Provably Honest Online Elections are Possible
Posted by Daniel Larimer
Moving elections online is a very controversial subject because it is something everyone would like, but it is not trivial to implement in a provably honest manner. There are countless articles around the internet that thoroughly document how even electronic voting or vote counting is unverifiable and cannot be trusted. The worries about electronic voting are so strong that many people suggest that only a manually counted paper ballot system can be trusted. While many may be content to accept paper ballots as the “least bad option”, I would like to present a new approach that is provably honest.
Paper Ballots are not Provably Honest
Paper ballot systems are slow, expensive, and error prone even when no fraud is at play. People have been rigging paper ballot systems since they were invented. At a small scale paper ballot elections can appear to be honest to most people’s satisfaction only because everyone thinks they can observe the entire process. Once the system attempts to scale beyond a couple hundred people things start to break down. You end up having to rely on others to observe on your behalf. You end up with recounts and fake ballots. In effect, the system can no longer be accepted as honest beyond a reasonable doubt.
I would argue that a paper election can be fully rigged even at a small scale with 100 people in a room observing the entire process. It all comes down to the fact that magicians such as David Copperfield have perfected the art of illusion to the point that they can make cars appear from nowhere in front of a live audience. He can cause a dozen people to disappear from a raised platform with observers on all sides. We know this level of illusion is possible, and yet those who demand paper ballots like to pretend that no one would ever practice these techniques to make ballots disappear (or appear) from nowhere.
Whether or not you believe that there is a great conspiracy to rig paper elections, the fact remains that a provably honest online election is cheaper, more convenient, and therefore will allow more people to participate. Millions of people are denied an opportunity to vote because they have business travel, sickness, lack transportation, or are otherwise busy on election day.
Voting Machines cannot Be Trusted
If paper ballots with manual counting are flawed, then electronic ballots with automated counting are worse. It all boils down to one simple fact: the software and hardware are black boxes whose actual operations are unknowable. It would be like asking all of the observers of a paper ballot election to rely upon a video feed rather than direct observation. We know that it is much easier to do magic in front of a video camera than in front of a live audience.
There is no way to know whether or not the machines are accurately counting all paper ballots they scan. At the end of the day the voting machines are validated by manually counting a fraction of the ballots as a “spot check”. This manual validation is subject to the same kinds of illusion and deception as direct paper ballots and full manual counting.
The Real Problem
The reason provably honest elections are not possible under existing systems is because the very requirements placed upon the election process are flawed. I would go so far as to suggest that the “definition” of fair voting systems was crafted specifically to enable elections to be stolen regardless of what technique you use. If we want to create a provably honest system then we must first review the requirements that most people place on any voting solution:
Requirement #1 - Privacy
Elections are normally held because there is a controversial topic that needs to be decided. Peer pressure could bias election results if voters are unable to keep their vote a secret. Privacy is a good requirement and can be maintained in a provably honest system.
Requirement #2 - Unprovable Secret Ballot
This requirement is the one that undermines the ability to create provably honest voting solutions. The idea here is that all ballots are anonymous and may contain no identifying information that would allow someone to prove who they voted for. If you cannot prove to someone else that your vote was cast a certain way, how in the world are you going to prove it to yourself?
If we remove requirement #2, then, and only then, are provably honest elections possible. It actually becomes trivial and can be implemented with both paper and electronic systems. Every voter would know their secret ballot number and every voter would be free to examine all ballots. A voter would know their vote was included because they could uniquely identify their ballot and verify the vote was cast.
The Irrational Justifications for Unprovable Ballots
The requirement for unprovable ballots is not arbitrary, and if you attempt to remove this requirement you will quickly be bombarded with dozens of objections. These objections mostly boil down to two primary concerns: voter coercion and vote buying.
Voter coercion would happen if your union boss, friends, political party, church or local gang threaten to harm you unless you provide proof that you voted a certain way. For the purpose of this article I will assume physical harm is already against the law and moral code of society and that society as a whole would not tolerate widespread open violent coercion of voting.
Any organization that can violently coerce voters on such a wide scale will have the power to coerce the elected officials and government employees after they are elected. The general population will know the outcome of the election is not legitimate and that the government is not legitimate. This would entirely negate the purpose of elections which is to give the government the appearance of legitimacy and pacify the population. Without the appearance of legitimacy the government loses power and will eventually be overthrown.
Attempting to avoid voter coercion through the use of unprovable ballots is a red herring. It is just as easy to coerce likely detractors to stay home where their vote can provably not be counted. Whether you force someone to vote for you or prevent them from voting against you the outcome is almost the same.
Nonviolent coercion is another option that people fear. This takes the form of shunning. You can be fired from your job, kicked out of your church, or divorced by your spouse. There is nothing morally wrong with shunning; however, it can still be a powerful means of getting others to behave against their own beliefs.
Shunning would not change the outcome of an election because if the shunners are in the minority then their shunning power is limited; if they are in the majority then they will probably win the election anyway. Shunning can work both ways and in fact is the very thing that will prevent people from even asking to know your vote. A society that shuns anyone who demands proof of your vote is a society where an unprovable ballot system is unnecessary. Considering the widespread social acceptance of the need for secret ballots, it is unlikely to become socially acceptable to ask others to prove who they voted for. In fact it could be as taboo as asking someone for a naked photo as a condition of employment.
Vote Buying
Not all coercion is negative or passive, it can also be positive. People may even use a carrot and a stick at the same time. It never takes long for people to bring up the concern about vote buying. The theory is that unprovable ballots prevent people from selling their vote. Once again this argument holds no water upon closer inspection.
Let's assume that the large majority of people are honest individuals. If they make a promise in exchange for payment they can be trusted to fulfill that promise even if no one is looking. Under this assumption, someone looking to buy votes en masse can simply factor in some percentage of dishonesty. It could even be as high as 75% dishonesty. The dishonest individuals vote how they originally intended and thus can be removed from consideration. The remaining 25% that take the payoff are actually contributing to your attempt to buy the election. In a close election that could easily make all the difference in the world.
Paying people to vote a certain way may not even be the most effective approach. You can easily pay people not to vote if they are known supporters of your opponent. You can even prove that they didn’t vote by keeping them busy on election day.
So we can see that for all practical purposes hard evidence of your vote is not necessary to buy votes; therefore, designing a voting system around the requirement that this evidence shall not be possible is not solving any problems. It is the moral equivalent of putting a lock on a door next to an open window.
Vote Buying is OK
I have already shown that vote buying cannot be stopped, but perhaps trying to prevent it is another fallacy. What is wrong with selling your vote anyway? Perhaps there is something wrong with trying to stop someone from selling their vote!
People generally accept that no one may judge your reasons for voting as you do. If you want to vote entirely based upon the color of a candidate's skin then that is your right. If you are entirely uneducated and know nothing about the candidates or their policies it is still your right to vote based upon a coin toss. Why then do we presume that money is an unacceptable motivator?
In reality almost every election is about buying votes. Politicians make promises to redistribute taxpayer money in order to win votes. Most people who vote for a politician believe the promise and thus a politician buys a vote with an IOU that is easily defaulted on without consequence even though the vote is irreversible. A politician that pays you up front is at least honest and you are certain to get some benefit.
This brings up another reality about vote buying. Whether you pay before the vote or after the vote, one party must trust the other. If the parties attempt to draft a contract then it would be an unenforceable contract under the government courts. Without enforceability of the contract, vote buying falls back to the same trust-based system we have today. The parties would have to resort to crypto-currency smart contracts to have any kind of assurance.
A vote can be viewed as a property right. It is yours to control and cast as you see fit. If you attempt to restrict others from free exercise of their right then you become an aggressor.
Direct Vote Buying is Uneconomical
Even after showing that vote buying cannot be stopped and that attempting to stop it is wrong, it can still be argued that it is all irrelevant because there are more cost effective ways to get the same result.
Paying someone to vote against their own best interest is far more expensive than deceiving them into believing that it is in their interest. If I know a candidate will raise my taxes by $1000 per year, it will take more than $1000 to convince me to sell my vote. On the other hand if the candidate can convince me that paying an extra $1000 is actually in my best interest then he can get my vote “for free”. This is where the art of propaganda comes into play.
Attempting to pass a $1000 per year tax increase on a population largely against it would cost billions or trillions of dollars to “buy off” which would effectively negate the tax increase. Instead politicians convince you to vote for healthcare while understating the costs. In the game of propaganda it comes down to a battle of money. A well funded candidate can “buy” far more votes with a propaganda campaign than he could with direct cash payouts.
Once again we see that there is no compelling reason to make votes “unprovable”. I would go so far as to say that the arguments used to defend the unprovable ballot are an example of well executed propaganda designed to convince voters to reject the only truly accountable voting systems out there and support systems that are more easily corrupted in undetectable ways.
Provably Honest Online Elections
Once we eliminate the requirement that voters be unable to prove their vote to anyone, the process of designing a provably honest online election system becomes trivial. It can be broken down into the following basic steps:
Step 1: Uniquely Identify Eligible Voters
In this step an individual will generate their own private key and then present the corresponding public key to an identity verifier which will sign their public key along with pertinent information such as where the voter lives. The voter will have the same key verified by each candidate in the election along with some independent verifiers.
Step 2: Distribute Ballots Anonymously
In this step an individual submits to a registrar their identity public key, the signatures of multiple verifiers certifying their location, and a blinded token for the registrar to sign. Blinding is a cryptographic technique that allows someone to sign something without knowing what it is they signed and then later verify their signature on the token. If the location and identity are unique then the registrar signs the blinded token.
After getting their blinded token signed, the voter can generate a new private key for their ballot. They then submit their new key and the unblinded token back to the registrar which will verify that they did sign the token. The registrar will then sign the ballot.
At this point in time the voter has a signed ballot key that no one can tie to their real world identity. Neither the ID verifier nor the registrar can tie the voter's ballot key to their real world identity.
A voter would get their ballot key signed by one registrar representing each candidate. Each registrar (and therefore candidate) will know that all ballots are unique and belong to a verified and authorized voter but they do not know which voter.
Step 3: Sign and Broadcast Vote
The voter will take their signed ballot key and use it to sign a message indicating whom they would like to vote for. This message will then be broadcast to computers all over the internet which could include everyone in the world interested in validating the results.
Step 4: Count the Results
Every user will now have the ability to independently verify that every ballot is signed by the proper registrars and that every vote is properly signed and counted. Every voter can prove that their vote is properly counted because they have the power to sign a message that would change the vote. If every single vote was broadcast and committed to the public record using blockchain based time-stamping then it will become impossible for anyone to exclude votes or to come to an ambiguous conclusion.
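Steps 1 through 4 above, as an added Python sketch that is not code from the original post: textbook RSA blind signatures over constructed toy primes stand in for the blinding scheme, which the post does not name. The `Registrar` class, the `tally` function, the single registrar, the voter id string standing in for Step 1, and the rule that a later signed vote replaces an earlier one are all assumptions of this example.

```python
import hashlib, secrets
from math import gcd
E = 65537  # public exponent shared by every toy key below

def keypair(p, q):                 # textbook RSA from two primes -> (n, d)
    return p * q, pow(E, -1, (p - 1) * (q - 1))
def h(msg, n):                     # hash bytes into Z_n
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
def sign(msg, n, d):
    return pow(h(msg, n), d, n)
def verify(msg, sig, n):
    return pow(sig, E, n) == h(msg, n)

def blind(token, n):               # voter side: hide the token from the registrar
    r = secrets.randbelow(n - 2) + 2
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return h(token, n) * pow(r, E, n) % n, r
def unblind(blind_sig, r, n):      # strip the blinding factor from the signature
    return blind_sig * pow(r, -1, n) % n

class Registrar:
    def __init__(self, p, q):
        self.n, self._d = keypair(p, q)
        self.issued, self.spent = set(), set()
    def sign_blinded(self, voter_id, blinded):   # Step 2: one token per verified voter
        if voter_id in self.issued:
            raise ValueError("token already issued to this identity")
        self.issued.add(voter_id)
        return pow(blinded, self._d, self.n)
    def certify_ballot(self, token, token_sig, ballot_n):  # Step 2: token -> ballot key
        if token in self.spent or not verify(token, token_sig, self.n):
            raise ValueError("bad or reused token")
        self.spent.add(token)
        return sign(b"ballot:%d" % ballot_n, self.n, self._d)

def tally(broadcast, reg_n):       # Step 4: recount from public data only
    latest = {}
    for ballot_n, cert, choice, sig in broadcast:
        if verify(b"ballot:%d" % ballot_n, cert, reg_n) and verify(choice, sig, ballot_n):
            latest[ballot_n] = choice   # assumption: a later valid vote replaces an earlier one
    return {c: list(latest.values()).count(c) for c in set(latest.values())}

def demo():
    reg = Registrar(2**127 - 1, 2**89 - 1)               # constructed toy primes
    ballot_n, ballot_d = keypair(2**107 - 1, 2**61 - 1)  # voter's fresh ballot key (toy)
    token = secrets.token_bytes(16)
    blinded, r = blind(token, reg.n)                     # registrar only ever sees `blinded`
    token_sig = unblind(reg.sign_blinded("alice", blinded), r, reg.n)
    cert = reg.certify_ballot(token, token_sig, ballot_n)
    votes = [(ballot_n, cert, b"A", sign(b"A", ballot_n, ballot_d)),   # Step 3
             (ballot_n, cert, b"B", sign(b"B", ballot_n, ballot_d)),   # voter changes vote
             (ballot_n, cert, b"A", 12345)]                            # forged, ignored
    return reg, token, token_sig, tally(votes, reg.n)
```

Unpadded RSA and moduli of this size are for illustration only; a deployment would use a vetted blind signature scheme such as the RSA blind signatures of RFC 9474.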
Secure at the Informational Level
I have only scratched the surface on provably honest elections and will probably provide some follow-up posts that address this topic in greater depth. For starters I would like to explore the notion that this voting system isn’t about open source, it is about open information. You don’t need to trust the hardware, software, or any other product provided by a third party because the publicly available information is enough to validate the election. You could build your own hardware, write your own software, and verify every byte of information yourself. This goes far beyond open source because there are no “secrets” that need to be guarded for the system to be secure.
Hacking Individual Computers
Many people worry about the security of their computers and the effect that would have on an election. This system would be subject to ballot private keys being compromised which would allow the attacker to change individual votes. This is no different than the security considerations that people must consider when using crypto currencies. It is easy to see that crypto currency targets are far more valuable than compromising someone's vote. The crypto-currency community is rapidly advancing the ability for individuals to securely manage their keys.
If a private key were to be compromised a voter would be able to observe their vote change AND be able to change it back. People would be able to measure the degree of compromise and assess for themselves if it was greater than the margin of error in the election. This is far better than today's system where it is impossible to detect a compromise or the extent of the compromise.
When a hacker attacks an individual's computer, the likely outcome is that one vote is not counted. A voter would detect that they have been compromised when they see their vote change and they will revoke their ballot.
When a hacker attacks a polling place, the likely outcome is thousands of votes compromised without detection. The cost per vote of attacking a polling place is much cheaper than the cost of attacking thousands of individual computers.
Eliminating Mistakes
Each and every year millions of votes are not counted because of mistakes made by voters. Unfortunately voters don’t have any way of knowing that their vote was excluded because they filled out the ballot wrong. With online voting there are no malformed ballots and everyone can double check that they did it right.
Increasing Turnout
When you increase voter turnout by making voting easier you also increase the number of people you have to manipulate, buy off, hack, or otherwise compromise. The increase in turnout as a result of increased convenience would likely outweigh the number of votes “lost” because of a hack. The end result is a more accurate outcome.
Conclusion
No voting system is perfect and when people are involved there is always room for mistakes. What matters is the relative performance of the systems as well as the integrity of the result. It is my firm belief that voting from home with a transparent voting system is an order of magnitude more secure than any voting done at a polling place.
It is not who votes that counts, it is who counts the vote.