I’m trying to figure out whether a ballot receipt is inherently vulnerable to vote coercion. Is there any way to make a voting system where:
A voter can audit his or her vote in a public ledger, probably by matching the (randomly assigned) ballot ID on their receipt to the official list
Other voters can also see the results, but will not know which ballot ID belongs to who
HOWEVER, the ballot receipt must not be able to be used as a tool of coercion for vote buying or suppression
In one design by NYU, the problem was partially tackled by a “I’m voting under duress” mode that the voter can secretly turn on when voting. That would create a side-channel list that would be later subtracted from the public results ledger. To an auditor or vote suppressor, it would look like that voter voted, but behind the scenes the “voting under duress” list would cause an invalidation.
This has its own share of problems:
A) It relies on a trustworthy central voting authority to maintain and properly utilize the “voting under duress”.
B) If the “voting under duress” list is kept secret forever, it is unauditable. If it is eventually released several months after the election, as in the NYU proposal, a coerced voter could still be “punished” at that point.
A random idea: What if the “voting under duress” mode generated an additional vote, the exact opposite of what the voter actually voted for, essentially purposefully “padding” the results with the opposite position? Those invalidating votes would be specially marked as such and contain geographic data but not individually identifiable voter data, so that they can later be auditable at least down to the precincts to identify anomalous levels of invalidations (suggesting a vote buying campaign).
That still accomplishes an invalidation, but you’d have phantom voters in the results. The voter would get an invalidation receipt in addition to their ballot receipt, but the two are not tied together. The challenge here is in proving that invalidations aren’t just generated out of the ether, but that’s already a problem in the current system anyway and at least it would be an improvement. If abnormally high levels of coercion are detected in an area, re-elections can be held with outside election watchdog groups stepping in and collecting invalidation receipts (anonymously, or by mail) by people who want to voluntarily provide them as evidence.
That’s just one idea. Are there any other, better ones?
The larger challenge statistically is “I’m voting this way because somebody bribed me to. And I’m happy to sell my vote for that price.” How do we detect and prevent that when the voter him/herself affirmatively doesn’t want to be discovered?
I didn’t mean to threadshit. As to your question as asked:
Ultimately the tradeoff is between “I, an honest voter, want to know my specific personal vote was accurately recorded and counted.” and “I, a coerced voter, want nobody, not even a very powerful somebody, to know how my specific personal vote was recorded or counted.”
That’s a technological dead end because the requirements are identical in tech space and opposite in meat-space. The fix, if any, resides wholly in meat-space.
Beyond that, we also want a way to ensure that not only was any/every vote recorded accurately, but that it was correctly and completely included in the total. Some kind of blockchain can probably achieve this. IOW, it’s cyptographically proveable that your vote ID for X is in the chain that ends with the total votes for X.
If there was a way to blockchain both your voterID and your yes/no/abstain choice on question X together then the outcome of the blockchain could be a cryptographically secure total over/under on question X where any uncounted vote or wrongly counted vote could be detected by the voter. But it still fails in that if the voter can observe that his/her vote was counted as, e.g., “Yes” then anyone else with a gun to the voter’s head can see the same thing.
Isn’t that almost like “I’ll vote for you to receive services for my district”? Just a more direct tit-for-tat? It’s sad if that happens regularly, but well, there’s not really any stopping it. The same system that fights coerced votes could also help these people, though. Even if they took the money, they could vote for whoever they wanted to and just lie about it.
Exactly. I’m not asking about how to recreate a fix in techno-space, but how to prevent it in the first place. I don’t think any of those ideas requires technology per se, if you can imagine replacing a blockchain by a meatspace “web of trust” model with each precinct double-checking one another and funneling their counts upwards through a signed chain of custody, etc. That’s not the issue, really, but like you said: can verifiability and anonymity coexist somehow, in paper ballots or e-voting?
As soon as you set things up so that every vote can be directly linked to the voter, you ENABLE direct-to-voter corruption.
Simple bit of reasoning to recognize: if you can set up a fool-proof way to protect all the detailed voting information you’ve logged… there would be no reason to log it at all.
From a problem-solving point of view, as opposed to your invent-a-whole-new-system idea, I would address what people actually are worried about instead. Especially since it would be easier to do.
Such as:
have every vote automatically tallied in TWO PLACES as it is cast, instead of just one. This would prevent individual polling places from “adjusting” the counts.
Instead of logging the entire vote for a double check, log only THAT the person voted. Instantly. They could both verify THAT they voted, AND that they were only counted once. You could do something as simple as having each vote numbered in sequence as they vote, in a way that was only connected to their opening and closing the curtain or whatever. Any missing numbers in the sequence, and any difference between the total votes cast at the station and the number assigned to the last voter would be obvious.
I’d go with little simple and direct fixes to known specific concerns like this, rather than enacting some vast data collection concept.
Yeah, exactly what we’re hoping to prevent Verifiability is important, but so is anonymity.
What do you mean? Sorry, I don’t follow.
There’s also concern about the count being manipulated after it leaves a polling place, such as in transit (paper ballots being “lost” or digital transmissions being altered) or during county/state/national tabulations, whether by mistake or malfeasance.
Again, this might work at a polling place level, but you have to trickle the results up to bigger regions (county/state/country/whatever). How do you cross-check all the precincts without a verifiable trail? What if manipulation occurs later on in the tally process?
It’s a gradual evolution towards better and more provably safe election systems. We’re definitely not going to get there overnight. That said, it is still an interesting exercise to try to design a model system that could eventually be adopted, if only to reassure ourselves that votes are being counted. What is right now just a murmur of “election fraud” will hopefully stay that way, but the system itself must evolve to counter new threats so that people don’t increasingly lose faith in the ballot.
You started out asking about coerced voters. I was concerned as I gave my answers that I was broadening the question from individual coercion (my ballot paper doesn’t say what I really want it to say) to the general question of accurate counting (the reported totals don’t match the actual ballot papers cast).
Now you’re talking about tallying & reporting. Those are very different questions with different answers.
To be sure the Platonic Ideal Form of voting would have no opportunity for bribery or coercion before the individual vote and no opportunity for deliberate miscounting on the way to the aggregate total. Nor for voter suppression upstream of the individual vote.
We’re not going to invent a Platonic Ideal anything here today. But along the way there almost certainly are things we can do to reduce one or another risk factor perhaps at the cost of increasing another.
This is where having some actual factual data on whether we have functional problem(s) today and what they are or do we simply have a pig-ignorant paranoia that “stuff gotta be broke” because some incurious folks don’t understand it and buy propaganda intended to destroy their trust in the system?
Verifiability is important, but so is anonymity.