When it comes to elections, there are a number of different kinds of attacks against the voting process that should concern us. Excluding things like bribing and threatening voters, we need to worry about votes not getting counted, votes getting changed, and votes being inappropriately added. In the first case, an unpopular government may remove opposition supporting ballots from ballot boxes in marginal constituencies. In the second, they might alter or replace ballots, converting opposition votes to government ones. In the third, they might simply add more ballots that support the government.
A relatively simple measure could protect against the first two possible attacks. When a person votes, they could be given a random string of characters. One copy would get printed on their ballot, another would be theirs to keep. Then, once the ballots had been tabulated, a list could be posted on the internet. Sorted by electoral district, it would list the various options people could have chosen, the total number of people who chose each, and a list of the random strings that each person brought home. The importance of the random string is that it preserves the integrity of the secret ballot. Because each string is generated using a random number generator, no string can be tied to an individual. Only the copy given to the voter allows them to check that their vote was properly counted.
Under this system, if I voted for Candidate A and got the string “GHYDMLKNDLHFL,” I could check the list under Candidate A on the website and ensure that my vote was counted for the right person. If my vote hadn’t been counted, my string wouldn’t be anywhere on the list. If it had been miscounted, it would appear in the wrong place. People who found themselves in that situation could complain to the electoral authority, the media, and foreign observers.
The system remains vulnerable to an attacker adding new ballots in support of their candidate, but only to a certain degree. Provided there are some independent observers watching the polling station, the approximate number of people who voted can be pretty easily determined. If the number of votes listed on the website is well in excess of that number, it can be concluded that fraud has occurred.
None of this is any good against a government truly committed to rigging an election; they will always be able to brush off complaints from foreigners and the media, and they will rig the electoral authority. At the same time, it would make rigging more difficult and increase public confidence in the electoral system in any state that implements it. Being able to see your vote listed in the appropriate place may also make elections feel more concrete and personal.
The system does create some new risks. Attackers might force voters to share their random string. If they did so, they could determine who an individual voted for: a worrisome prospect in situations where people could be threatened to vote in one way or another. Likewise, having confirmation that a vote went one way or the other could make vote-selling a bigger problem. With a standard ballot, there is no way to know whether a paid voter actually voted the way they were paid to vote. These additional risks should be borne in mind in the context of any particular election or state. In some cases, they could make the dangers of this approach outweigh its benefits. In most places, however, I suspect it would be beneficial and relatively inexpensive.
Some previous posts on electoral security:
In places where most people do not have internet access, a text messaging system could be set up for mobile phones.
This is not a bad idea. It would probably be quite rewarding to see one’s string in such a list.
Did you come up with this idea? If so, send it in to The Times and get it more publicized.
Other people have certainly had similar ideas before, some of them much more elaborate. There is some kind of triple ballot system that provides cryptographic verification of your vote. This seems simpler, though the other systems may have advantages that justify their higher complexity.
A nice idea, and simple. The only problem with this is that it opens up doors for vote-selling and voter coercion.
Consider: Tony Soprano wants to make sure that his buddy Guido gets elected to the city council. Guido is running against Bruce Wayne (yeah, I mix my pop-culture references).
Tony goes out and finds a group of 150 people and tells them to vote for Guido. After they get back from the polls, Tony confiscates each of their receipts, writing down the name of each person on his or her receipt. That night, after the votes are counted, Tony checks to make sure that all 150 of the ticket strings are listed under Guido’s name. If one of those strings shows up under the name of Bruce Wayne, well– Tony has the name of the offending voter…
The same idea applies to buying votes. Bring me a ticket with a string that shows up under my name, and I’ll pay you $500.
Paul,
Would it work if the system also gave you the string for a random person who voted on the other side? That would make it possible for anyone to fake it in a ‘vote buying’ scheme, thus making it non-worthwhile for those running it.
A third approach to the idea of encrypted ballots is called Scantegrity II. It was designed by David Chaum, a computer scientist and cryptographer who, among many other things, invented the idea of digital cash. Instead of putting a cross next to the candidate’s name, a voter fills in an oval-shaped space, known as a bubble, next to the name. So far, that is similar to one widely used American system. However, in the case of Scantegrity the voter does not use an ordinary pen, but a special one with “ink” that reacts with a pattern of two chemicals printed inside the bubble.
One of these chemicals darkens the whole bubble, so that its position (and thus the candidate voted for) can be recorded by a standard optical-reader. The other becomes visible in a contrasting colour to reveal a previously invisible three-character code, derived from a random-number generator. Since the optical readers employed by this system do not have character-recognition software, this code cannot be read by the vote-counting machine. But it can be noted by the voter on a detachable receipt at the bottom of the ballot paper. He can then, if he wishes, check things are in order by entering the serial number of his ballot paper into a website set up for the election. It should respond with the appropriate code. If the code does not match, something is awry, and an investigation can start.
Maryland Town Tests New Cryptographic Voting System
“In Tuesday’s election voters in Takoma Park, MD used a new cryptographic voting system designed by David Chaum with researchers from several universities including MIT and the University of Maryland. Voters use a special ink to mark their ballots, which reveals three-digit codes which they can later check against a website to verify their vote was tallied. Additionally, anyone can download election data from a Subversion repository and verify the overall accuracy of the results without seeing the actual choices of any individual voter.”