When it comes to elections, there are a number of different kinds of attacks against the voting process that should concern us. Excluding things like bribing and threatening voters, we need to worry about votes not getting counted, votes getting changed, and votes being inappropriately added. In the first case, an unpopular government may remove opposition supporting ballots from ballot boxes in marginal constituencies. In the second, they might alter or replace ballots, converting opposition votes to government ones. In the third, they might simply add more ballots that support the government.
A relatively simple measure could protect against the first two possible attacks. When a person votes, they could be given a random string of characters. One copy would get printed on their ballot, another would be theirs to keep. Then, once the ballots had been tabulated, a list could be posted on the internet. Sorted by electoral district, it would list the various options people could have chosen, the total number of people who chose each, and a list of the random strings that each person brought home. The importance of the random string is that it preserves the integrity of the secret ballot. Because each string is generated using a random number generator, no string can be tied to an individual. Only the copy given to the voter allows them to check that their vote was properly counted.
Under this system, if I voted for Candidate A and got the string “GHYDMLKNDLHFL,” I could check the list under Candidate A on the website and ensure that my vote was counted for the right person. If my vote hadn’t been counted, my string wouldn’t be anywhere on the list. If it had been miscounted, it would appear in the wrong place. People who found themselves in that situation could complain to the electoral authority, the media, and foreign observers.
The system remains vulnerable to an attacker adding new ballots in support of their candidate, but only to a certain degree. Provided there are some independent observers watching the polling station, the approximate number of people who voted can be pretty easily determined. If the number of votes listed on the website is well in excess of that number, it can be concluded that fraud has occurred.
None of this is any good against a government truly committed to rigging an election; they will always be able to brush off complaints from foreigners and the media, and they will rig the electoral authority. At the same time, it would make rigging more difficult and increase public confidence in the electoral system in any state that implements it. Being able to see your vote listed in the appropriate place may also make elections feel more concrete and personal.
The system does create some new risks. Attackers might force voters to share their random string. If they did so, they could determine who an individual voted for: a worrisome prospect in situations where people could be threatened to vote in one way or another. Likewise, having confirmation that a vote went one way or the other could make vote-selling a bigger problem. With a standard ballot, there is no way to know whether a paid voter actually voted the way they were paid to vote. These additional risks should be borne in mind in the context of any particular election or state. In some cases, they could make the dangers of this approach outweigh its benefits. In most places, however, I suspect it would be beneficial and relatively inexpensive.
Some previous posts on electoral security: