What would be wrong with a voting machine assigning you a UUID that you can print out and verify your vote on a website where everyone else's 100 million votes are displayed?
When ballots are not secret, they can be influenced by social, political, or economic actors through punishment and reward. For example, voters in many places used to face extreme peril if they voted against the candidate picked by their social group, party, or union. This peril ranged from reduced social standing, to loss of employment, and even physical violence. As such coercion is contrary to the democratic objectives of an election, secret ballots were introduced to ensure ballots represent the free will of the voters.
There are mechanisms by which one could both keep the ballot secret and allow a public tally. But to avoid hacking, like the floating-point vote-value in GEMS outlined in another story, the system does require bullet-proof crypto.
Regardless of how the ballots are counted, I do believe there should always be paper backups, scanned, and filed so that citizens can examine them digitally and in person if necessary. With that system one could spot-check any suspected irregularity. Only with such physical redundancy would I trust digital voting systems at this point.
Sometimes there's no substitute for good old dead trees.
Article 21.3 of the Universal Declaration of Human Rights states, "The will of the people...shall be expressed in periodic and genuine elections which...shall be held by secret vote or by equivalent free voting procedures."[19]
Article 23 of the American Convention on Human Rights (the Pact of San Jose, Costa Rica) grants to every citizen of member states of the Organization of American States the right and opportunity "to vote and to be elected in genuine periodic elections, which shall be by universal and equal suffrage and by secret ballot that guarantees the free expression of the will of the voters".[20]
Paragraph 7.4 of the Document of the Copenhagen Meeting of the Conference on the Human Dimension of the CSCE, obligates the member states of the Organization for Security and Cooperation in Europe to "ensure that votes are cast by secret ballot or by equivalent free voting procedure, and that they are counted and reported honestly with the official results made public."[21]
Article 5 of the Convention on the Standards of Democratic Elections, Electoral Rights and Freedoms in the Member States of the Commonwealth of Independent States obligates electoral bodies not to perform "any action violating the principle of voter's secret will expression."[22]
You send it to the person who it belongs to. Then when they want to check if their vote went through properly, they can look up the vote that corresponds to their UUID.
Okay. What prevents someone else from accessing the UUID, either before or after it's sent to the person it belongs to? I could be missing something, but I think this is still vulnerable to coercion or vote selling.
Threats of physical violence? Bribes? There are ways to design the system that guarantee that the voter can verify they voted but can't prove who they voted for. No need to keep the UUID secret. It's very desirable to have a system that we can trust even if conditions aren't necessarily antagonistic.
BTW, thanks for engaging in this discussion. It's important and it's helping me rethink through all of this.
Those are problems with all voting systems. In the current system someone could threaten/bribe you to take a selfie with your ballot after it has been filled out.
Okay. I'll grant that there are likely ways to potentially coerce or sell votes in any system. If there are straightforward, inexpensive ways to make it more difficult to do so, we should.
The poll workers can and will force you to do that. They take great pride every election in telling the local TV news types doing human interest stories that taking pictures of ballots accomplishes little other than pissing off the 80 year old poll workers who now have to work even harder. Some probably do successfully slip thru the system.
Another option is making a fake ballot. The local newspaper used to helpfully publish their suggestion of how a devout left wing progressive would fill out their ballot. They're currently the establishment, so they're likely to be the largest problem, and it's solved right there.
You still have to trust the machine that prints it. Which, I will admit, is still better than the current system. However, there are public ledger voting systems with stronger anonymity guarantees. So, my opinion is that if we're going to do it all over again, we might as well do it right.
Good point. That'd be an issue with any verification system, isn't it?
Edit to add: If you can confirm that all of the ids are unique and that the total number of ids is correct, that would go a long way towards verification, along with checking arbitrary receipts against the results, regardless if the ids are pre-printed or printed afterward.
I'd prefer not having any printers involved though. Pre-printed ballots would work just fine and there's one less piece of equipment involved during the actual vote.
Systems that provide receipts effectively do this. There are some details to ensure that the receipt/verification system doesn't reveal the actual vote to prevent vote selling or coercion. See ThreeBallot[0], Scantegrity[1], and Prêt à Voter[2] for examples.
The machine could just give you the UUID of a previous vote for the same candidate, and change your vote to another candidate. Using an HMAC with a personal secret key would work.
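Added example, not code from any commenter or from a real voting system: it runs the public checks proposed earlier in the thread (ids unique, total correct) against the receipt-reuse trick from the last comment, first with plain UUID receipts and then with HMAC receipts. Assumptions: each voter holds a personal key and derives the receipt id as HMAC-SHA256 over a ballot serial; the keys, serials, ids and board entries are constructed.

```python
import hashlib
import hmac
from collections import Counter

def receipt_tag(voter_key: bytes, serial: str) -> str:
    """Receipt id bound to one voter: HMAC-SHA256(personal key, ballot serial)."""
    return hmac.new(voter_key, serial.encode(), hashlib.sha256).hexdigest()

def audit_board(board, expected_total):
    """Public checks anyone can run: ids unique, total matches turnout."""
    problems = []
    dupes = [i for i, n in Counter(i for i, _ in board).items() if n > 1]
    if dupes:
        problems.append("duplicate ids")
    if len(board) != expected_total:
        problems.append("total mismatch")
    return problems

def uuid_check(board, receipt_id, intended):
    """Plain-UUID receipt: the voter can only look the id up."""
    return dict(board).get(receipt_id) == intended

def hmac_check(board, voter_key, serial, receipt_id, intended):
    """Keyed receipt: first confirm the id is ours, then look it up."""
    mine = receipt_tag(voter_key, serial)
    if not hmac.compare_digest(mine, receipt_id):
        return "receipt is not derived from my key"
    recorded = dict(board).get(mine)
    if recorded is None:
        return "my ballot is missing from the board"
    return "ok" if recorded == intended else "my ballot was altered"

# Constructed scenario: Alice and Bob both vote X; the machine flips Bob to Y.
ALICE_KEY, BOB_KEY = b"constructed-key-alice", b"constructed-key-bob"

def uuid_scenario():
    board = [("uuid-0001", "X"), ("uuid-0002", "Y")]  # Bob's real entry is uuid-0002
    bob_receipt = "uuid-0001"                          # machine reuses Alice's id
    return audit_board(board, 2), uuid_check(board, bob_receipt, "X")

def hmac_scenario():
    alice_tag = receipt_tag(ALICE_KEY, "serial-A17")
    bob_tag = receipt_tag(BOB_KEY, "serial-B42")
    board = [(alice_tag, "X"), (bob_tag, "Y")]
    reused = hmac_check(board, BOB_KEY, "serial-B42", alice_tag, "X")
    own = hmac_check(board, BOB_KEY, "serial-B42", bob_tag, "X")
    return audit_board(board, 2), reused, own

if __name__ == "__main__":
    print(uuid_scenario())  # board audit is clean and Bob's lookup succeeds
    print(hmac_scenario())  # board audit is clean, but both of Bob's checks fail
```

The example covers only the receipt-reuse point; it does not address whether a keyed receipt keeps the ballot secret, which is the problem the receipt schemes named in the thread are designed around.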