One important thing about any voting system – digital or not – is that it has to be good at producing agreeable consent. That means bitter, betrayed and hurt (but reasonable/democratic!) losing parties need to be able to say: yeah we accept the result because we are confident in the outcome of the election.
This is something all digital systems are really bad at, even if everything is readable and verifiable, unless all your members know how to read that code.
Edit: and even if they know how to read that code, can they trust the machines are running that code on the big day?
Non-digital systems have claims of fake ballots being inserted all the time. I don't think the answer to people being suspicious of digital systems is to abandon them. It's to either disprove their suspicion or add controls so they become disproven.
Yeah but a ballot cannot potentially change the number of papers within it depending on who is looking and when they are looking. If your stupid mate from the pub questions the results he could literally look inside the box with the paper ballots and see if the votes are significantly wrong. If you let him guard the ballot box for the duration he could even see that nobody swapped the ballots. Try that with a computer.
Paper ballots also having problems isn't an argument for even more complex systems, it is an argument against it.
With analog voting you can at least count people coming and see their ballots when tallying. With digital systems this is typically a black box where you have to trust the government.
Precinct-only elections don't quite have this problem because all the people voting are neighbors, and the poll watchers and ballot counters are all neighbors. Hard to engage in shenanigans when the people watching are your neighbors!
Right: most systems with paper ballots are simple enough that the vast majority of the electorate, including those with lower-than-average IQs (50% of the population), can understand and could participate in if they were inclined.
I have yet to see a digital system that I would trust myself to validate, much less the non-technical majority of the public.
Disagree. It's enough for the average voter to trust that some other people - independent experts - are able to verify the vote. Not everyone needs to be an expert at anything. I wrote more about this trust aspect in the appendix of my thesis on voting: https://attejuvonen.fi/thesis
Yes, but then all that's needed to attack the voting system is to trot out your own experts that voice disagreement. Without the means to assess the system for themselves, voters will lose trust in it. Especially in this day and age, when trust in institutions and experts in general is extremely low. (Heck, this attack already works to some extent with the current, extremely transparent system of ballots)
As a software developer myself, if an "independent expert" comes out and says that some software system is fully verified, I might trust their allegiance, but I probably won't trust their competence.
I wouldn't expect the general population to trust them either.
> It's enough for the average voter to trust that some other people - independent experts - are able to verify the vote.
I don't agree. This is plausible within a cohesive electorate, but it feels like moving the problem. What guarantees that the experts are trusted by the voters? And more importantly, assuming that at some point the system (experts) is trusted, how is the trust in the voting system retained over time? (e.g. in case of disagreement over the results)
I have argued in another thread like GP that because the ultimate purpose of voting systems is to collectively take decisions, and because disagreements are very common when deciding, the system needs to be able to justify itself to retain the electorate's trust. Otherwise it will eventually be replaced by a different voting system (or tyranny).
A proxy for this is of course simplicity. If the voting system is clearly understood by everyone, it is easier to persuade a losing party that the outcome is correct. Conversely, if a voting system needs high expertise to be understood, it is more difficult to bring everyone to agree on the result. So the latter is less robust than the former, especially if the disagreement is over a result that is close to a tie. A self-correcting mechanism is important to keep the voting system in place.
In appendix B of your thesis you raise an interesting point I had not considered.
> As an extreme example, consider the case where a voting system lacks verifiability, is trusted by the public, and is compromised by a foreign superpower: the people have lost their democracy and do not even realize it. Compare that to a hypothetical case where a voting system has perfect verifiability, thus can not be compromised (without triggering a new election etc.), and, for whatever reason, is not trusted by the people.
> Clearly, the outcome where people are suspicious of a perfectly functioning voting system is superior to the outcome where people are blindly trusting a compromised voting system. We hope that this outlandish example is enough to support our argument that verifiability is more important than trust.
The external threat is a very valid point but I do not think that this is sufficient to absolutely conclude that verifiability is more important than trust. If the system is rigged, it may eventually displease the electorate to the point that it will eventually be replaced.
Unless, the rigged system doesn't displease the electorate and is essentially a hidden benevolent dictator, which would be an interesting situation. Only in that case verifiability could unambiguously be more important.
The experts from Belenios do not recommend using remote e-voting for high-stake elections [1]. Some issues they mention are the risks that users sell their credentials or that malware on their computer leaks who they voted for.
As a person who's from a country with, let's say, VERY VERY contested, controversial and eventful elections, the fact that independent poll watchers from different parties and NGOs can independently observe ballot boxes, take photo evidence of countersigned and publicly posted box tallies to send them to their HQs, and then compare and contrast results amongst each other as well as with the official results is a huge boon for transparency and trust in the electoral system.
It's not perfect: more remote and less popular areas go unobserved, and what happens after an official complaint is made is anyone's guess.
But at least almost anyone can add up numbers for themselves and come to a conclusion about what to trust and not trust. And you might think no one would bother, but in my brief experience as a volunteer poll worker they surely do, and zealously so. I can't even begin to imagine what'd happen if the paper ballot was replaced with "trust us, the machine says 37 for party A" or "the magical fingerprint number you don't understand says this ballot was cast for someone else".
It's not enough. It's not enough at all. Experts are easily compromised.
The system by which power is transferred from the people to representatives needs to be literally self-evident. Any system that the "average voter" cannot understand should be literally unconstitutional. Deviating from this puts the results of all elections in doubt. People will question the results, and they will have a point because the system is not actually verifiable and trustworthy to the average person and therefore they have no reason to accept the results. If you're lucky you'll end up with numerous political prisoners at the end of the whole process.
> Disagree. It's enough for the average voter to trust that some other people - independent experts - are able to verify the vote.
It's interesting how attitudes about digital voting seemed to flip overnight once Trump challenged the 2020 election. Beforehand there was a lot of serious concern about the trustworthiness and security of digital voting machines, now I get the impression that's all been muted and it's taboo to do anything except trust the authorities.
I think in your thesis you make some interesting points on how E-Voting systems differ. But I have criticism. Let me paraphrase your points:
1. Paper ballots are in some ways more ambiguous, because there are many ways to scribble a sign into a circle, a fraction of which will not result in the intended outcome
2. Understanding these handwritten symbols is harder than understanding the electronic system, because of that ambiguity
3. People understand the paper ballot system, but there are some statistical checks and security measures that they don't understand or know of, so their knowledge of the paper system is superficial
4. Trust in voting systems does not primarily arise from understandability but from trust in other people. To quote: your grandmum doesn’t have to become an expert cryptographer in order to trust a system like X. She just has to believe that cryptography experts exist and at least one of them would speak out if this transparent voting system was not as secure as the election officials claim
I don't want to question your thesis here, but I teach electronics and programming at a University level and points 1 and 2 are ridiculous and maybe even disingenuous. Sure, I understand that for a certain type of mind a digital/electronic system feels less ambiguous and more clear. But most people are not like that – not even among academics – not even among academics that involve themselves with technology.
Point 3 is a rhetorical trick that – if applied equally to E-Voting – would be a strong argument against it. "Yeah sure people don't understand X completely so let's do Y which is one-thousand magnitudes more complex" is not an argument in favour of Y even if phrased in such a way.
Point 4 is the actual thought we disagree about, but given the unscientific nature of the 3 arguments before I can't simply trust you that you did research here (there are no sources cited that strengthen your point either). So as it is you just stated the opinion, as I stated the opposite. Sure, paper ballot elections are not dead simple, but any living being with basic understanding of object permanence could verify a ballot isn't manipulated by just standing next to it. Meanwhile with computers you have to delegate that trust. And as computers can be reprogrammed, potentially remotely, even your experts can't be sure – especially in elections where powerful nation state actors seek to destroy the public trust in your election. This is a problem – just claiming that it isn't doesn't cut it. And people who claim that it isn't should not be the ones designing such systems.
The important thing to understand about agreeable consent is that a person's willingness to subject themselves to the will of a democratically elected majority is directly linked to their trust in the process. Your voting system has to produce that trust even if voters don't want to trust the process. The surest way to do that is to get a part of them involved in the process – ideally not always the same people. If then a single poll watcher claims a thing and 400 others that have been present plus three trusted NGOs can claim otherwise, the election is not in question. Someone will have to convince me this works for E-Voting with a bit more than rhetorical tricks.
Note that I am not against E-Voting per se. I just don't think the highest stake elections which have the potential to shift political powers should be electronic/computerized.
Agreed. One of the most common objections against democracy is that popular vote does not select for competence and therefore our politicians are not acting in the best interests of the population.
That isn't actually what voting is meant to do. The purpose of democracy is to kick out the old guy and stop the concentration of power by rotating the people in power frequently. The problem is that when you get rid of the old guy, you also need people to agree and consent that the new guy is indeed the new guy.
No, that's wrong. Democracy is a process involving the entire population of a country. A vote must be a process carried out by individual citizens to be trustworthy; if we delegate that to machines maintained by the government—because nobody else would be able to do so both trustable and professional—we'd create an incentive for the government to manipulate the system to stay in power.
If, in turn, elections are organised as distributed, local, and highly public countings, that get aggregated up to the final tally, citizens stay in control of their votes. Poll workers in a county may not count the votes of another county themselves, but they know there will be other volunteers all over the country doing so. It is extremely hard to manipulate a large-scale movement of politically inclined volunteers, and they can rely on that.
We cannot hand control over the vote to the government we possibly want to vote out. By reducing the massively distributed trust to a handful of computer wizards, we remove transparency from voting, turning it into a sham event that can be orchestrated by those in power to their liking.
One question: How would a machine have to look that you use in a high stakes process, that someone else (potentially your adversary) purchases and sets up, and that you and the majority of the electorate can trust?
Elections with paper ballots are somewhat straightforward in that regard. Any party member that doesn't trust the process can literally apply to check part of it and be able to see for themselves that there is nothing fishy going on in the part they checked. And they can do that with nearly no prior expertise. If they don't get to check it for themselves they can trust that enough people like them are involved in the process that someone would collect evidence of wrongdoing if it happened. And these people are normal people and many, so bribing them doesn't make sense. Adversaries that want to make that election untrustworthy would have to insert so many people at so many steps and at such number, an attack against it quickly becomes impractical.
Not with a computer system. I am not even sure if I would trust a system that I myself set up and software that I myself had written if used in a high stakes election. But the few experts that are able to verify the process and have the computer knowledge to do so without naive optimism now are high stakes targets, and each party now needs to have one at each polling station at some point after which the machines (air gapped?) need to be completely isolated unless you want that verification to become meaningless. The voter now needs to trust the expert, and for a hint about how well that works I want to point you to the Covid pandemic.
So digital voting is a non-trivial problem to solve, especially for high stakes, anonymous, but transparent elections. And we computer people can't just hand-wave the doubts away, you need to address each attack vector a major nation state attacker could/would exploit. And even if we did that the result would be a system that nobody without special education could understand.
Sure, paper ballots are slow and the process lengthy and labour intensive. But the results are surprisingly stable and trustworthy even in many places where one would expect corruption and manipulation.
Yea I guess the problem is with a party that is intent on disregarding truth or facts or verifiability or reality is not going to prevail against attacks against the system (unless it is rigged in their favor). What does code matter to them.
The point I am trying to make here is that the creation of that agreeable consent ("I didn't like the result, but I am going to accept it") is easier when the process is tangible and people know that they can understand manipulation, tampering, tracking without an academic degree in computer science and decades of experience in the field.
However no voting system is perfect and 100% consent is next to impossible to achieve. But for major, high stakes elections we have to take any tiny sliver of trust we can take, even if it is at the expense of getting results fast or cheap.
As a young nerd I would've said: "How hard can it be", as an older nerd I understand that the computer part is the easy part, getting people to be able to trust and follow the process is the hard part.
Huh? Yeah, all. I teach electronics at the University level and I know:
1. How hard it is for already highly educated people to understand electronics and programming
2. What kind of complexity is needed on how many technological layers to just even have it work reliably and how much more complexity is needed to have it formally verifiable and tamper-proof
3. How many attack vectors exist in such systems — many of which mean a single motivated and skilled attacker could exploit on grand scale
All of that necessarily leads to a process that is less transparent than a paper ballot, because there are more moving parts. Your bloke from the pub will be able to understand how to check the integrity of a paper ballot. But of an E-voting system?
In my eyes it is a feature if within a democracy if all participants in that democracy can understand the whole election process.
Personally I love the idea of a fully verifiable election. I do think the current election protocol my county uses is pretty good: you present ID in one room, they check your eligibility, then you're given an anonymous ticket, in another room you vote using said ticket, and get a receipt. You can see your vote counted online using said receipt.
There are two problems with this: 1. You can't verify whether extra or ineligible voters voted. 2. It relies on trusting whoever tells you your vote was counted.
I am very interested in reading about this protocol, and it might make a fun hobby to re-implement it as a research project.
The one issue I have is: the act of physically showing up is an important one. Mass stuffing of ballot boxes is nearly impossible when physical presence is required. It also puts ‘your ass in the game’, meaning you really care so to speak; as you have to do a minor piece of physical labor in order to get your vote counted.
If this protocol could be adapted to the physical world, I think it would be perfect barring any other issues.
For in-person voting use "fill in the oval" ballots that can be hand counted or counted by offline optical card scanners, and augment that with Scantegrity II [1].
Scantegrity II is a system that adds end-to-end voter verifiability [2] to such systems by combining some clever chemistry with some clever cryptography. It requires no hardware modifications at the voting site except that special markers have to be used to mark the ballots.
Briefly, a code is printed inside each oval using a special ink that is invisible, which turns visible when that oval is marked by a special marker.
After the election all the ballots can be published, allowing any third party to independently verify the counts.
Voters that wish to verify that their ballot was included in the count and counted correctly can note the code from the oval and afterwards use it to verify the count. The code cannot be used to prove to a third party, such as a vote buyer or vote coercer, that the person voted the "right" way. Here's a proof of that [3].
> The code cannot be used to prove to a third party, such as a vote buyer or vote coercer, that the person voted the "right" way.
What if the vote buyer is with the government and can actually inspect the ballots after voting? Knowing the code is a proof that you saw a specific ballot.
Please forget about showing up physically, it's noble to think of "you really care" but in places with organized crime they have ways to count if those that depend on them come and vote for their "right" choice.
It has been estimated that around 20-30% of IRL votes in Italy follow the organized crimes choice.
Please forget about showing up physically because conflating *caring* with your ability to do things physically is ableist as fuck, and not all disabilities are visible and/or certifiable.
Please forget about showing up physically because setting up a polling station in a place where there's effectively no public transportation cuts off poor people from voting.
Please forget about showing up physically because mail voting works fine, paper ballots are already anonymous and verifiable, and we don't need to argue about why showing up in person is better for the umpteenth time (or that adding extra friction is not a good thing).
Please forget about showing up physically because that "you really care" nonsense is in the same vein as literacy testing, and democracy isn't about excluding voters who don't care enough.
This line of thought is, frankly, disgusting, and I'm ashamed that this is tolerated here.
Why could they not verify against extra or ineligible voters?
If each ticket is tied to a national ID, then you can verify all tickets, right?
To ensure the secrecy of the vote, the votes should not be linked to the tickets. Each voter must verify that his vote has been counted. But once a vote has been counted, using blockchain can ensure that it cannot be undone or changed.
I agree, but we need far more than just some online encryption.
1. We need a sort of blockchain system to make sure nobody can change votes later.
2. Every citizen can deposit their vote with their own key tied to their id number that nobody else has. Everyone should be able to look up their own vote via their key.
3. We need more proof of work, require every booth to record a video of the voter and have a unique physical marker so that the video can't be reused and require voters to write something specific to that location during their video.
4. Proof of location? Require voters to transmit their GPS at all times during the entire election day. Then at least group voting (beyond faking your own family members' votes perhaps) should be impossible and multi voting should also be impossible.
5. Make sure that the counting of ballots is instantaneous so that the cheaters have less room to cheat.
6. Proof of time? Surely we should be able to simply use time to our advantage, given that somebody who wants to cheat on a mass scale inherently has less time than the individual voters?
Maybe all of it together, we have so much data about citizens in most countries. It should be absurdly easy to have a citizen be forced via GPS to vote from his area or even his building where he is registered to live before he starts going to his local voting booth. This would give us a lot of confidence that this is really a separate, real person and also the person in question.
We need to use what we have to our advantage. People may be able to fake a lot of things but all of them? I rather trust a complex system like this than literal pieces of paper where any person with a bad mind can just choose to read it differently or stuff a few extra pieces of paper somewhere.
Personally I think the biggest flaw in any online voting system is that a network-connected computing device cannot be trusted by any party. Email inbox can not be trusted or verified. Such a simplistic online voting would never stand a chance against malicious actors who are somewhat more sophisticated and creative.
The future of paper voting can be something like a quick fingertip-actuated DNA sequencer which will imprint your DNA hash right into the paper ballot, but it will never be an effective system on top of the current network architecture. You have to show up personally to vote. Like can you imagine voting with SMS or something? This is complete nonsense.
However I think this tool would work pretty good on a smaller community scale.
In practice, I think that there are a number of fairly high quality voting systems available. A key part of that is maintaining a secret ballot.
1. Widespread voting in person at a number of distributed sites, with paper ballots and either hand counting or machine counting with risk limiting audits. This is pretty technologically trivial to implement, but requires manpower.
2. Widespread postal voting as it's done in places like Oregon, where there's a non-serialised ballot inside a serialised envelope. All voters are sent an envelope and ballot via postal mail, and the return can be done at either a drop box or through the postal system. On election day, all valid envelopes are opened and emptied under the watchful eyes of observers from each party. They are then counted by hand or with machines and risk limiting audits.
What should not exist are voting machines. There should always be a paper ballot in the process somewhere that is human readable.
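The "risk limiting audit" named in both options above is a sequential statistical test, not a recount. As an added illustration (not code from any election office or from this thread), here is the ballot-polling variant: ballots are drawn at random and a likelihood ratio is updated until either the reported outcome is confirmed at the chosen risk limit or the sample is exhausted. The ballot labels and the 0.6 reported share are constructed sample values.

```python
import random

def bravo_audit(sample, reported_share, alpha=0.05):
    """Ballot-polling risk-limiting audit (Wald sequential test).

    sample         : iterable of "winner", "loser" or "other" for each ballot drawn
    reported_share : winner's reported share among winner+loser ballots (> 0.5)
    alpha          : risk limit, i.e. max chance of confirming a wrong outcome

    Returns (confirmed, likelihood_ratio, ballots_examined). The null
    hypothesis is a tie (share 0.5); each winner ballot multiplies the ratio
    by reported_share/0.5, each loser ballot by (1-reported_share)/0.5, and the
    outcome is confirmed once the ratio reaches 1/alpha.
    """
    if not 0.5 < reported_share < 1.0:
        raise ValueError("reported winner share must be strictly between 0.5 and 1")
    if not 0.0 < alpha < 1.0:
        raise ValueError("alpha must be strictly between 0 and 1")
    threshold = 1.0 / alpha
    ratio = 1.0
    examined = 0
    for ballot in sample:
        examined += 1
        if ballot == "winner":
            ratio *= reported_share / 0.5
        elif ballot == "loser":
            ratio *= (1.0 - reported_share) / 0.5
        # ballots for other candidates or blanks carry no evidence either way
        if ratio >= threshold:
            return True, ratio, examined
    # ran out of sample: the audit must escalate (larger sample or full hand count)
    return False, ratio, examined

def draw_sample(ballot_pool, n, seed):
    """Draw n ballots with replacement from the physical pool.

    A real audit seeds the draw from a public ceremony (e.g. dice rolled in
    front of observers); the integer seed here is a constructed stand-in.
    """
    rng = random.Random(seed)
    return [rng.choice(ballot_pool) for _ in range(n)]

if __name__ == "__main__":
    # Constructed pool: 600 winner, 400 loser ballots, i.e. reported share 0.6.
    pool = ["winner"] * 600 + ["loser"] * 400
    confirmed, ratio, n = bravo_audit(draw_sample(pool, 300, seed=2024), 0.6)
    print(f"confirmed={confirmed} ratio={ratio:.2f} after {n} ballots")
```

With a 60/40 reported result and a 5% risk limit, seventeen consecutive winner ballots already push the ratio past 20; a sample that keeps alternating winner and loser ballots never confirms and forces escalation.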
> The future of paper voting can be something like a quick fingertip-actuated DNA sequencer which will imprint your DNA hash right into the paper ballot,
Why so? It would calculate the hash, and to reverse it back to the original DNA is an irrationally expensive computation. On top of that, the voter simply putting in a random seed phrase for doing another 650000 pbkdf2 iterations would take this task close to the level of impossible – at the same time the ballot itself will remain verifiable by the original voter.
I think there is a niche for electronic voting for low impact decision making. Used as such it could actually make societies more democratic.
Elections that have the potential to shift the power structure of a state are not low impact decisions. Paper ballots being slow and labour intensive is a feature, not a bug for really high stake decisions like who is in charge of a nuclear arsenal for the next years.
The more I know about electronics and programming the worse I think the idea of E-voting is for such occasions.
> Using the web interface, the voter enters her credential and selects her vote. Her computer then computes the ballot, which corresponds to the vote encrypted with the election public key.
Like most (or all?) online protocols, this doesn't protect against vote selling or vote coercion.
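The quoted sentence compresses the core of a homomorphic e-voting scheme: the ballot is the vote encrypted under the election key, and the tally is computed on ciphertexts before a single decryption. As an added example (not Belenios's own code, which uses a large group and adds zero-knowledge proofs that each ballot encrypts 0 or 1), here is exponential ElGamal over a toy 10-bit group: each voter encrypts 0 or 1, the ciphertexts are multiplied, and only the sum is ever decrypted, so no individual vote is revealed to the key holder.

```python
import random

# Toy parameters, constructed for illustration only. p is a safe prime,
# q = (p - 1) / 2, and g = 4 generates the subgroup of prime order q.
P = 1019
Q = 509
G = 4
assert pow(G, Q, P) == 1 and G != 1, "g must generate the order-q subgroup"

def keygen(rng):
    """Election key pair: secret x in [1, q-1], public y = g^x mod p."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def encrypt(y, vote, rng):
    """Exponential ElGamal: vote m in {0, 1} becomes (g^r, g^m * y^r) mod p."""
    if vote not in (0, 1):
        raise ValueError("a ballot must encrypt 0 or 1")
    r = rng.randrange(1, Q)           # fresh randomness hides identical votes
    alpha = pow(G, r, P)
    beta = pow(G, vote, P) * pow(y, r, P) % P
    return alpha, beta

def combine(ciphertexts):
    """Homomorphic addition: the component-wise product encrypts the sum of votes."""
    alpha, beta = 1, 1
    for a, b in ciphertexts:
        alpha = alpha * a % P
        beta = beta * b % P
    return alpha, beta

def decrypt_count(x, ciphertext, max_count):
    """Recover the count m: beta * alpha^(-x) = g^m, then search m in [0, max_count]."""
    alpha, beta = ciphertext
    # alpha lies in the order-q subgroup, so alpha^(q - x) is alpha^(-x)
    g_m = beta * pow(alpha, Q - x, P) % P
    for m in range(max_count + 1):
        if pow(G, m, P) == g_m:
            return m
    raise ValueError("tally out of range: a ballot did not encrypt 0 or 1")

def run_election(votes, seed):
    """Key generation, one encrypted ballot per voter, homomorphic tally, one decryption.

    The seeded generator keeps the example reproducible; a real system draws
    keys and ballot randomness from a cryptographic source such as secrets.
    """
    rng = random.Random(seed)
    x, y = keygen(rng)
    board = [encrypt(y, v, rng) for v in votes]   # what a public bulletin board would hold
    return decrypt_count(x, combine(board), len(votes))

if __name__ == "__main__":
    print("yes votes:", run_election([1, 0, 1, 1, 0, 1], seed=42))
```

Note what this does and does not buy: the tallier never sees a plaintext ballot, but the voter's own computer still sees the vote before encryption, which is exactly the malware and coercion exposure the rest of this thread is arguing about.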
I was going to say. AFAIK, no one has worked out a way that you can verify that your own vote was counted, while preventing you from being able to sell your vote.
There are a number of such systems that do this via revoting or dummy ballots. One of my projects, Votexx, uses vote nullification (or flipping) via a trusted third party chosen by the voter.
The general idea for all of these is if you add uncertainty you reduce what a coercer is willing to pay creating a mutually assured destruction scenario whereby the system being in place ensures nobody ever tries it.
The same could be said of mail in paper ballots too, which have seen widespread adoption in the United States starting in 2020, so I don’t think this should be a knock against this system.
You haven't heard people "knocking" about the widespread adoption of mail in paper ballots? They simply offer no protection against vote coercion which is not a good choice in any election of importance. Pretty sure at least one of the two parties has ending mail-in voting as a long-held position.
At the least, this will often result in heads of household voting for their entire families. At the most, it can result in people voting under the supervision of a local gang/militia member.
If anyone is looking for the right terminology to find papers, it's "no-receipt" voting. The holy grail is no-receipt, yet verifiable voting, but it might be mathematically impossible.
How would you prove that you voted how you said you did?
If you took a picture of your ballot, or even if you filmed yourself putting it in the envelope and putting it in the mailbox, there's nothing stopping you from taking it out later, tearing it up, and going to vote differently in person.
The website says that your vote is last-write-wins. I think the idea is I could sell my vote and vote for A, then later re-vote for B. Since you can't trust that I won't just re-vote it won't be worth paying for.
But if you held a gun to my head and made me vote at 18:59, with polls closing at 19:00, then I guess it would work. Hell, if you held a gun to my head and had me vote a week early and then blew my brains out, that would probably also keep me from voting again.
So it's not complete, but neither is the current system. You could hold a gun to my loved-ones head and tell me to go vote for B in our current system. I could photograph the ballot from the box, cellphones are small these days. Or if I vote by mail I could easily prove to you I voted for B so you would let the hostage free.
So I guess it actually is an improvement over the status quo.
You don't need any guns here. Just call your employees and make them vote on their phone in your presence. Also lie that you have people able to see how they voted. Also give them some money so that they feel like accomplices.
In reality private keys will be mailed in insecure envelopes, issued multiple times (just to be sure) or issued to people, who are not citizens, moved away or died.
The government can issue fake IDs and vote in their name. Especially in countries where there are many migrants who receive citizenship, you can easily issue some extra IDs and nobody notices.
I don't disagree, the identity matching and uniqueness problem is a tough nut to crack.
It's worth keeping in mind though that this is an issue the current system faces. Voters end up duplicated in the rolls under different addresses or old names, or they don't get removed from the rolls after losing eligibility or dying.
Once upon a time I got two voter cards in the mail, one forwarded from an old address. I was eligible in two districts after nothing more extraordinary than moving across town. Had to call in to get removed from the extra district.
I think these are technically interesting systems, but "trust" really is the goal. "Verifiability" doesn't necessarily imply "trust," especially if it's shrouded behind inscrutable crypto mumbo-jumbo. A voting system should be something voters and poll workers (i.e., local volunteers) can understand.
> especially if it's shrouded behind inscrutable crypto mumbo-jumbo
HTTPS is shrouded behind inscrutable crypto, but nearly everyone trusts it with their credit card details.
Voting doesn't have to be any different. The implementation details don't matter, as long as there are easy-to-understand verification concepts such as receiving a "tracking number" for your vote that is then easy to see it was counted. And then journalists and other private election integrity observers who do random sampling from voter rolls and follow up on complaints. (This is not a complete list, just examples.)
And remember, physical voting is actually tremendously complicated as well -- inscrutable optical scanners detecting which bubbles you filled in, and then... what? Who's actually adding the numbers, and where, and how? The point is, the details aren't really important as long as we're vaguely aware that there are election observers and journalists trying to catch any irregularities, and we all know it will be major news whenever they're found.
Ideally you want both. “Trust” is a bit qualitative and includes a lot of factors outside the voting system itself. Just because a voting system is “simple” doesn’t mean people trust it (e.g. Trump voting shenanigans). Obviously just because there are bad actors which can make trust impossible, doesn’t mean you should give up but it is a separate axis to the voting system itself.
On the other hand, “verifiability” is a more useful property on a larger scale. You may trust your local government but do you trust local government in all other districts? What if, with sufficient knowledge you could prove that their voting was right or wrong? I think that also seems like a useful property.
Trust is a social challenge, not a technological one. It is effectively impossible to stuff ballot boxes at scale in the US, but a large number of people still believe the last presidential election was stolen.
You literally have video evidence from 2020 of people driving up with their cars and shoving 100+ ballots into absentee boxes; and you wrote the above with a straight face?
If I had to choose between a broadly trusted voting system which has been secretly compromised by a hostile state actor, or a not-broadly-trusted verifiable voting system, I would choose the verifiable voting system any day.
An image illustrating why this (Belenios) approach is trustworthy could go a long way for many people. Images are a powerful tool for internalizing ideas.
I took a (lazy) crack at generating an image from a (could be 120% incorrect) ChatGPT conversation, FYI:
> vote on policy matters in real time to make things more democratic
Discussion, debates and more generally exchanging opinions with others and pondering the options before committing to a decision are important if not essential for proper functioning of democracy. This necessarily takes time. How would real-time voting make things more democratic? I see no advantage in making the process hasty. If anything, it would trivialize the process, like voting for a game show on television, which would definitely be bad.
We can get to that when we pick the low hanging fruit first.
In Switzerland, they hold votes 4 times per year, in municipal, cantonal and federal referendums.
Talk about any issue you know a lot about to someone who knows nothing about it, and you will quickly understand why more direct democracy is a horrible idea.
Suppose for the sake of the argument we implement such methods that bring the level of security of the digital vote to be mostly equivalent to paper voting (though I do not think this is possible). Then why do you think it would be better to use a harder method of counting votes? I do not see a strong argument to justify the change. The burden of proof is on the new technology, not on the old one that has been working so far.
Voting with pencil and paper is easy, everybody can participate in the voting process and understand it. Also, paper and pencil are more sustainable (can be made from recycled paper and trees, which you can plant, as opposed to mining minerals, shipping, and maintaining thousands of computers, with batteries in case there is a power outage).
Not really, one of the goals is contradictory to the stated goal of an electronic voting system of voter verifiability.
The problem is that when you can verify that your own vote has been counted a certain way, that can be used to influence the vote. $100 Amazon gift card if you verify that you have voted Purple. Lack of verifiability has been a feature to prevent a voter from willingly participating in manipulation.
The criticisms in the videos do not appropriately counter the solution in the linked article. Scott's superficial discussion of blockchain at the end misses the entire ethos of blockchain. We agree that servers, devices, software and networks cannot be trusted, and possibly never will be. So we ignore them and instead rely solely on the output. Every stakeholder audits the final official "blockchain" (for lack of a better term) using their own tools, engineers, and techniques to verify its credibility. I'm not claiming that this has been solved, although Belenios seems damn close. But it definitely seems conceivable that we can one day come up with a functional scheme that distrusts the machines as a first principle. What specific problems do you see with the Belenios attempt?
Blockchains are only verifiable and reliable in so far as everything that exists exists in the blockchain. As soon as it interfaces with the real world you start hitting the Oracle problem [1]. That you are not aware of this and still push for even considering it as an alternative to paper ballots is part of the problem. We need constitutional amendments that ban all forms of electronic voting in every democracy.
Nothing will beat the paper with physical verification/monitoring of people from different parties with the details of the end results properly published for everybody to double check.
The only way to trust voting machines (which could be rigged before delivery), would be to physically watch which buttons the voters did press, and manually account for it... which would violate the core rule of anonymity, that is, to avoid retaliation.
A cashier roll, that is locked into the voting machine. The voter selects an option on the machine, each option has a number. Once the voter confirmed its pick the number is printed on the cashier roll and "rolled" into view for the voter (a small slit window of some transparent material will do). The voter can then see the number was printed. After the voter presses the "done" button, or leaves the booth, the vote is rolled beyond the window so the next voter cannot see what the previous voter voted.
The rolls used can be marked uniquely.
The voting machine will print an opening and closing pattern so no votes can be added before or after.
There are various methods to trust voting machines. The simplest example is a machine which immediately prints out a paper trail that the voter verifies.
https://www.google.com/search?q=ballot+stuffing+2020
https://www.google.com/search?q=ballot+stuffing+2016
https://www.google.com/search?q=ballot+stuffing+2012
I have yet to see a digital system that I would trust myself to validate, much less the non-technical majority of the public.
I wouldn't expect the general population to trust them either.
I don't agree. This is plausible within a cohesive electorate, but it feels like moving the problem. What guarantees that the experts are trusted by the voters? And more importantly, assuming that at some point the system (experts) is trusted, how is the trust in the voting system retained over time? (e.g. in case of disagreement over the results)
I have argued in another thread like GP that because the ultimate purpose of voting systems is to collectively take decisions, and because disagreements are very common when deciding, the system needs to be able to justify itself to retain the electorate's trust. Otherwise it will eventually be replaced by a different voting system (or tyranny).
A proxy for this is of course simplicity. If the voting system is clearly understood by everyone, it is more easy to persuade a losing party that the outcome is correct. Conversely, if a voting system needs high expertise to be understood, it is more difficult to bring everyone to agree on the result. So the latter is less robust than the former, especially if the disagreement is over a result that is close to a tie. A self-correcting mechanism is important to keep the voting system in place.
In appendix B of your thesis you raise an interesting point I had not considered.
> As an extreme example, consider the case where a voting system lacks verifiability, is trusted by the public, and is compromised by a foreign superpower: the people have lost their democracy and do not even realize it. Compare that to a hypothetical case where a voting system has perfect verifiability, thus can not be compromised (without triggering a new election etc.), and, for whatever reason, is not trusted by the people.
> Clearly, the outcome where people are suspicious of a perfectly functioning voting system is superior to the outcome where people are blindly trusting a compromised voting system. We hope that this outlandish example is enough to support our argument that verifiability is more important than trust.
The external threat is a very valid point but I do not think that this is sufficient to absolutely conclude that verifiability is more important than trust. If the system is rigged, it may eventually displease the electorate to the point that it will eventually be replaced.
Unless, the rigged system doesn't displease the electorate and is essentially a hidden benevolent dictator, which would be an interesting situation. Only in that case verifiability could unambiguously be more important.
[1]: https://www.belenios.org/faq.html
It's not perfect: more remote and less popular areas go unobserved, and what happens after an official complaint is made is anyone's guess.
But at least almost anyone can add up numbers for themselves and come to a conclusion about what to trust and not trust. And you might think no one would bother, but in my brief experience as a volunteer poll worker they surely do, and zealously so. I can't even begin to imagine what'd happen if the paper ballot was replaced with "trust us, the machine says 37 for party A" or "the magical fingerprint number you don't understand says this ballot was cast for someone else".
The system by which power is transferred from the people to representatives needs to be literally self-evident. Any system that the "average voter" cannot understand should be literally unconstitutional. Deviating from this puts the results of all elections in doubt. People will question the results, and they will have a point because the system is not actually verifiable and trustworthy to the average person and therefore they have no reason to accept the results. If you're lucky you'll end up with numerous political prisoners at the end of the whole process.
It's interesting how attitudes about digital voting seemed to flip overnight once Trump challenged the 2020 election. Beforehand there was a lot of serious concern about the trustworthiness and security of digital voting machines, now I get the impression that's all been muted and it's taboo to do anything except trust the authorities.
1. Paper ballots are in some ways more ambiguous, because there are many ways to scribble a sign into a circle, a fraction of which will not result in the intended outcome
2. Understanding these handwritten symbols is harder than understanding the electronic system, because of that ambiguity
3. People understand the paper ballot system, but there are some statistical checks and security measures that they don't understand or know of, so their knowledge of the paper system is superficial
4. Trust in voting systems does not primarily arise from understandability but from trust in other people. To quote: your grandmum doesn’t have to become an expert cryptographer in order to trust a system like X. She just has to believe that cryptography experts exist and at least one of them would speak out if this transparent voting system was not as secure as the election officials claim
I don't want to question your thesis here, but I teach electronics and programming at a University level and points 1 and 2 are ridiculous and maybe even disingenuous. Sure, I understand that for a certain type of mind a digital/electronic system feels less ambiguous and more clear. But most people are not like that – not even among academics – not even among academics that involve themselves with technology.
Point 3 is a rhetorical trick that – if applied equally to E-Voting – would be a strong argument against it. Yeah sure, people don't understand X completely so let's do Y, which is one thousand magnitudes more complex, is not an argument in favour of Y even if phrased in such a way.
Point 4 is the actual thought we disagree about, but given the unscientific nature of the 3 arguments before I can't simply trust you that you did research here (there are no sources cited that strengthen your point either). So as it is you just stated the opinion, as I stated the opposite. Sure, paper ballot elections are not dead simple, but any living being with basic understanding of object permanence could verify a ballot isn't manipulated by just standing next to it. Meanwhile with computers you have to delegate that trust. And as computers can be reprogrammed, potentially remotely, even your experts can't be sure – especially in elections where powerful nation state actors seek to destroy the public trust in your election. This is a problem – just claiming that it isn't doesn't cut it. And people who claim that it isn't should not be the ones designing such systems.
The important thing to understand about agreeable consent is that a person's willingness to subject themselves to the will of a democratically elected majority is directly linked to their trust in the process. Your voting system has to produce that trust even if voters don't want to trust the process. The surest way to do that is to get a part of them involved in the process – ideally not always the same people. If then a single poll watcher claims a thing and 400 others that have been present plus three trusted NGOs can claim otherwise, the election is not in question. Someone will have to convince me this works for E-Voting with a bit more than rhetorical tricks.
Note that I am not against E-Voting per se. I just don't think the highest stake elections which have the potential to shift political powers should be electronic/computerized.
That isn't actually what voting is meant to do. The purpose of democracy is to kick out the old guy and stop the concentration of power by rotating the people in power frequently. The problem is that when you get rid of the old guy, you also need people to agree and consent that the new guy is indeed the new guy.
Same for machines, they’ll have to trust that some people did their job and checked these machines.
Not saying this will happen any time soon though ;)
If, in turn, elections are organised as distributed, local, and highly public countings, that get aggregated up to the final tally, citizens stay in control of their votes. Poll workers in a county may not count the votes of another county themselves, but they know there will be other volunteers all over the country doing so. It is extremely hard to manipulate a large-scale movement of politically inclined volunteers, and they can rely on that.
We cannot hand control over the vote to the government we possibly want to vote out. By reducing the massively distributed trust to a handful of computer wizards, we remove transparency from voting, turning it into a sham event that can be orchestrated by those in power to their liking.
Elections with paper ballots are somewhat straightforward in that regard. Any party member that doesn't trust the process can literally apply to check part of it and be able to see for themselves that there is nothing fishy going on in the part they checked. And they can do that with nearly no prior expertise. If they don't get to check it for themselves they can trust that enough people like them are involved in the process that someone would collect evidence of wrongdoing if it happened. And these people are normal people and many, so bribing them doesn't make sense. Adversaries that want to make that election untrustworthy would have to insert so many people at so many steps and in such number that an attack against it quickly becomes impractical.
Not with a computer system, I am not even sure if I would trust a system that I myself setup and software that I myself had written if used in a high stakes election. But the few experts that are able to verify the process and have the computer knowledge to do so without naive optimism now are high stakes targets and each party now needs to have one at each polling station at some point after which the machines (air gapped?) need to be completely isolated unless you want that verification to become meaningless. The voter now needs to trust the expert and for a hint about how well that works I want to point you to the Covid pandemic.
So digital voting is a non-trivial problem to solve, especially for high stakes, anonymous, but transparent elections. And we computer people can't just hand-wave the doubts away, you need to address each attack vector a major nation state attacker could/would exploit. And even if we did that the result would be a system that nobody without special education could understand.
Sure, paper ballots are slow and the process lengthy and labour intensive. But the results are surprisingly stable and trustworthy even in many places where one would expect corruption and manipulation.
However no voting system is perfect and 100% consent is next to impossible to achieve. But for major, high stakes elections we have to take any tiny sliver of trust we can take, even if it is at the expense of getting results fast or cheap.
As a young nerd I would've said: "How hard can it be", as an older nerd I understand that the computer part is the easy part, getting people to be able to trust and follow the process is the hard part.
How would you make such a sweeping statement? Can you list the systems you had looked at?
1. How hard it is for already highly educated people to understand electronics and programming
2. What kind of complexity is needed on how many technological layers to just even have it work reliably, and how much more complexity is needed to have it formally verifiable and tamper-proof
3. How many attack vectors exist in such systems — many of which mean a single motivated and skilled attacker could exploit on grand scale
All of that necessarily leads to a process that is less transparent than a paper ballot, because there are more moving parts. Your bloke from the pub will be able to understand how to check the integrity of a paper ballot. But of an E-voting system?
In my eyes it is a feature if within a democracy if all participants in that democracy can understand the whole election process.
There are two problems with this: 1. You can't verify whether extra or ineligible voters voted. 2. It relies on trust that they tell you your vote was counted.
I am very interested in reading about this protocol, and it might make a fun hobby to re-implement it as a research project.
The one issue I have is: the act of physically showing up is an important one. Mass stuffing of ballot boxes is nearly impossible when physical presence is required. It also puts ‘your ass in the game’, meaning you really care so to speak; as you have to do a minor piece of physical labor in order to get your vote counted.
If this protocol could be adapted to the physical world, I think it would be perfect barring any other issues.
Scantegrity II is a system that adds end-to-end voter verifiability [2] to such systems by combining some clever chemistry with some clever cryptography. It requires no hardware modifications at the voting site except that special markers have to be used to mark the ballots.
Briefly, a code is printed inside each oval using a special ink that is invisible, which turns visible when that oval is marked by a special marker.
After the election all the ballots can be published, allowing any third party to independently verify the counts.
Voters that wish to verify that their ballot was included in the count and counted correctly can note the code from the oval and afterwards use it to verify the count. The code cannot be used to prove to a third party, such as a vote buyer or vote coercer, that the person voted the "right" way. Here's a proof of that [3].
[1] https://www.usenix.org/legacy/event/evt08/tech/full_papers/c...
[2] https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy...
[3] https://eprint.iacr.org/2010/502.pdf
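As an added illustration of the confirmation-code idea described in the comment above (a constructed simulation, not the Scantegrity II reference code or its full protocol with commitments and audits), the following Python sketch assigns each oval a random code, lets a voter note the code revealed by marking, publishes the revealed codes per ballot serial after the election, and shows that the voter detects a changed record while the receipt itself names no candidate. Serial numbers, the three candidate names and the seeded random generator are all assumptions made for the example:

```python
"""Constructed simulation of confirmation-code verification.
Not the Scantegrity II implementation: real systems additionally commit to the
code tables before the election and audit unused ballots."""
import random

CANDIDATES = ["Alice", "Bob", "Carol"]  # assumed candidate list


def print_ballots(n, seed=0):
    """Pre-election: each ballot gets a distinct random 3-digit code per oval.
    In the real system these codes are hidden by invisible ink until marked."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    ballots = {}
    for serial in range(1, n + 1):
        codes = rng.sample(range(1000), len(CANDIDATES))  # distinct on a ballot
        ballots[serial] = dict(zip(CANDIDATES, (f"{c:03d}" for c in codes)))
    return ballots


def cast(ballots, serial, candidate):
    """Marking an oval reveals its code; the voter may write down (serial, code).
    Note that the receipt carries no candidate name."""
    return {"serial": serial, "code": ballots[serial][candidate]}


def tally(recorded):
    """recorded maps serial -> candidate as the authority's scanners tallied it."""
    counts = {c: 0 for c in CANDIDATES}
    for cand in recorded.values():
        counts[cand] += 1
    return counts


def publish_revealed_codes(ballots, recorded):
    """Post-election bulletin: for each serial, the code the tally says was revealed."""
    return {s: ballots[s][cand] for s, cand in recorded.items()}


def voter_check(receipt, bulletin):
    """The voter's whole verification step: is my code listed under my serial?"""
    return bulletin.get(receipt["serial"]) == receipt["code"]


def code_positions(ballots, code):
    """Defender's view of what a coercer learns from a bare code: across the
    printed ballots the same code sits under every candidate about equally often,
    so the code alone does not identify a choice."""
    hist = {c: 0 for c in CANDIDATES}
    for codes in ballots.values():
        for cand, c in codes.items():
            if c == code:
                hist[cand] += 1
    return hist


def demo():
    ballots = print_ballots(5, seed=42)
    recorded = {1: "Bob", 2: "Alice", 3: "Bob", 4: "Carol", 5: "Bob"}
    receipt = cast(ballots, 3, "Bob")
    honest = publish_revealed_codes(ballots, recorded)
    # A record altered after the fact: ballot 3 now counted for Alice.
    tampered = publish_revealed_codes(ballots, {**recorded, 3: "Alice"})
    return {
        "honest_ok": voter_check(receipt, honest),
        "tamper_detected": not voter_check(receipt, tampered),
        "tally": tally(recorded),
        "receipt_fields": sorted(receipt),
    }


if __name__ == "__main__":
    print(demo())
```

The check only catches a record that was changed for a ballot whose voter bothers to look, which is why such systems also publish the full set of revealed codes so third parties can recount; the bulletin alone still reveals nothing about who any individual voted for.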
> The code cannot be used to prove to a third party, such as a vote buyer or vote coercer, that the person voted the "right" way.
What if the vote buyer is with the government and can actually inspect the ballots after voting? Knowing the code is a proof that you saw a specific ballot.
That said - I am yet to see any protocol that is resilient against not showing up IRL (due to the exact reason above).
You can say that you voted for X, but vote for Y and no one will ever be able to tell.
Please forget about showing up physically because setting up a polling station in a place where there's effectively no public transportation cuts off poor people from voting.
Please forget about showing up physically because mail voting works fine, paper ballots are already anonymous and verifiable, and we don't need to argue about why showing up in person is better for the umpteenth time (or that adding extra friction is not a good thing).
Please forget about showing up physically because that "you really care" nonsense is in the same vein as literacy testing, and democracy isn't about excluding voters who don't care enough.
This line of thought is, frankly, disgusting, and I'm ashamed that this is tolerated here.
Could this work?
If the receipt allows to view whom you voted for, then it can be used to buy votes or pressure to vote for a specific candidate.
1. We need a sort of blockchain system to make sure nobody can change votes later.
2. Every citizen can deposit their vote with their own key tied to their id number that nobody else has. Everyone should be able to look up their own vote via their key.
3. We need more proof of work, require every booth to record a video of the voter and have a unique physical marker so that the video can't be reused and require voters to write something specific to that location during their video.
4. Proof of location? Require voters to transmit their GPS at all times during the entire election day. Then at least group voting (beyond faking your own family members' votes perhaps) should be impossible and multi voting should also be impossible.
5. Make sure that the counting of ballots is instantaneous so that the cheaters have less room to cheat.
6. Proof of time? Surely we should be able to simply use time to our advantage, given that somebody who wants to cheat on a mass scale inherently has less time than the individual voters?
Maybe all of it together, we have so much data about citizens in most countries. It should be absurdly easy to have a citizen be forced via GPS to vote from his area or even his building where he is registered to live before he starts going to his local voting booth. This would give us a lot of confidence that this is really a separate, real person and also the person in question.
We need to use what we have to our advantage. People may be able to fake a lot of things but all of them? I rather trust a complex system like this than literal pieces of paper where any person with a bad mind can just choose to read it differently or stuff a few extra pieces of paper somewhere.
The future of paper voting can be something like a quick fingertip-actuated DNA sequencer which will imprint your DNA hash right into the paper ballot, but it will never be an effective system on top of the current network architecture. You have to show up personally to vote. Like can you imagine voting with SMS or something? This is complete nonsense.
However I think this tool would work pretty well on a smaller community scale.
1. Widespread voting in person at a number of distributed sites, with paper ballots and either hand counting or machine counting with risk limiting audits. This is pretty technologically trivial to implement, but requires manpower.
2. Widespread postal voting as it's done in places like Oregon, where there's a non-serialised ballot inside a serialised envelope. All voters are sent an envelope and ballot via postal mail, and the return can be done at either a drop box or through the postal system. On election day, all valid envelopes are opened and emptied under the watchful eyes of observers from each party. They are then counted by hand or with machines and risk limiting audits.
What should not exist are voting machines. There should always be a paper ballot in the process somewhere that is human readable.
This would mean the end to the secret vote.
Elections that have the potential to shift the power structure of a state are not low impact decisions. Paper ballots being slow and labour intensive is a feature, not a bug for really high stake decisions like who is in charge of a nuclear arsenal for the next years.
The more I know about electronics and programming the worse I think the idea of E-voting is for such occasions.
Like most (or all?) online protocols, this doesn't protect against vote selling or vote coercion.
The general idea for all of these is if you add uncertainty you reduce what a coercer is willing to pay creating a mutually assured destruction scenario whereby the system being in place ensures nobody ever tries it.
Votexx.org if you want to learn more.
At the least, this will often result in heads of household voting for their entire families. At the most, it can result in people voting under the supervision of a local gang/militia member.
If anyone is looking for the right terminology to find papers, it's "no-receipt" voting. The holy grail is no-receipt, yet verifiable voting, but it might be mathematically impossible.
If you took a picture of your ballot, or even if you filmed yourself putting it in the envelope and putting it in the mailbox, there's nothing stopping you from taking it out later, tearing it up, and going to vote differently in person.
But if you held a gun to my head and made me vote at 18:59, with polls closing at 19:00, then I guess it would work. Hell, if you held a gun to my head and had me vote a week early and then blew my brains out, that would probably also keep me from voting again.
So it's not complete, but neither is the current system. You could hold a gun to my loved-ones head and tell me to go vote for B in our current system. I could photograph the ballot from the box, cellphones are small these days. Or if I vote by mail I could easily prove to you I voted for B so you would let the hostage free.
So I guess it actually is an improvement over the status quo.
If there's a "national registry of citizens" comprised of public keys, I think it will be easy to organize ballots on top of that.
it's worth keeping in mind though that this is an issue the current system faces. voters end up duplicated in the rolls under different addresses or old names, or they don't get removed from the rolls after losing eligibility or dying.
once upon a time I got two voter cards in the mail, one forwarded from an old address. I was eligible in two districts after nothing more extraordinary than moving across town. had to call in to get removed from the extra district.
* IMAGE https://www.plantuml.com/plantuml/png/RLAzJiD03DxlAQnECF023A... (ChatGPT's images look bad)
* CONVERSATION https://chatgpt.com/share/142a2eca-1f66-4087-9568-cbf49e7c3c...
https://youtu.be/w3_0x6oaDmI?si=kGDOYOb_RiiQaZ3u
https://youtu.be/LkH2r-sNjQs?si=YdQgNC4uUZDUDbab
It would be too burdensome with pencil and paper. Alternatives are useful.
https://en.wikipedia.org/wiki/Voting_in_Switzerland
There are methods for preventing all the issues Tom Scott raises.
[1]: https://chain.link/education-hub/oracle-problem