Selene: Voter-Friendly, Receipt-Free Verification (medium.com/mit-security-seminar)
26 points by ffwang2 on Oct 24, 2015 | 27 comments


If it takes a 56 page PDF to explain, and an explanation on encryption... it's too complex.

Just do it with paper, have multiple observers, never count to more than 10 (10 slips = 1 bundle, then count 10 bundles and make 1 large bundle, etc).

Basically, I like the UK way. It's not even slow, the whole country gets the results before they wake up the next morning.

The whole thing can be verified, and it can be reverified easily later.


Put another way: the unwieldiness of British- and Australian-style paper balloting is a feature, not a bug.

To steal an Australian state or federal election would require the subversion of hundreds or even thousands of individuals, many of whom are mutually hostile, mutually surveilling agents (scrutineers[1]).

Waiting a few weeks at most in exchange for years of democratic legitimacy is a pretty bloody good deal.

[1] http://www.aec.gov.au/voting/scrutineers.htm


Exactly. This and similar ideas are great examples of solutions in search of a problem. It's also important, I think, to note that the concept of security in this context comes down to voter confidence, and this requires a solution that the average voter can understand. There is no better way to achieve that than the analog one you describe.


It suddenly occurs to me: Another aspect of pervasive biometrics. The State -- or, private entity with sufficient influence to access the ballots (think especially but not only at the local/regional level) -- scans the paper ballots for prints. Suddenly, they know how you voted.

(DNA as well, I guess, but we are further away from having instant/economic mass DNA scanning.)


That's not a huge concern, since in the UK there's a record of voter id -> ballot paper id kept. With access to that and the ballot papers you can tell how everyone voted.


You're way overthinking it. Most voters belong to a political party, which is a public record that anyone can look up. Same for campaign contributions. DNC and RNC and various private entities maintain databases of voters' political leanings.

One wouldn't need to compromise the voting system to get a list of who (likely) voted for whom.


"Suddenly, they know how you voted."

Why would that be a bad thing? Short of police-state type scenarios, I can't think of anything decently plausible.


Agreed, but there are plenty of votes that aren't important enough to justify the expenditure, and would be better administered digitally. Members' organisations, etc.


Completely agree. I can only hope that the day after an electronic voting general election, the new Prime Minister is Edward Snowden, because a result that looks kind of ok is not going to throw the whole thing in the bin.


The slide deck linked to in the article was very informative and straightforward. The length of the PDF is to cover edge cases and scenarios of corruption, with solutions.

You seem like a TL;DR kind of guy (nothing wrong with that), so just read the slide deck. Maximum 50 words a page.


Erm, OK.

I did read the article, and I did read the PDF, I understood both and then I commented here.

However, the chances of explaining most of that to my mother in a way that she could understand in a moment, such that she could also explain it to the next person? It's unrealistic.


I don't think looking at this as a replacement for the existing ballot system is the right way to look at it. For the kinds of elections that are currently conducted, the current ballot systems may be sufficient, and even preferable, as other posters have argued.

In my opinion, research into new, more technical voting systems is not about our existing elections, but about new types of 'assessments of opinion' (AOO) differentiated from the current understanding of an 'election'.

For example, current systems assume that 'elections' occur relatively infrequently, are restricted to a certain number of choices, and that the person voting is sharing only their own opinion.

However, if we wanted to implement a system in which legislative decisions (proposing and passing laws, let's say) were made by the population as a whole, possibly several times per day, in a geographically distributed manner and supporting both direct and indirect delegation, any system that is intrinsically based on a paper ballot is not a feasible solution. Perhaps we'd also want to support conditional delegation as well; for example, this person receives my vote for topics localized to a 30 mile radius, while person B receives my vote for topics related to privacy protections, and so on (with additional rules for preemption/disambiguation, etc).

It wouldn't even necessarily have to be used for traditional governance - it could scale to be used for voting with a group of friends, a business, a shared-interest group, etc.

This is obviously a very tricky problem to solve, particularly if you add (optionally?) other requirements such as verifiability, secrecy, and so on. I haven't read the full PDF posted by the author, but I think it's likely that the proposed system solves only a portion of the problems described above, given the complexity of the requirements.

That being said, I certainly don't think saying "paper is always the way to go, because it's the simplest" or "these kinds of developments are solutions in search of a problem" is constructive. Addressing the weaknesses of a specific solution is one thing, but saying that the existing ballot system is optimal (particularly given the audience of HN) is a surprising sentiment to see here. Sufficiently long-standing problems (are capitols necessary?) may not be immediately visible to us, but that doesn't mean they aren't there, and we should strive to be open-minded - even towards imperfect solutions.

Just my 3 cents.


It doesn't even have to have anything to do with the state. Votes in school classes? On a corporate board? In games? A working secure anonymous voting system could be useful everywhere.

My own sketch kind of "cheats" a little - I'm using Secure Multiparty Computation to achieve a cryptographically protected opaque VM distributed against mutually distrusting entities. This makes practically everything else easy - vote input data can be anything, and you can have any imaginable type of vote trivially. Per-choice scoring? Choice ranking? Switching is easy too.

https://roamingaroundatrandom.wordpress.com/2014/06/16/an-mp...

Still only a blueprint, but technically possible. I'm going to look into how this particular scheme works and see what they're doing different that could be reused, if anything is applicable.

Edit: reading it now. Turns out their approach is remarkably similar to mine on a high level! But their cryptographic constructions differ and are definitely more advanced.


about new types of 'assessments of opinion' (AOO) differentiated from the current understanding of an 'election'

Agree.

Fan of direct democracy that I am (have used various voting methods in the work place for decision making), the trick is having a tight feedback loop, so that participants see the result of their involvement. Otherwise they become alienated. Which might explain vote fatigue, low motivation, etc.


The gist of the method of verification, from the linked slide deck:

   Typically, voters get a “protected receipt”, i.e. an 
   encrypted/encoded version of their vote.

   Cast receipts are posted to a secure web bulletin board. 
   Voters can verify that their receipt is correctly posted.

   A (universally) verifiable, anonymising tabulation is 
   performed on the posted receipts.


So there is a receipt but, in the interests of preventing tampering (?), the voter won't be able to understand it.

It still requires a complex software system that no lay person (and no expert in short order) can verify.

That problem remains and it isn't really a technical one. Any voting machine has to be able to be verified using simple visual, mechanical inspection for the people to trust it. More technology will only undermine trust further.


My understanding is that this system is trying to solve one particular problem: how can you be sure your vote was counted? A simple visual inspection probably isn't enough to convince me that my ballot box won't be dropped off the back of a truck later.

That said, I do have some question about how thoroughly it addresses that problem.

A lot of the presentation is about difficult edge cases, such as how a voter can falsely verify their vote to someone who's coercing them to vote a certain way. This part seems quite complicated, but it kind of has to be. Maybe an interest group could make step-by-step instructions available to groups of voters who they think are likely to be coerced.

What I don't know from the presentation is, is the simple case understandable? If I am a reasonably normal person who has never been to a key-signing party and does not code El Gamal for fun, will I be able to verify my vote? Do I need to personally do the math and computation that would verify my vote, or would there be a usable, trustworthy app of some sort that does it?

Here's another threat model that they don't discuss: what if I don't like this system and I want to undermine it, and I use a false verification code to say "look, you counted my vote for the wrong candidate, this system is corrupt"? Presumably nobody would be able to say I was wrong, and nobody would be able to distinguish a real election flaw from my fictitious one.


A ballot box falling off the back of a truck is a voting system problem that is utterly unrelated to the "verifiable voting mechanism" problem. Talking about them in the same sentence this way obscures both problems.


I mentioned it hyperbolically, as a way of saying a voting system being simple and inspectable is not sufficient to make your vote verifiable.


buro9 hit the nail on the head. The most important, often neglected, issue is that voters will understand and trust it. I've been digging through voting schemes for a while trying to find this one requirement. Fortunately, I did find one in a discussion on Schneier's blog:

Scantegrity voting scheme https://web.archive.org/web/20110324052432/http://www.scante...

https://web.archive.org/web/20110728002210/http://www.scante...

I'd still like to see experts in cryptography and voting architecture do a thorough evaluation of its security. However, the process is simple enough that about any location should be able to implement it and about any person use it. I mean, there might be modifications for accessibility reasons. Second link has the papers.

Anyway, what do you all think about Scantegrity in general and as a default recommendation for secure voting?


I manually worked thru a hypothetical election using Punchscan for my jurisdiction. It didn't protect voter privacy.

With paper ballots, dropping your ballot into the ballot box is the secure one-way hash (assuming enough people are voting).

The trick crypto systems do is hide your ballot within a herd of ballots, using some kind of one way hash, assuming there will be hash collisions. Works great with simple ballots (few races) and large numbers of voters.

Alas, in my jurisdiction, the smallest political (bookkeeping) unit is a precinct (ranging from 0-1000 voters) and our ballots have 10-40 races. So combinatorially, it's likely each ballot is uniquely identifiable.

A crypto system might work if our complex ballots were separated into more simple ballots. Eg one each for national, statewide, county, and local races.

Rant: My primary grievance with proponents of crypto for voting is they do not specify under which conditions their systems will and will not protect voter privacy. That is very intellectually dishonest, with a dash of technophilia.

After studying this, extensively, crypto based voting systems for elections are a complete non-starter for me. I'd rather forfeit voter privacy than embrace an inscrutable system that I can barely understand.
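Working through the combinatorial point in this comment, as an added illustration and not the commenter's own code: the functions below assume every voter fills in every race independently and uniformly at random (a constructed simplification; real ballots are correlated, so treat the numbers as a rough scale) and estimate how often a complete ballot is the only one of its kind in a precinct, which is what lets it be matched back to a voter from published data. It also shows the effect of splitting the same races across separate sheets.

```python
import math

def ballot_patterns(choices_per_race):
    """Number of distinct ways to fill in a ballot: the product of the number of
    options in each race, e.g. [2, 2, 3] -> 12."""
    return math.prod(choices_per_race)

def p_unique(choices_per_race, n_voters):
    """Probability that one voter's complete ballot matches no other ballot cast
    in the same precinct, under the constructed assumption that every voter
    picks independently and uniformly in every race:
    (1 - 1/patterns) ** (n_voters - 1)."""
    return (1 - 1 / ballot_patterns(choices_per_race)) ** (n_voters - 1)

def min_voters_for(choices_per_race, max_p_unique):
    """Smallest precinct size at which p_unique is at most max_p_unique,
    solving (n - 1) * ln(1 - 1/patterns) <= ln(max_p_unique) for n."""
    q = 1 - 1 / ballot_patterns(choices_per_race)
    return math.ceil(1 + math.log(max_p_unique) / math.log(q))

def split_ballot(choices_per_race, split_sizes, n_voters):
    """p_unique for each sheet when the races are handed out on separate
    sheets of the given sizes (e.g. [3, 3, 4] splits 10 races into three)."""
    assert sum(split_sizes) == len(choices_per_race)
    out, start = [], 0
    for size in split_sizes:
        out.append(p_unique(choices_per_race[start:start + size], n_voters))
        start += size
    return out

if __name__ == "__main__":
    precinct = 1000           # upper end of the precinct size range in the comment
    ten_races = [2] * 10      # ten two-way races on a single sheet (constructed)
    print(p_unique(ten_races, precinct))            # about 0.38
    print(min_voters_for(ten_races, 0.01))          # precinct size needed to get below 1%
    print(split_ballot(ten_races, [3, 3, 4], precinct))
```

With ten two-way races and 1000 voters, roughly 38% of ballots are unique even under the most favourable (uniform) assumption, and forty races make essentially every ballot unique; three or four races per sheet brings the figure to effectively zero.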


Did you know btw that in the UK your vote is not really private: there is a serial number on the ballot that is noted down against your name in the register?!


As the author of the Selene scheme and the talk I should add some clarifications:

Selene is explicitly not intended for high-stakes, binding votes to elections. It may be suitable for some forms of election, e.g. of officials of professional bodies, student societies etc., in the way that say Helios has been used. I want to stress that I, like many in the verifiable voting domain, do not advocate internet voting for serious elections. We currently know of no scheme that provides sufficient levels of verifiability, coercion resistance and usability.

A primary goal of Selene is to make the verifiability step as simple and understandable as possible. In contrast to most existing E2E verifiable schemes voters do not have to handle encrypted ballots to perform the verification, they simply look up their vote in the clear on the WBB using their private tracker. Of course, making the verification so transparent, as opposed to the usual practice of checking the presence of an encrypted ballot, has its costs in terms of receipt-freeness and coercion resistance, but we have tried as far as possible to mitigate these.

The scheme does use some fairly sophisticated crypto but as far as possible this is all under the bonnet as far as the voter is concerned. Of course, to understand the arguments for the security claims would require at least some superficial understanding of the crypto, but my guess is that most voters will not be that interested, or will be happy to accept the evaluation of experts.

I don't believe that it takes 59 or whatever slides to explain the key features of the system:

There are constructions, transparent to the voter but verifiable by expert, interested parties, to guarantee that no two voters get the same tracker.

There is a mechanism to notify voters of their tracker after the trackers and votes have been posted in the clear.

The fact that voters learnt their tracker only after the posting of this information helps mitigate the obvious coercion strategy: ask the voter to reveal her tracker.

The notification is set up in such a way that a coerced voter can fake it to appear to reveal an alternative tracker, pointing to the coercer's vote.

Verifying your vote is simple: look up your tracker and check that the vote alongside it is correct. And this is of course in any case optional; voters can just vote and go.

Much of the content of the slides is just discussing the background, contrast with other E2E schemes etc.

A paper describing the scheme in detail will be available shortly. I welcome feedback.


The scheme does not require 56 pages or whatever to explain. There is some crypto under the bonnet that is designed to guarantee essentially the following:

1. Every vote will get a unique tracker number.

2. The voter is notified of his or her tracker after the votes/trackers have been posted to the Web Bulletin Board. This is to give a coerced voter the chance to identify a tracker number that points to the coercer's required vote.

3. Each voter is notified of her/his tracker in a way that allows them to deny it and claim another tracker that points to the vote demanded by the coercer (which they identified in 2).
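A toy model of the voter-visible flow the author describes in these two comments (unique trackers, votes and trackers posted in the clear, look-up by tracker, and a coerced voter naming another tracker), added here as an illustration and not Selene's own code: the properties that Selene enforces with cryptography are simply asserted by plain Python, so nothing about the actual tracker construction or notification mechanism is modelled.

```python
import random

def assign_trackers(votes, rng, n_digits=6):
    """Give each cast vote a distinct random tracker and return the shuffled
    (tracker, vote) pairs that get posted in the clear on the bulletin board.
    Uniqueness is enforced here by rejection sampling; in Selene it is
    guaranteed by cryptographic constructions that experts can verify."""
    used, board = set(), []
    for vote in votes:
        tracker = rng.randrange(10 ** n_digits)
        while tracker in used:          # a shared tracker would break property 1
            tracker = rng.randrange(10 ** n_digits)
        used.add(tracker)
        board.append((tracker, vote))
    rng.shuffle(board)                  # posting order must not reveal casting order
    return board

def trackers_unique(board):
    """Property 1: no two posted votes share a tracker."""
    return len({t for t, _ in board}) == len(board)

def verify_vote(board, tracker, expected_vote):
    """The voter-facing check: look up your tracker, compare the vote beside it."""
    return dict(board).get(tracker) == expected_vote

def alternative_tracker(board, own_tracker, demanded_vote):
    """Properties 2 and 3: because the voter learns their tracker only after the
    board is posted, a coerced voter can pick any other tracker that already sits
    beside the vote the coercer demanded and claim it as theirs. Returns None
    when no such tracker exists, i.e. nobody else voted the way the coercer wanted."""
    for tracker, vote in board:
        if tracker != own_tracker and vote == demanded_vote:
            return tracker
    return None

def demo(seed=7):
    """Constructed five-voter election (three for A, two for B) with a fixed seed
    so the run is reproducible. One B voter is coerced into showing an A vote."""
    rng = random.Random(seed)
    board = assign_trackers(["A", "A", "A", "B", "B"], rng)
    own_tracker = next(t for t, v in board if v == "B")
    return {
        "board": board,
        "own_tracker": own_tracker,
        "honest_check": verify_vote(board, own_tracker, "B"),
        "fake_tracker": alternative_tracker(board, own_tracker, "A"),
    }

if __name__ == "__main__":
    print(demo())
```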


Can this system be understood and verified by a 5 year old?


Can a 5-year-old do a rigorous security analysis of a conventional paper ballot as conducted by modern nation-states?

If not, then the appropriate standard for comparison is "Could this system fool a 5-year-old?".


No, but a five-year-old could understand the fundamentals of why a paper ballot is secure, even if they do not evaluate the complete implementation. This system is a little tricky just to understand conceptually.

And here's the thing: voter fraud is very rare. IMHO, fear of voter fraud causes many more problems than the fraud itself. It is therefore critical that people understand and trust the voting system even if a more complex system is otherwise safer.



