There is a myth that computers will always make things better, and a great example of this myth in action is voting. While computers are great at adding up numbers, they don’t know what those numbers mean, and the code that adds those numbers can be tampered with. In fact, because of the way voting works today, it’s impossible to track if a vote was properly counted.
When you vote, you want to know that your vote was counted correctly. You also want to know that someone else’s vote was not counted twice. You need trust and security.
You need the trust and security you get at a bank. When you deposit $1,000 at the bank every dollar is counted. You have basic accounting, receipts and balances that allow both you and the bank to figure out where the money goes. Why is voting any different?
Well, for one, you want to be able to vote anonymously. You can’t make voting records public because unscrupulous individuals could coerce or intimidate people into voting a certain way. What you want is anonymous but verifiable receipts.
Imagine I go to vote and when I get to the voting booth I take a dollar bill out of my pocket. When I vote I insert the dollar into the voting machine and when I’m done I get my dollar bill back plus a receipt of my vote. It’s an ordinary dollar bill, there’s nothing special about it. In the voting process the dollar bill and I are similar. We are anonymous and we are unique. Each bill has a unique serial number. Once voting is complete and the votes have been tallied the serial numbers of the bills and the corresponding votes can be released publicly.
Anyone who voted can look up their own vote by finding their own serial number. Voting is still anonymous: no one can tell who you voted for, but you can verify that your own vote was counted. The bill serial number acts as a unique receipt. Since the bill is difficult to forge, it doesn’t matter how the actual ballot is done; you have a verifiable way to track your own vote. If your vote was counted incorrectly, you can bring your bill as proof and correct the mistake. (Of course, don’t spend that bill until the election is over.) If your vote was never counted, the paper receipt plus the bill are proof of the place, location and unique machine used to vote. This can be used to back-track and find faulty machines that issued receipts but didn’t actually count votes.
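The audit described above, sketched as an added example that is not part of the original post. The record layouts, serial numbers, and machine names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data. Public record released after the tally: (serial, vote).
PUBLISHED = [
    ("B11111111A", "Yes"),
    ("B22222222A", "No"),
    ("B33333333A", "Yes"),
    ("B33333333A", "Yes"),   # same serial appears twice in the count
]
# Receipts voters bring back: (serial, vote, machine_id).
RECEIPTS = [
    ("B11111111A", "Yes", "machine-01"),
    ("B22222222A", "Yes", "machine-02"),   # published vote differs from receipt
    ("B44444444A", "No", "machine-02"),    # receipt issued, vote never published
    ("B55555555A", "Yes", "machine-02"),   # receipt issued, vote never published
]

def audit(published, receipts):
    """Compare voter receipts with the public record and report discrepancies."""
    counts = Counter(serial for serial, _vote in published)
    recorded = dict(published)  # serial -> published vote
    uncounted = defaultdict(list)
    altered = []
    for serial, vote, machine in receipts:
        if serial not in recorded:
            # Back-track to the machine that issued a receipt but counted nothing.
            uncounted[machine].append(serial)
        elif recorded[serial] != vote:
            altered.append((serial, vote, recorded[serial]))
    return {
        # A serial counted more than once means a vote was counted twice.
        "duplicate_serials": sorted(s for s, n in counts.items() if n > 1),
        "altered": altered,
        "uncounted_by_machine": dict(uncounted),
    }

if __name__ == "__main__":
    for finding, detail in audit(PUBLISHED, RECEIPTS).items():
        print(finding, detail)
```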
You no longer have to worry about the poor design of voting machines, hanging chads, miscounts, recounts, and widespread election tampering. Everything can be done out in the open. Only with an open process can you have public scrutiny to ensure that everything is just and fair.
What about other people’s votes? How can I know that other people are voting only once? Interestingly, the answer is non-technical. We can learn a lesson from Iraq, which used a similar process in their election:
I think I missed how this gets around the problem of coercion or bribery. Malcom gives Alice a dollar bill and says, “Vote for Bob with this, and I’ll send you $20 when I verify it tomorrow.”
Michael, good one… What I describe doesn’t eliminate corruption of individuals but it should help address what seems to be the larger problem of corruption and mistrust of the system.
In your example Alice could spend the dollar or trade it with someone who she expects will vote as Malcom wants.
Fair enough. Rivest and Smith (of MIT and RangeVoting.org respectively) have schemes with some similarities to your proposal (using random serial numbers and receipts), but they attempt to avoid the potential exploit of coercion or bribery:
http://www.math.temple.edu/~wds/homepage/tb8.pdf
In the simpler Twin scheme, each voter gets a random serial number and vote receipt of an anonymous random _other_ voter to cross-check in a public record later, thus they have nothing to prove on how they voted. Unfortunately, it’s weaker on verification: while your scheme allows a voter to check that the vote reported to the public is the same as the voter’s intention, Twin only allows a voter to check that a vote reported to the public is the same as reported at the time of balloting. It may be vulnerable to attack in the slice of time between when the ballot is cast and the receipt is given to another voter.
In the more complicated (for the user) VAV scheme, a voter casts _three_ ballots, two being votes for a candidate (it may or may not be the same candidate) and one “antivote” against one of the voted-for candidates to cancel one vote. The voter then chooses to take home a receipt of just one ballot, bearing a random serial number and the candidate name. A vote receipt can’t be used for bribery or coercion because only the voter knows if there’s an antivote canceling it; an antivote receipt is no use either because only the voter knows the two votes (e.g., both may be for the voter’s chosen candidate). Unlike Twin, voters can verify (one of) their ballots against their respective intentions at the time of the balloting. Later, when the votes and serial numbers are posted in public, the voters can verify that their ballots continue to match their respective intentions.
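An added sketch of the VAV mechanics as summarized in the comment above (not part of the original comment and not code from the Rivest and Smith paper). It shows that one take-home receipt is consistent with a net vote for any candidate, while still letting the voter catch a changed ballot in the public record. The candidate names, the `second` parameter, and the ballot tuple layout are assumptions made for illustration.

```python
import secrets
from collections import Counter
from itertools import product

CANDIDATES = ("Alice", "Bob", "Carol")  # constructed sample slate

def cast_vav(intended, second):
    """Three ballots (serial, kind, candidate): two votes and one antivote.

    The antivote cancels `second`, so the net effect is one vote for
    `intended`. `second` may be the same candidate as `intended`.
    """
    marks = [("vote", intended), ("vote", second), ("anti", second)]
    return [(secrets.token_hex(8), kind, cand) for kind, cand in marks]

def tally(board):
    """Net count per candidate: votes minus antivotes."""
    totals = Counter()
    for _serial, kind, cand in board:
        totals[cand] += 1 if kind == "vote" else -1
    return dict(totals)

def verify_receipt(receipt, board):
    """True if the take-home ballot appears unchanged in the public record."""
    return receipt in board

def possible_net_votes(receipt, candidates=CANDIDATES):
    """Every net vote that some valid three-ballot set containing this receipt expresses."""
    _serial, kind, cand = receipt
    nets = set()
    for x, y in product(candidates, repeat=2):
        for cancelled in {x, y}:
            if (kind, cand) in (("vote", x), ("vote", y), ("anti", cancelled)):
                remaining = [x, y]
                remaining.remove(cancelled)  # the vote left standing
                nets.add(remaining[0])
    return nets

if __name__ == "__main__":
    voter1 = cast_vav("Alice", "Bob")   # net vote: Alice
    voter2 = cast_vav("Bob", "Bob")     # net vote: Bob
    board = voter1 + voter2
    print(tally(board))
    print(possible_net_votes(voter1[1]))   # receipt says "vote Bob"
    print(verify_receipt(voter1[1], board))
```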
That’s a fascinating study on voting. The VAV and Twin approach does address the bribery problem but it creates another problem. Since the receipt can be a vote or an anti-vote it’s no longer a true receipt in terms of auditing purposes. Since the receipt doesn’t show how I voted the vote can be changed behind my back.
The Twin and VAV approach also are significantly more complex to explain. I’ll have to look at the paper in more detail. Thanks for the link.