voting; they called on their clerks, upset and confused. If for nothing but to quell mass panic, many election clerks had by the mid-2000s firmly locked arms with one another, pounding the same adamant message: They told voters to ignore the scientists, whom they portrayed as reckless doomsayers, and insisted that their machines were secure.
Many knew that wasn't true, but that was beside the point. From then on, the two sides eyed each other spitefully. The computer scientists took potshots from tech conferences and C-SPAN; the clerks hurled guff from local papers and town halls. The academics showed a hacker's flair for theatrics. They dug up voting machines whose encryption codes were “abcde,” and they cooked up malware that forced DREs to run Pac-Man or swing elections for Benedict Arnold. One professor and his grad students hacked the real-life voting system of Washington, DC—forcing the machines' auxiliary speakers to blast a school fight song and changing the ballot choices to “Bender” and “Hal 9000.”
One of the earliest stuntmen was a Texas professor named Dan Wallach. In 2001 he was called to testify about electronic voting machines before the city council in Houston, where he taught computer science at Rice University. During his testimony, Wallach stood up, crossed the hearing room, and opened a voting machine's hatch, pulling out its PCMCIA memory card. “This is where the votes are,” he said, waving the card while cameras clicked. “This can be attacked.”
Soon Wallach was accepting invitations to speak all across Texas, often leaving a trail of angry election officials fuming in his dust cloud. It was inevitable that he would eventually lock antlers with one of the most powerful clerks in Texas: Dana DeBeauvoir.
DeBeauvoir had been one of the first clerks in the country to adopt DREs, outfitting Travis County with a model called the Hart eSlate. Soon, she and Wallach were going to war in the pages of The Austin Chronicle. Wallach lambasted the voting machine manufacturers for keeping their code secret instead of going open source. “The bad guys can tear it apart,” he told the paper. DeBeauvoir responded with measured reassurance but had sharp words for Wallach and his ilk. She told the paper that she was bending over backward to secure the machines—all for “appeasing a worry that is a little dubious.” She torched Wallach's rhetoric as “awful” and “unfair” and later called him “a rock-thrower.”
By 2011 this history was well known to everyone assembled in the conference room of the San Francisco Westin—where Wallach himself sat in the audience, watching DeBeauvoir from a distance.
Onstage, DeBeauvoir found her bearings and then turned up the heat. She wanted the computer scientists to know what the past decade had been like for her. She was tired of seeing clerks “vilified by electronic voting critics who made broad sweeping statements”—attacks that denigrated not just machines but “the people who administered them.” Every year the broadsides continued, “without any advice to those of us who are in the field.” She accused the academics of doing little to quell the conspiracy theories their research tended to spawn, meaning that “academic papers and internet rumors were often given equal weight in the public discourse.” All this while she toiled endlessly just to convince citizens and politicians that elections were fair.
DeBeauvoir was practically seething, and the audience shifted nervously. Then, out of nowhere, she changed tack. Lately, DeBeauvoir confessed, she'd begun to see things from their perspective. Once upon a time, the specter of malware and advanced persistent threats felt “like science fiction.” Now she'd come to understand that the scientists had felt ignored as much as she had. For the first time, a room of computer experts heard sounds of real sympathy from the mouth of an elections official. “For you, I imagine it felt—as we would say in Texas—like hollerin' down a well,” DeBeauvoir said. Today, she wanted the scientists to know “how much this country needs your wisdom, your knowledge of science”—and help.
She had come to the conference with one purpose: to invite the computer scientists to design a new voting system entirely from scratch. It would have a paper trail, an easy-to-use interface, and the greatest security conceivable. And, she declared, “The. Source. Code. Must. Be. Open.”
By now, the attendees were frozen in stunned silence. One later recalled it was all he could do not to fall off his chair. It was as if someone from the IRA had breezed through the door and casually declared peace in Northern Ireland. But DeBeauvoir was in earnest. “The finding of a problem also comes with the obligation to help find a solution,” she chided them. “May I suggest to you: Now is the time when you can put your mark on the future,” she declared. “And you can use Travis County to make that mark.”
DeBeauvoir had started her speech as a visitor from a hostile tribe. She ended it to fervent applause. When she opened the floor to questions, people rushed to the microphone. One was a computer scientist named Josh Benaloh, who was so excited he began brainstorming on the spot. “There are some other methods that might provide even greater assurance,” he said cryptically. “I'd love to talk to you about it.”
She pointed to another hand that shot up and realized it belonged to Dan Wallach. “I've been involved in Texas politics for long enough now to know that change in Austin doesn't happen easily,” Wallach said dryly. “How are you gonna pull this off?”
“I might not!” DeBeauvoir shot back, to nervous laughter. But she felt obligated to try. Since Bush v. Gore, voting technology had barely improved in the richest country on earth. Over the previous decade, while civil servants and computer scientists had been at each other's throats, the vendors had been content to keep churning out the same mediocre and overpriced equipment. “Ten years!” she said. “And what's changed?”
She'd been raised in the Lone Star philosophy of asking forgiveness, not permission: “Ignore the obstacles, screw the rules, go get something better.” The crowd of PhDs was studying her skeptically, and DeBeauvoir stared right back. “I'm an Austinite,” she said flatly. “We're an odd mix of dreamers and realists. And if the establishment says it can't be done—well, you can bet that's the one thing we're gonna be hell bent to go do.”
DANA DEBEAUVOIR WAS born in Fort Worth and grew up in nearby Arlington, the oldest of four siblings. In school, teachers lauded the plucky kid with good grades. They also noticed a precocious tendency to shout down bullies and shoo them away from prey. That was the only sign something might be wrong. As DeBeauvoir reflects, “I guess I was a good actress.”
The truth was, DeBeauvoir was trapped in a nightmare. Since the age of 9, a dark cloud of sexual abuse at the hands of an adult had hung over her childhood. “There was no help.” She understood nothing would be done, nothing could be done—“except to plan my escape,” she says. “Which I did.”
At 18, DeBeauvoir set out on her own. She worked in an orthodontist's office, ravenous to attend college. Later, her therapists would suggest that her intelligence was a key factor in her ability to survive the trauma of her upbringing. Another was that, even as a child, DeBeauvoir had little trouble recognizing that it was the adults in her life who were morally wrong, not her—a realization that placed her in a tiny minority of child victims. The experience “made for a lousy childhood,” she says. It also made for an exceptionally clear-eyed adult. DeBeauvoir worked herself to the bone, attending the University of Texas at Arlington three years after leaving home. As she put it, “Education was my ticket out of abuse.”
By then, her acute sense of injustice had pushed her toward public service. In 1979 she arrived at the LBJ School of Public Affairs, one of the premier policy schools in the country. For the first time, DeBeauvoir had found her people: puzzle solvers and brilliant pragmatists, students who'd otherwise fetch a killing in the private sector but who dreamed of a life in public service. Her professors included New Deal visionaries like Wilbur Cohen, “the man who built Medicare,” as well as the little-recognized postmaster general who instituted the zip code system.
After graduating, she took a job in Austin, working for the local tax assessor. But soon her boss encouraged her to run for office. She won her first election, and in 1987 became the clerk of Travis County at age 32. “I was very green to politics,” she says. “I didn't know anything, really.” But she had faith in the power of competence. “That would be the inscription on my tombstone—‘Be competent,’” DeBeauvoir laughs. “Either that or ‘She ate life with a big spoon.’”
As the clerk of the state's fourth-largest city, DeBeauvoir had to manage a sprawling bureaucracy: property deeds, marriage licenses, and—this being Texas—steer branding. She also had to hold her own in the male-dominated world of Texas politics, “a boots and bellies convention,” as she puts it dryly. What she lacked in managerial experience she far exceeded with heart-melting charm and a bottomless patience for details. In her private life, she was drawn to tinkerers and engineers. In Austin she fell deeply in love with a man named Ben Smithers, an Eagle Scout who raced sailboats, cycled competitively, played several instruments, and built airplanes by hand. They were married on her grandmother's birthday, to honor the only person DeBeauvoir could trust during years of abuse.
But the part of DeBeauvoir's job she was least prepared for was the one she'd have to tackle first: running Austin's elections. She'd volunteered in one election before she took office to see how the “back of the house” worked. But the LBJ School had skipped over the subject entirely. And she would have to learn fast. The first election was less than six months away—just one in the parade of school board votes, township primaries, and Supreme Court contests that make running an elections office a year-round job. “Just thrown into the job!” she says. And her experience was far from unusual. “For a hundred and fifty years, the way we brought up our elections officials has always been trial by fire,” she says. “We kind of fall into it.”
DURING THAT SAME spring of 1987, while the new Travis County clerk was deciphering election law in Texas, a young mathematician 1,500 miles away at Yale University was submitting a doctoral dissertation that would eventually change the course of DeBeauvoir's life. The paper was called “Verifiable Secret-Ballot Elections,” and its author was Josh Benaloh, then a 28-year-old grad student. Because of new techniques in cryptography, it began, mathematicians could now perform “tasks that seem to defy intuition.” Those techniques, he wrote, made it theoretically possible to construct an election in which everyone's ballot could remain completely secret, while, at the same time, the record of everyone's vote could be “verifiable by all participants”—like a rabbit that's pulled out of a magician's hat and stays hidden inside it at the same time.
Back then, the field of modern cryptography was still young. Encryption had been around since forever—from the ancient Greeks of the Peloponnesian War to the rotor ciphers of World War I. But with the advent of public key cryptography in the 1970s, life as we knew it changed. It would allow ordinary people, not just governments, to cheaply encrypt and authenticate messages between parties; transactions as varied as bank transfers and exchanges between journalists and sources could all be shielded from prying eyes.
The most famous method of public key cryptography was called RSA—after its founders, Ron Rivest, Adi Shamir, and Leonard Adleman—which was first described by its authors to Scientific American in 1977. Benaloh was a freshman at MIT when he happened to read that first article at an optometry appointment. The child of activist parents, Benaloh had prodigious gifts in math that were matched by an abiding interest in politics. (As a kid, he spent time in a campaign office for the feminist Bella Abzug.) At MIT in 1981, he signed up for a class on cryptography taught by Rivest. And it was there that Benaloh first began toying with the idea of marrying encryption with electronic voting.
To grasp why this prospect is both so tantalizing and so devilishly challenging, it helps to remember that there are many different kinds of voting. One of them is the method that the House of Representatives has used to pass legislation since the early 1970s. Inside the Capitol, members of Congress cast their votes on a custom-designed machine by inserting a special ID card. When their name appears onscreen, they can choose Yea, Nay, or Present. Then they remove their ID card, et voilà—democracy.
As hardware and software go, the machines that tally Congress' votes are the opposite of secure; hacking them would be child's play. So why don't the North Koreans tamper with congressional votes? Because of what hangs above the balcony on the chamber's south wall: a giant electronic display board, the world's most boring jumbotron, where votes are displayed next to every member's name. A congressperson whose vote was hacked need only lift their eyes to catch the mistake, raise a hackle, and correct the problem.
Believe it or not, American public elections operated in much the same way until the late 1800s. They took place in mass public gatherings—not private deliberations of conscience, but large and boisterous affairs. Often, farmers or laborers chose between rival candidates' crowds as a poll clerk counted heads, and onlookers cheered and hissed. If voting still worked this way, running a trustworthy election would be a cakewalk. “It would be easy,” says Ben Adida, another acolyte of Rivest who has worked on cryptographic voting. “You'd still use computers. But trusting them would be simple. You could just put up a big spreadsheet of how everyone voted.”
The reason we can't is maddeningly simple: the secret ballot. By the late 1800s, vote selling and coercion had become so rampant in electoral politics that reformers stepped in. The secret ballot, appropriated from Australia, became their main weapon against corruption and graft. If Bob's ballot must be anonymous, then he can't be bullied or bribed into voting for Alice's candidate—because Alice can't check to make sure Bob followed through on the bargain.
This system of secret ballots had a profound consequence, however: If a voter can never share their ballot, they can never verify it either. The moment your vote is cast, it becomes dissociated from you, indistinguishable from the others in a stream of paper. You can never know if your vote was counted, or counted accurately—whether your ballot sailed through, got jammed in the machine, or was abandoned in a lobby with a sack full of other votes (as happened in Connecticut in 2010).
In short, modern elections enshrine privacy at the cost of transparency, and try to compensate for the loss with a host of bureaucratic patches: voter-registration schemes to prevent people from voting twice, tally systems that ensure the number of voters matches the ballot total, and centralized polling places where rival election monitors can scrutinize the proceedings, all to impart legitimacy to a system of vanishing ballots. “If you want to understand why elections are hard, it's because of the secret ballot,” says Adida—that's the single variable “that introduces all of the operational complexity and trust.” Not for nothing did a leading technology conference recently declare voting the “hardest problem in IT security.”
At MIT, Rivest tossed a paper onto Benaloh's desk that contained a clue to how that problem might be cracked. Mathematicians had noticed something funny about the structure of RSA encryption, which Rivest suspected might have beneficial uses. When a piece of text is digitized, it's rendered into a series of 1s and 0s; and when it's encrypted, those underlying 1s and 0s are transformed, through multiplication with a very large, randomly generated prime number, into what's called a ciphertext. What the mathematicians had understood was that when two ciphertexts are added or multiplied together, the result maintains a stable mathematical relationship with the original, unencrypted “plaintexts”—a relationship called a homomorphism. Say you wanted to add 2 + 4. This homomorphic principle allowed you to encrypt those two numbers, then add them together without decrypting them, and the sum would be an encryption of the number 6.
Benaloh's curiosity was set ablaze; he quickly understood that homomorphic cryptography, as it came to be called, had a perfect use case: voting in elections. On its face, traditional cryptography would seem pretty useless in an election, given that encrypting a vote is like sticking it inside a lockbox. How do you tally votes trapped inside a sea of lockboxes, which can't be opened and can't be seen? But an election, of course, is most fundamentally a process of counting votes—of adding things together. Homomorphic encryption made it possible to tally a set of votes even though they were encrypted. And at the same time, it unlocked a host of other benefits.
In 1987, Benaloh's thesis at Yale spelled out how a homomorphically encrypted voting scheme would come to life. First, voters would need access to a machine that could perform advanced cryptography. When they cast their ballot, each digital vote would start out as a simple binary—1 for Biden, 0 for Trump—but its ciphertext might be thousands of characters long. Rather than send voters home with a binder full of hexadecimal gibberish, the computer would print the ciphertext as something much smaller: a hash code, much like how a URL is shortened into a Bit.ly. That would serve as the voter's unique receipt, which they would keep and carry away with them.
At the end of the night, when the computers stopped whirring, all those encrypted votes would be added together. A small number of election officials—the county clerk, the secretary of state—would possess a key that allowed them to decrypt the sum. They'd compare the columns of votes for each candidate and reveal the winner.
Thanks to the nature of the math involved, those resulting sums would also be verifiable by independent outside observers. After the election, all the encrypted votes could be posted on a public, online bulletin board for all to inspect. Using a set of mathematical operations called Chaum-Pedersen protocols, auditors would be able to crunch all those ciphertexts to arrive at what cryptographers call a non-interactive zero-knowledge proof: “Proof that the vote is correctly captured,” Benaloh explained, but without any way to know whose ballot said what.
But the thing that excited Benaloh most was what this scheme would mean for individual voters. When a voter left the polling place, clutching a receipt that bore their unique hash code, they could go home and perform a search for its twin among all the encrypted ballots on that massive public bulletin board. For the first time, elections would not only be verifiable, but people could be certain whether their specific vote had been counted, all without violating the secret ballot.
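The scheme described above (encrypted 0/1 votes, a hash-code receipt, a sum that is decrypted without opening any single ballot, a Chaum-Pedersen proof, and the voter's bulletin-board lookup) can be followed end to end in this added Python example, which is not code from Benaloh's thesis or from STAR-Vote. It assumes exponential ElGamal as the additively homomorphic scheme, since the article does not name one, and the toy group parameters, function names, and sample votes are constructed for illustration.

```python
import hashlib
import secrets

# Toy parameters constructed for this example (far too small for real use):
# P = 2Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4


def keygen():
    """Election key pair: x stays with the officials, h = G^x is published."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(h, vote):
    """Exponential ElGamal: the 0/1 vote sits in the exponent of G."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(G, vote, P) * pow(h, r, P)) % P


def receipt(ballot_id, ct):
    """Short hash code of the posted ballot, printed for the voter."""
    data = f"{ballot_id}:{ct[0]}:{ct[1]}".encode()
    return hashlib.sha256(data).hexdigest()[:16]


def aggregate(board):
    """Multiply ciphertexts componentwise: the product encrypts the vote sum."""
    a, b = 1, 1
    for _, (ca, cb) in board:
        a, b = (a * ca) % P, (b * cb) % P
    return a, b


def challenge(*values):
    """Fiat-Shamir challenge: hash the public proof transcript into Z_Q."""
    data = ":".join(str(v) for v in values).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def decrypt_total(x, h, board):
    """Officials decrypt only the aggregate and prove they used the real key."""
    a, b = aggregate(board)
    d = pow(a, x, P)                      # decryption factor a^x
    g_total = (b * pow(d, -1, P)) % P     # equals G^(sum of votes)
    total = next(m for m in range(len(board) + 1) if pow(G, m, P) == g_total)
    # Chaum-Pedersen: prove log_G(h) == log_a(d) without revealing x.
    w = secrets.randbelow(Q - 1) + 1
    t1, t2 = pow(G, w, P), pow(a, w, P)
    s = (w + challenge(h, a, d, t1, t2) * x) % Q
    return total, d, (t1, t2, s)


def verify_tally(h, board, claimed_total, d, proof):
    """Any observer re-derives the aggregate and checks the proof and total."""
    a, b = aggregate(board)
    t1, t2, s = proof
    c = challenge(h, a, d, t1, t2)
    proof_ok = (pow(G, s, P) == (t1 * pow(h, c, P)) % P
                and pow(a, s, P) == (t2 * pow(d, c, P)) % P)
    return proof_ok and b == (pow(G, claimed_total, P) * d) % P


def voter_finds_ballot(board, code):
    """A voter searches the public board for the twin of their receipt."""
    return any(receipt(bid, ct) == code for bid, ct in board)


def run_election(votes):
    """Constructed sample election; returns what an outside auditor would see."""
    x, h = keygen()
    board, receipts = [], []
    for ballot_id, vote in enumerate(votes):
        ct = encrypt(h, vote)
        board.append((ballot_id, ct))
        receipts.append(receipt(ballot_id, ct))
    total, d, proof = decrypt_total(x, h, board)
    return {
        "total": total,
        "tally_verifies": verify_tally(h, board, total, d, proof),
        "wrong_total_verifies": verify_tally(h, board, total + 1, d, proof),
        "all_receipts_found": all(voter_finds_ballot(board, c) for c in receipts),
        # Simulate a tampered board with the first ballot deleted.
        "deleted_ballot_found": voter_finds_ballot(board[1:], receipts[0]),
    }


if __name__ == "__main__":
    print(run_election([1, 0, 1, 1, 0]))
```

A real system would also require a proof that each posted ciphertext encrypts 0 or 1, so that a single ballot cannot smuggle extra votes into the sum; that check is omitted here.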
Crucially, Benaloh was not setting out to design an “unhackable” voting machine, an idea he regarded as a chimera. “We don't know how to build bug-free code,” he says. Instead, what homomorphic cryptography offered was a beguiling twist on the congressional jumbotron. While the Russians or Chinese might wish to hack such a system, little would be achieved in the effort: In a network whose votes are rendered as gibberish, how could you know whose votes you stole? Moreover, should Fancy Bear attempt to delete 30,000 ballots in Milwaukee, the verifiability protocols meant they would be caught, probably minutes into the act—a downstream effect of giving voters a receipt to track their ballot from home. “The whole notion of end-to-end verifiability is not to say that a system can't be attacked,” says Benaloh. “Rather than ‘prevention,’ it's all about detection.”
His paper, he says, was “just a small step” in the broad scheme of cryptography. But that step contained the kernel of a radical notion. Since RSA, nearly every aspect of life had become verifiable, from the groceries we bought on our credit card to the suspicious-looking stereo we didn't. It seemed odd to Benaloh how few people had thought the same way about voting—what seemed to him like an act of public faith, when it should be a process of verifiable math. In 1994, Benaloh went to work for Microsoft, where he put his voting proposal on the shelf. But for the next 15 years, he never stopped evangelizing about homomorphic cryptography to any person who would listen.
One of them was Dan Wallach, whose crusade against unsafe voting machines was already underway. In 2007, Benaloh and Wallach discovered they were both at the same technology conference—convened in a sprawling castle near the Germany-Luxembourg border. On a forest hike, Benaloh relentlessly pressed his idea for more than an hour, just long enough for Wallach to get his head around the concept.
By then, Wallach had been involved in some of the most damning research on DREs, including a major investigation by the state of California. He was fixated on preventing malware from getting in. He had never considered a voting system that, by its nature, wasn't worth hacking in the first place. “That,” Wallach says, “was the turning point.” He became a convert. With his grad students, Wallach even built an experimental system called VoteBox, a bubble-gum-and-band-aid project that replicated the homomorphic approach.
DeBeauvoir knew none of this history when she turned up in San Francisco in 2011. When she extended her hand from the podium, beseeching the room's technologists to build a new system, Wallach and Benaloh locked eyes from across the room. “Are you punking me?” Wallach recalls thinking. In the laggardly world of elections, he says, “this just never happens.”
The truth was, DeBeauvoir had no interest in reinventing elections. She was simply tired of feeling trapped by bad technology. “I got angry,” she says. “The election vendors pissed me off.” So did the math professors, “wasting all that brainpower.” She had no clue a system like Benaloh's was even conceivable. But she sensed that her predicament was unconscionable: Google was busy building self-driving cars. How was it that our voting technology was routinely hacked by grad students?
A week later, DeBeauvoir called Wallach. Would he lead the design for a new kind of voting system? Wallach agreed on one condition, which he put in the form of a question. “Can I bring some friends?”
WHILE NEWS ABOUT the project spread in the elections world, Wallach started to assemble a posse. Exactly what they would be building, no one was quite sure. But the goals of the design were laid out early—a voting machine that would be secure, transparent, auditable, and reliable. They called it STAR-Vote.
The team that Wallach put together was like a fantasy sports roster of election security luminaries. Benaloh, still at Microsoft, would be the lead cryptographer. A host of interdisciplinary players would join him. One was Philip Stark, a statistician from UC Berkeley who had invented a ballot auditing system, called risk-limiting audits. There were professors specializing in human factors, the psychology of how voters interacted with machines—the types who could have predicted the hanging-chads fiasco from a mile away. Then there was DeBeauvoir and her team of clerks, who could guide the group through the vagaries of election administration.
But it was when MIT's Rivest came on board that everyone understood the group had reached an ethereal level. When word of STAR-Vote reached an expert in homomorphic cryptography living in Brussels, Belgium, he was so excited that he copped for a plane ticket and, as Wallach tells it, “flew his ass to Austin.”
The team assembled for its first meeting in Austin during the spring of 2012. They gathered in the county courthouse, a solemn art deco building on Guadalupe Street, and piled into a conference room. Things got off to a slow start. A chill still lingered between Wallach and DeBeauvoir. “We needed to break the ice. He'd been ugly to me,” she recalls. But when Benaloh began scrawling diagrams on the whiteboard, they were off. The marathon weekend lasted four days, with little sleep and raucous debate, punctuated by beer-infused dinners at barbecue joints around town. “By the end of the weekend,” says Wallach, “we had a design.”
That design looked a lot like a typical voting machine. It included a screen interface from which voters could print a ballot for review. The software came with Stark's automatic audits baked in. There was a paper trail. And the code would be entirely open source.
The defining riddle, however, was how to convince voters to trust the encryption at all. It would be utterly alien to watch a candidate's name snap into a series of numbers and letters—the hash code that would appear onscreen, and later on their printed receipt. Would voters believe it was their candidate underneath that ciphertext? Benaloh's answer to the problem was a “challenge” system. Once the voter had finished at the machine and printed out their encrypted paper ballot, they could either cast it in the ballot box to be counted or they could “challenge” it by taking it to a poll worker who would mark it as “spoiled.” Then the citizen would vote again. After the election they could then look up their decrypted, spoiled ballot to see whether the machine had really recorded a vote for the right person.
Propagated across precincts on the scale of a national election, the cumulative challenges would add up: If 10,000 people out of 100 million spoiled their votes, the odds that an evil machine could swap your vote without being detected were 0.01 percent.
STAR-Vote also took the idea of verification further. Benaloh wanted to give voters the opportunity to help prove that the outcome of an entire election was correct. Since all the code was open source, a cryptographic verification program could be written by anyone. True, the odds that the average Joe would learn the requisite Chaum-Pedersen protocols were slim. But the odds were better that well-financed groups—like the League of Women Voters or the Republican National Committee—could build their own in-house verifiers. They might be apps or web programs, which could be distributed among the groups' members. Voters could run the program and see for themselves that the tally was accurate.
The innovation struck its designers as well suited to the divisive currents of American politics. “What it allows you to do is choose who you're going to trust,” says Benaloh. But no matter who you choose, everyone's verifying the same math.
THAT SUMMER, THE STAR-Vote team published their design in a journal. Their ambitions were steep: to develop the country's first publicly owned, open source voting system. Once it was developed, they would make the system available to other local governments—freeing thousands of clerks from the shackles of weak security and the retrograde manufacturers that enforced it.
For DeBeauvoir, this was no theoretical exercise: Her mission now was to build a machine that would pass certification under Texas law, and do it before her Hart eSlate machines were due to be decommissioned. She was gambling her constituents' future on an idea that no one had attempted before. What's more, she told voters that Travis County could build STAR-Vote for cheaper than the machines the manufacturers were trying to sell. “Little old me is going to take on the national manufacturing sector!” she recalls. “It wasn't so much chutzpah as it was—genuinely—we thought we could do it.”
But that would require getting STAR-Vote built. To keep the technology publicly owned, DeBeauvoir's office looked for a partner outside the private market. Immediately, she ran into problems. First she pursued a West Coast nonprofit. Then she tried the state government, pitching the idea to a publicly funded tech incubator. But in an email, she was informed that Texas counties shouldn't be investing taxpayer dollars in an open source design simply to “put the product out for the world to copy and use.”
By the end of 2014, DeBeauvoir still had no takers. Throughout the next year, she chased down a medley of financial suitors: the Ford Foundation, the Pew Charitable Trusts. She badgered Lloyd Doggett, Austin's US representative, to see whether Congress might chip in. She explored social impact bonds. She flew some officials in from Los Angeles who were also thinking about designing their own open source voting system, and proposed that they double up. They declined. She couldn't get other clerks interested either. Once, she and Wallach drove to a Texas Association of Counties conference to press their case. “Quite frankly,” she says, “they were a little intimidated by the level of math.”
As the 2016 election loomed, DeBeauvoir was becoming desperate. The STAR-Vote team continued to fly into Austin for strategy sessions, tweaking the design and searching for solutions. DeBeauvoir relied on Ben, her polymath husband, as a sounding board and a source of antic brainstorms. She also confided regularly in Wallach. In one email, she agonized that time was running out. “I'm frustrated with how long this process is taking,” she wrote. What if the county's eSlate machines started to break down? “No funding and no available replacement voting system would be a terrible predicament.” Later, she fretted that she might be the source of the trouble. “It will be obvious that I am such a newbie at this,” she wrote. “I don't want my inexperience to hurt STAR-Vote.”
Finally, it became clear there wouldn't be money for a publicly owned system. The STAR-Vote team decided to solicit bids from the private vendor market. DeBeauvoir was reluctant to cast the project's fortunes with the companies whose security weaknesses and lack of transparency had put her in this predicament to start with. But during 2016, just as Russian hackers had begun poking around DNC servers and state election websites, DeBeauvoir began work on a request-for-proposal announcement.
When the document finally went out to potential bidders, it was unlike anything that had come through the fax machine in the elections market. It spelled out the math for a random number generator and the specs for a 16- to 20-digit originating hash code. DeBeauvoir was optimistic. “It took us three years,” she emailed one colleague. “I anticipate getting a variety of responses to build it. At least I hope to.”
All that hope, however, was misplaced. In the winter of 2016, 12 dismal responses came back. One company, ES&S, flatly declined to build the machine and politely steered DeBeauvoir to its standard brochure of offerings. Another proposal, obtained by WIRED, came from Hart, the company that had previously sold DeBeauvoir the eSlate; the company simply offered up its existing model with a few perfunctory modifications, and with palpable uneasiness toward its open source requirements. Wallach called the proposal a “check-the-boxes” exercise. DeBeauvoir had hoped to cobble together a system from a hodgepodge of proposals. But, she says, “there wasn't amongst all of them a single proposal that could build it.”
Or perhaps it was more accurate to say they wouldn't build it. As a report published by the Wharton School of Business would reveal that same year, the election technology business was a heavily consolidated industry—a cartel, essentially, of just three vendors, all owned by private equity firms—that was starved for profit and all but incapable of innovation. Subsequent research suggested that the companies earned their most stable revenue through a maze of fees: maintenance, upkeep, software licenses. Their core business model seemed to involve locking clients into relationships of “ongoing annual payments.” Small wonder, then, that the firms hadn't leapt to DeBeauvoir's idea of building a machine with open source code that aimed to liberate local governments with cheap, self-sustaining technology.
Now things had turned dire for DeBeauvoir. “I could hear the voices of the critics,” she says. “You're just a fool!” In a last effort, she threw a Hail Mary: She formed her own company to house STAR-Vote as a nonprofit LLC. It was a measure of pure devotion, and also a reflection of the absurd dimensions her dilemma had taken. “What I didn't realize was, basically, I was becoming a startup,” DeBeauvoir says. “I was setting up a whole company, a whole product line, a whole dual budget and development system.”
By that time, however, Travis County's eSlate DREs—the machines Austin had been using since 2001—were about to hit their expiration date. Finally, in October 2017, she relented. “I had nothin',” she says. She contacted one of the big vendors and began negotiating for a new fleet of machines. They would last until 2030. STAR-Vote was effectively a dead letter.
DeBeauvoir had been trying to build STAR-Vote for six years. “We worked so hard, for so long. And then it was just—” She pauses. “I just couldn't push it anymore.” DeBeauvoir laughs. “Even stubborn wasn't going to work.”
During the middle of her negotiations for a new contract on voting machines, DeBeauvoir received a horrifying call. Her husband had suffered a massive heart attack. DeBeauvoir rushed out of the county courthouse. But by the time she reached the hospital, he had died.
Not long after her husband, DeBeauvoir lost her mother too. “It was the worst year of my life,” she says. Ashen with grief, she experienced a sensation she had long forgotten: despair. “All I had ever done was fight back. And I couldn't reach up and grab this one by the throat,” she says. For the first time since she was a little girl, she felt unable to cope.
Ben's death detonated like a bomb in DeBeauvoir's life. But when she searched her feelings, she was startled by how much grief also came from the death of what she saw as her life's work. “Ben, mother, and STAR-Vote,” she says. “That losing STAR-Vote would be up there so high—that surprised me.”
“Now I tell myself the truth,” she says. “Maybe it was always doomed.”
IN THE WINTER of 2017, shortly after STAR-Vote was declared a loss, Josh Benaloh was sitting in his office at Microsoft when he received an email from unusually high up in the chain of command. A team from the company's Legal and Policy Division wanted Benaloh's advice on a sensitive idea, which hadn't been made public yet.
Benaloh worked at Microsoft Research, the corporate Goliath's private Darpa. There he could quietly tend the flame of his interest in elections, but mostly he worked on other problems. Every once in a while, he'd pitch his superiors on cryptography and voting, but got little interest. Eventually, he understood why. “There's no way that it makes sense for Microsoft to make a business out of elections,” Benaloh explains. “Elections are a tiny business. Microsoft is a mass-market software company.” Nor had Benaloh's pathfinding work on STAR-Vote attracted anything more than a cursory thumbs-up as one of a million interesting things going on in a place like Microsoft.
Then, all at once, something happened that completely reoriented Microsoft's stance. “What happened,” Benaloh says, “was 2016.”
As the scope and fallout of Russia's meddling in the presidential election became clear, Microsoft had quietly initiated an elaborate fact-finding process, searching for anything it could do in elections that wouldn't clash with the company's business imperatives. And now the brass wanted to know: Could Benaloh replicate what he'd attempted in Austin, this time for Microsoft? Benaloh's feet were practically out the door before he could say yes.
In 2019, Microsoft launched its project under the name ElectionGuard. Once again, the technology would rely on Benaloh's dissertation about homomorphic cryptography. Voters could still challenge their ballot and walk away from the voting booth with a hash code. But in key ways, ElectionGuard was different from STAR-Vote, especially in how it proposed to solve the problem of private industry. ElectionGuard would be built as a software development kit—a highly sophisticated plug-in, essentially, that would augment existing machines. The plan was to laboriously tailor ElectionGuard to several kinds of election technology, and then give it away to the big vendors for free. Microsoft wasn't becoming a rival so much as it was housing the massive R&D division that voting companies couldn't.
For ElectionGuard, yet another dream team has assembled. Benaloh is leading the cryptography, while Wallach is designing a risk-limiting audit system that would use Benaloh's encryption. The secure systems firm Galois, STAR-Vote's only bidder for its cryptography software, won a contract to assist ElectionGuard. And Microsoft has partnered with a nonprofit called VotingWorks—run by Ben Adida, the other student of Rivest's at MIT—to build the hardware on which ElectionGuard would be demonstrated.
Earlier this year, Microsoft went searching for a real-life election where they could introduce ElectionGuard as a pilot. They settled on the town of Fulton, Wisconsin, population 3,000, about an hour's drive west of Milwaukee. In February, the town would be voting in a tiny primary: a state Supreme Court seat and the local school board. For weeks leading up to the election, a squadron of Microsoft programmers parachuted into Wisconsin farmland, running test votes on dummy ballots with the names of Fulton's favorite sons. (Willem Dafoe was one.) The people of Fulton were only too happy to be guinea pigs. Lisa Tollefson, the county clerk there, has a degree in industrial technology; she was fascinated, not intimidated, by ElectionGuard's math. “You can actually add while it's still encrypted, which is a-mazing,” she beamed.
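What "adding while it's still encrypted" and an independent verifier's Chaum-Pedersen check look like in code, as an added sketch that is not ElectionGuard's or STAR-Vote's own code. It assumes a single trustee, exponential ElGamal, a hash-derived challenge, and a toy group far too small for real use; the proofs that each ballot encrypts only 0 or 1 are left out.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: p = 2q + 1 with q prime,
# and g = 4 generates the subgroup of order q. Real systems use ~4096-bit p.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # trustee's secret key
    return x, pow(G, x, P)                    # (secret x, public h = g^x)

def encrypt(h, vote):
    """Exponential ElGamal: the vote (0 or 1) sits in the exponent."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(h, r, P) % P

def add_encrypted(ballots):
    """Multiply ciphertexts component-wise; the hidden votes add up."""
    a, b = 1, 1
    for ca, cb in ballots:
        a, b = a * ca % P, b * cb % P
    return a, b

def challenge(*vals):
    """Hash the public transcript into a challenge in [0, q)."""
    data = ",".join(map(str, vals)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def decrypt_with_proof(x, h, agg):
    """Return the tally and a Chaum-Pedersen proof that log_g(h) == log_a(m)."""
    a, b = agg
    m = pow(a, x, P)                           # decryption share a^x
    gt = b * pow(m, -1, P) % P                 # equals g^tally
    tally = next(t for t in range(Q) if pow(G, t, P) == gt)
    w = secrets.randbelow(Q)                   # one-time proof nonce
    u, v = pow(G, w, P), pow(a, w, P)          # commitments
    c = challenge(h, a, b, m, u, v)
    return tally, (m, u, v, (w + c * x) % Q)

def verify(h, ballots, tally, proof):
    """What any independent verifier recomputes, from public data only."""
    a, b = add_encrypted(ballots)              # redo the encrypted sum
    m, u, v, s = proof
    c = challenge(h, a, b, m, u, v)
    return (pow(G, s, P) == u * pow(h, c, P) % P and   # same x as in h
            pow(a, s, P) == v * pow(m, c, P) % P and   # ... was used for m
            b == pow(G, tally, P) * m % P)             # tally matches
```

The verifier never sees the secret key or any individual vote; it needs only the published ballots, the announced tally, and the proof.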
Not everyone is so thrilled about ElectionGuard. The election vendors have varied in their degree of openness toward Microsoft's complimentary toy. In part, that may be because they know that what's free for them is also free for us—and for the next Dana DeBeauvoir who might come along to build a better voting machine. Indeed, VotingWorks, the nonprofit that built the Fulton demo, has its own ambitions to disrupt the voting industry. The vendors also say that, if they sign on, ElectionGuard will still need to run through a gauntlet of regulatory certifications—an expensive proposition. Innovation is simply harder under a mountain of regulation. “Like Silicon Valley, we'd like to ‘move fast and break things,’ but we do not have that luxury,” said a spokesperson for the vendor Hart. (Microsoft says it is optimistic that all three vendors will eventually jump aboard.)
Remarkably, some other skeptics can be found on the teams that designed STAR-Vote and ElectionGuard itself. Philip Stark told me he wishes he'd pushed for a radically different design on DeBeauvoir's project. Sure, Benaloh's system allowed for easy detection of fraud; but what would happen when you did detect fraud? You could rerun the election or conduct a massive audit, unleashing chaos in either case. The perfect knowledge afforded to voters by ElectionGuard might draw an even bigger target on elections, Stark speculated, especially for hackers who simply wanted to cause confusion and undermine trust. Another conscientious objector was Adida, the guy who was literally building the hardware for Microsoft's demo in Fulton. With some heartache, he had concluded the field was moving too fast for its own good. What voters really needed was an affordable machine that worked. Would they even show up to vote on a system they couldn't really understand?
At 8 am on an arctic-cold morning, voters in Fulton began shuffling into their squat town hall. Benaloh was on hand, along with several others from Microsoft. Wallach beamed in over Zoom. One by one, voters stooped over the machine, printing two sheets—a ballot and a hash code—before they fed their vote into the tabulator and left with a strange new receipt in their hand. In all, 398 came and went. Fulton would keep track of the paper ballots, then match them against ElectionGuard's encrypted tally.
When the polls closed at 8 pm, Benaloh and his programmers hunched around a computer, running the Chaum-Pedersen protocols and poring through the data. By 9, they had a verdict: The paper ballots and the program were in perfect unison. ElectionGuard tallied the vote flawlessly. “It was 398 votes. I sweated bullets over those 398 votes,” one of the programmers, R. C. Carter, told me. Convinced he had just seen the future of American voting, Carter—who has worked in tech for years—describes the night he spent shivering in Wisconsin as “one of the peaks of my career.”
Among the team, everyone knew whose shoulders they stood on. “The Fulton demonstration was the modern interpretation of STAR-Vote,” Wallach says. Benaloh saw things the same way. “STAR-Vote was not a failure,” he says, and DeBeauvoir's efforts hadn't been wasted. “She deserves tremendous credit for this.”
No one will be voting with ElectionGuard in November 2020. “This is long-term for us,” says Benaloh. “If we get a significant use in 2022, 2024, and beyond—we're happy.” But this election makes it particularly easy to see the appeal of a voting system built for verification and trust.
Of course, a complicated new homomorphically cryptographic reinvention of the franchise is not going to assuage this crisis of trust overnight. One person who knows all too well that trust is more than an encryption protocol is DeBeauvoir—who has spent the summer and fall managing an election for which she knows no precedent. “It's not a good situation in Texas right now,” she sighs. “They are fighting tooth and nail down to the last sick voter, trying to prevent people from voting by mail.” Requests for mail ballots have skyrocketed, and DeBeauvoir has been busy concocting ways to outmaneuver the obstacles to those votes. “It's really going to hurt voters if I don't do something,” she says. But just as quickly, her ardor returns: “I'm working on it.”
As for STAR-Vote, DeBeauvoir seems content simply to know that her efforts were of use. “It's not my baby anymore,” she says, laughing. But she's revised her sense that the project was always doomed. “We were a little ahead of our time,” she says slyly. “That was the only mistake we made.”
Benjamin Wofford (@BenWoffordDC) is a staff writer at Washingtonian magazine.
This article appears in the October issue of WIRED.