If I understand correctly: The idea is to scan every ballot, and upload all scans to a public website. The system preserves anonymity because voters are not required to write their names or other PII on the ballot paper.
I still have lots of questions:
1. Doesn't this system raise the possibility of coercion? For example, a goon or abusive spouse might, under threat of violence, force you to vote in a certain way and mark your ballot for them to audit afterwards. Isn't plausible deniability also one of the key desiderata of the election process?
2. The system allows me to mark my ballot paper and confirm that my vote was correctly counted, after the fact. But I still need to trust all the other votes uploaded to the website. Of course, the presence of independent election observers (who watch the counting process and the ballot boxes being moved around) would mitigate this fear.
I still think a serialized ballot is the way to go. Upon verification of identification at the polling place, a ballot is printed with a random serial number and given over. Those serials are kept until after the count, and any serial number not in that master set should be examined for fraud.
Do we have a cryptographic protocol for verifiable elections yet? Where someone can be assured their vote was counted (and counted correctly), but cannot be coerced, nor prove, whom they voted for?
Yes, several. A particularly interesting one is Scantegrity [1]:
> Scantegrity is a security enhancement for optical scan voting systems, providing such systems with end-to-end (E2E) verifiability of election results. It uses confirmation codes to allow a voter to prove to themselves that their ballot is included unmodified in the final tally. The codes are privacy-preserving and offer no proof of which candidate a voter voted for. Receipts can be safely shown without compromising ballot secrecy.
> Scantegrity II prints the confirmation codes in invisible ink to improve usability and dispute resolution. As the system relies on cryptographic techniques, the ability to validate an election outcome is both software independent as well as independent of faults in the physical chain-of-custody of the paper ballots. The system was developed by a team of researchers including cryptographers David Chaum and Ron Rivest.
It works with the common "fill in the bubble" paper ballots that can be counted by simple optical scanners (or by hand). The only extra hardware you need to add it to an existing "fill in the bubble" system is that you have to use a special marker to fill in the bubbles.
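As an added illustration (not part of the thread, and not Scantegrity's actual protocol or code), this toy Python model sketches the confirmation-code idea quoted above: every ballot gets its own random code per candidate, the voter's receipt is only (serial, code), and anyone can compare it with the public board. The salted-hash commitments, the class and function names, and the sample candidates are assumptions made for the example.

```python
import hashlib
import secrets

CANDIDATES = ["Alice", "Bob", "Carol"]  # constructed sample contest


def commit(serial, candidate, code, salt):
    """Salted hash commitment to one bubble's code (assumed scheme)."""
    data = f"{serial}|{candidate}|{code}|{salt}".encode()
    return hashlib.sha256(data).hexdigest()


class Authority:
    """Toy election authority: keeps code tables secret, publishes the rest."""

    def __init__(self, serials):
        self.table = {}        # secret: serial -> {candidate: (code, salt)}
        self.commitments = {}  # public before polls open
        self.board = {}        # public after polls close: serial -> code
        for s in serials:
            codes = set()
            while len(codes) < len(CANDIDATES):  # distinct codes per ballot
                codes.add(secrets.token_hex(3))
            row = {c: (k, secrets.token_hex(16)) for c, k in zip(CANDIDATES, codes)}
            self.table[s] = row
            self.commitments[s] = sorted(commit(s, c, k, n) for c, (k, n) in row.items())

    def cast(self, serial, candidate):
        """Marking a bubble reveals its code; the receipt is (serial, code)."""
        code = self.table[serial][candidate][0]
        self.board[serial] = code
        return serial, code

    def tally(self):
        counts = dict.fromkeys(CANDIDATES, 0)
        for s, code in self.board.items():
            for c, (k, _) in self.table[s].items():
                counts[c] += (k == code)
        return counts


def voter_check(board, receipt):
    """Voter: is my ballot on the public board with the code I wrote down?"""
    serial, code = receipt
    return board.get(serial) == code


def audit(serial, opened_row, commitments):
    """Anyone: does an opened, unvoted ballot match what was committed?"""
    opened = sorted(commit(serial, c, k, n) for c, (k, n) in opened_row.items())
    return opened == commitments[serial]
```

Because the codes are drawn independently for every ballot, a receipt shown to a third party names no candidate; only the authority's secret table links a code to a choice.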
we can’t keep chasing the approval of the most paranoid, many of them quite literally will never ever be satisfied.
the number of times throughout our day we trust and rely on something done by another human numbers in the thousands.
too many people have this weird fantasy that we can somehow have (or even need) “zero trust”, and for almost anything this is a fantasy of the paranoid and not at all based in coherent reality.
and even more importantly, even if we could, for soooo many things “zero trust” wouldn’t solve the problems anyway.
I have a coworker that is terrified of elevators, claiming them unsafe and that they're death traps, and takes the stairs up three stories to the office multiple times per day. He couldn't explain why he trusted the stairs or building more than the elevator, but his gut just tells him the stairs are safer and elevators are death traps.
He's also a firm believer that ballots are all fraudulent and so he doesn't vote because it wouldn't matter, the new world order has decided who is going to win years ago.
He will never believe differently, and he's a very rational person in other areas of his life and is a very talented developer. We can build a CPU with billions of gates and yet we can't safely pull a box up on a cable. I will never understand.
Tell your coworker that there is one thing you can do to make yourself safer in an elevator: If ever the elevator stops between floors with the doors open, do NOT attempt to climb out of the elevator.