Your independent source for Harvard news since 1898

Right Now | Election by Encryption

Secret Ballots, Verifiable Votes

May-June 2010

Ben Adida

The typical voter experience, as Ben Adida sees it, involves too much trust. “There is a disconnect the moment you drop off your ballot,” says the fellow of Harvard’s Center for Research on Computation and Society and faculty researcher at Harvard Medical School. After a ballot is cast, voters can only wait for the results to appear on their smart phones, or on the evening news. Whether their own votes have been counted is never known, because they have entrusted a series of poll workers with their ballots. But “In voting, you cannot trust any other party,” says Adida. “And you have to be able to be confident that everyone’s voice has been heard.”

His solution is an online voting system called Helios that allows voters to track their ballots and opens the results for public auditing. Adida, a self-described “tech and policy geek,” began building voting systems in 1997 as part of an undergraduate research project, well before “hanging chads” entered the American lexicon. He has been working on Helios—named for the ancient Greek sun god as a nod to the system’s intended transparency—for nearly two years, and is on his third version of the open-source system, which will be made available to the public this summer.

A typical vote via Helios requires filling out an online ballot and then clicking a button that encrypts the vote, masking its content. Voters then receive individual tracking numbers—‘fingerprints’ of their votes; finally, they submit their votes by verifying their identities. In most cases, this is done by logging into an external platform that is appropriate for the election: voting for a Facebook group president, for instance, might require a Facebook login; electing Harvard’s student body president, a University PIN system login. To double-check that their ballots have been counted, voters can then go to the election’s ballot-tracking website, which allows them to match their specific tracking number to their name. 

There is another layer of confirmation: a crowd-sourced verification measure called open auditing that allows anyone access to the election data. “We’re not expecting every voter to be able to handle the auditing—you’ll need someone who knows some college-level math to do it,” says Adida, who admits that this is one of the chief criticisms of any such system. “But you expect every candidate, at least, to have access to one person whom they trust who is able to do the math.”
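The tracking-number check and the open audit described above can be sketched in a few lines of Python. This is an added illustration, not Helios code: the article does not specify the cryptography, so the sketch assumes exponential ElGamal ballots, a SHA-256 hash of the ciphertext as the tracking number, and a Chaum-Pedersen proof of correct decryption; the group parameters, function names and bulletin-board layout are hypothetical.

```python
import base64, hashlib, secrets
# Toy group (assumption): safe prime P = 2Q + 1, G has order Q. Far too small for real use.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                      # (secret key, public key)

def encrypt(pk, vote):
    # Exponential ElGamal: the 0/1 vote sits in the exponent, so ciphertexts add up.
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(pk, r, P) % P

def fingerprint(ct):
    # Tracking number: a hash of the encrypted ballot, which reveals nothing about the vote.
    return base64.b64encode(hashlib.sha256(f"{ct[0]},{ct[1]}".encode()).digest()).decode()

def cast(board, voter, ct):
    board.append({"voter": voter, "ct": ct, "fp": fingerprint(ct)})
    return board[-1]["fp"]
def voter_check(board, voter, fp):
    # What a voter does on the ballot-tracking page: match name to tracking number.
    return any(e["voter"] == voter and e["fp"] == fp for e in board)

def combine(board):
    a = b = 1
    for e in board:                             # multiplying ciphertexts adds the votes
        a, b = a * e["ct"][0] % P, b * e["ct"][1] % P
    return a, b

def challenge(*vals):
    return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest(), "big") % Q

def tally(sk, pk, board):
    # Trustee: decrypt only the combined ciphertext and prove the decryption is honest.
    a, b = combine(board)
    d = pow(a, sk, P)                           # decryption factor a^sk
    t = next(t for t in range(len(board) + 1) if pow(G, t, P) * d % P == b)
    w = secrets.randbelow(Q)
    c = challenge(pk, a, d, pow(G, w, P), pow(a, w, P))
    return t, d, (c, (w + c * sk) % Q)          # Chaum-Pedersen proof (Fiat-Shamir)

def audit(pk, board, t, d, proof):
    # Anyone, without the secret key: recheck fingerprints, recombine, verify proof and tally.
    fps_ok = all(e["fp"] == fingerprint(e["ct"]) for e in board)
    a, b = combine(board)
    c, s = proof
    A = pow(G, s, P) * pow(pk, Q - c, P) % P    # g^s * pk^-c
    B = pow(a, s, P) * pow(d, Q - c, P) % P     # a^s * d^-c
    return fps_ok and c == challenge(pk, a, d, A, B) and b == pow(G, t, P) * d % P
```

The sketch leaves out the per-ballot proof that each ciphertext really encrypts 0 or 1, which a deployed open-audit system also needs before the combined tally can be trusted.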

Adida notes that Helios in its current form is not ready to handle elections for public office, even at the local level. “A government election is something that you don’t want to do over the Internet,” he says, citing both the potential for computer viruses to corrupt the voting and the possibility of voter intimidation. “I don’t have an expectation that Helios ever becomes the system for government elections,” he explains, “but I hope it paves the way for the open-audit system to become the standard in 10 to 15 years.”



For now, he is happy to demonstrate Helios where the stakes are a bit lower. The campus-wide election of a president for Belgium’s Université Catholique de Louvain last March offered a perfect opportunity. Because of pre-existing tensions, a significant number of blank ballots were cast as protest votes, and neither of the two candidates won the majority needed to claim the presidency, though one fell short by just two votes. “We’re pretty sure that in any other voting system, [the electorate] could have said, ‘Oh, you didn’t count right’ or ‘You lost a couple ballots,’” he says. But when third parties—including one affiliated with the candidate who fell just short—verified the election, there was little room for dispute. “Nobody argued and nobody complained,” Adida reports. The high level of precision in the system forced the university to run another round of voting.

Helios played a similarly useful role in Princeton’s student-government elections last fall. On the second day of voting, a second official e-mail went out reminding all students to participate. When one of the candidates for president, a sophomore, realized that very few of his friends had received that message, Adida began to graph the voting patterns by class year. He saw a large spike among all classes after the first e-mail reminder, but a much smaller spike, comparatively, for the sophomores after the second. An internal investigation found that the administration’s e-mail database had been corrupted, resulting in reminders being sent to only 15 percent of the sophomore class. “We were able—in the middle of an election—to determine that something had gone wrong in notification, and that it was indeed unfair to one of the candidates,” Adida says now. After a quick rebuilding of the e-mail database and another notification, the sophomore candidate won by 41 votes.

Besides offering greater precision, Helios is about getting people comfortable with a new way of voting, says Adida. “My long-term goal is to introduce a different process of voting, where people are used to having a tracking number for their vote and checking it online,” he notes. “Until people see the power of that in their elections for, say, the board of the condo association and at their place of worship, they’re not going to be clamoring for it.” 

Adida sees his work as enhancing individual citizens’ control—a goal equally important in his medical-school research: he is the lead architect for Indivo, a personally controlled health record (PCHR) that offers users digital, Web-based management of their medical data. “Do you control your medical data or are you hoping that the medical community does the right thing? Do you control the results of an election or, again, are you giving up that control and trusting someone else to do the right thing?” he asks. He notes that many people are progressively yielding more and more control of such data to Facebook and Google because of the convenience and connectivity they offer. “But maybe,” he suggests, “for certain applications, we want to tilt the balance back to us getting control over our data and our lives online.”