It would seem impossible to offer election confidence to the majority of people without a simple system that has this property.
If kidnapping and torture are on the table for your threat model. I think most people's voting record could be figured out with near 100% accuracy if they get access to your computer logins, emails, hacker news account, and all your social media accounts. Which according to your coercion model, they totally could. No need to go after your vote token specifically.
So unless the voting system singles you out in particular (which a random token wouldn't. Every vote would have one). Ruling it out as a solution because of a super low probability scenario seems like a misattribution of probability in the face of clear value (ie. easy and private verifiability by all parties).
Having secure elections is how we create a world where no one has to worry about coercers coming after them.
* In traditional families women will effectively lose their vote.
* Vote buying becomes possible.
* fellow party or church members start to check the votes.
The ability to use smartphones to take pictures in ballot box is already threatening secret ballot. Let's remove secret ballot so that we can have secret ballot is not valid solution.
> In traditional families women will effectively lose their vote.
People can lie. That's the only recourse they have today right? Would producing a "plausible deniability token" to show to adversaries suffice here to provide usable cover?
> Vote buying becomes possible.
This is already possible. Though you are right that it is not strictly verifiable today. But I would argue that we lack data on how many people would take money to vote X in todays system, and then vote Y instead and lie about it. If this set is tiny, then this problem doesn't grow much does it?
> fellow party or church members start to check the votes
This should simply be illegal. Bright line. Your vote is private and no-one or organization shall be allowed to force you to disclose it.
It seems again like the arguments here are sort of baby/bath water. There are outlier problems preventing this from being perfect. Yes. But the benefit of a truly verifiable election would inoculate us against mass election hacking. Which increasingly seems like a genuine threat we need to deal with. Are the outlier problems not worth the price of preserving democracy?
These are not outlier problems. I have been election official in Finland and it's not rare to see husband trying to make his wife to show the ballot. Smartphones are already creating problems that are hard to quantify.
The real solution comes from doing basic things right. Electoral observation can be improved. Paper ballots standard where ballots can be quickly counted using electronica counters from multiple suppliers (different parties can bring their own) can make voting both secure and safe.
The way I think about this though is that we should view these concerns as needing tailored (sometimes orthogonal) solutions. There is an analog here to testimony in court. Defendants have the right to know the evidence against them. Including the identity of witnesses and the nature of their evidence and statements. This often puts witnesses at risk for retribution. It's a huge problem. But do we do away with requiring this kind of evidence disclosure? Not having it makes it easy for evidence to be fabricated without consequence. And for defendants to not know who or what is being used against them in court. This would potentially have even more dire repercussions. So currently, we find other ways to help ensure the safety of witnesses and accept this major issue.
In the same way we might find other solutions to the issue of Spousal pressure. Opt-in voting receipt print outs. Support programs for domestic abuse, etc...
This is for sure a problem. And maybe even a major one (like witness safety). But overall, the alternative of having insecure and unverifiable elections is increasingly seeming like the more important issue to address. Most complex systems are about balancing tradeoffs. And it should be unsurprising, that a stable election system is too.
Whereas we know that there are (patriarchal) religious groups that apply huge pressure
Software can never prevent mass election hacking, as hardware can always deliberetly miss-implement your algorithm.
I'm also curious what is supposed to happen if you go check, and your vote doesn't match. Sure, the government investigates, but, a, why would you trust the government, and b, why would they trust that you weren't simply paid to cast doubt on the election?
I agree, but it's not necessary to kidnap the person. It's a scary word.
A personal token makes this too easy. For example, you can be "encouraged" to send an email to email@example.com with your national ID number and your token. Or the day after the election, in each office at work everyone can just meet and show their token while cheering for the current government.
I guess that in a some society people is more careful with the things they post and the things they like in fb, and the things they say in public. At least the vote can be (almost) secret, and they can disagree safely.
> you can be "encouraged" to send an email to firstname.lastname@example.org with your national ID number and your token
Would the system providing some sort of plausible deniability token give enough cover for this? Is this a problem at scale?
Also... they can do this to you for your email, and social media logins too right?
> Or the day after the election, in each office at work everyone can just meet and show their token while cheering for the current government.
I don't understand why this is fundamentally different than todays world where people wear MAGA hats or drive around with Obama/Biden bumper stickers. Sure it's not cryptographically verifiable. But it's certainly "good enough" for all practical purposes.
If each one has a secret passphrase, nobody can verify that the total is calculated correctly.
If people can choose their own passphrase, they can be forced to use one. I like "Fr33dom!"
If the passphrase is calculated automatically, just make the combination of the token with a different passphrase generate a nonsensical result (if you have 10 parties, generate a number between 1 and 100000 for security reasons), so people can't lie. And make people send the email with the national ID, token and passphrase.
Here in Argentina the old method (100 year ago) to vote was that everyone go to the local voting site, and everyone vote in public raising their hand, someone count the votes and send the result to the central location. (The historical details may be inaccurate. But it was something similar.)
Obviously, people can be forced to not go to vote, or people that voted against the local political chief can be pressure to change their votes, or never vote again, or just hit until they understand their error.
It was a long fight to get secret votes, some people even died for the right of a secret vote. I guess other countries have similar stories.
It's difficult to imagine the problems without a recent similar story in your own country. Let's assume you are from USA. Just imagine that during McCarthyism people that were requested testify in the committee has to first say their national ID, token and passphrase to be sure that they didn't vote for the Communist party. Anyone that refuses gets blacklisted automatically for national security reasons.
Different threats require separate considerations for sure.
To be crystal clear. I'm still for secret voting, and being able to lie about your vote if you want to. But without an ability for the voter to verify their vote, you must trust the entities themselves that are holding the election. Both that they are acting in good faith. AND that they managed to secure the election against outside tampering. The very people that you are worried might compel you to declare your vote are the ones running the election systems themselves in many situations.
We need to be able to operate with less trust here, not more.
> If each one has a secret passphrase, nobody can verify that the total is calculated correctly.
It's possible we are misunderstanding each other. There would be a verifiable ledger. With opaque tokens for each vote. The total can be verified by counting. Just like normal. We could use our signature method of choice to sign and verify the integrity of each vote and all the votes. The body holding the election would be able to verify the total counts are correct and not tampered with.
For a specific vote, an opaque identifier that nobody except the voter can resolve, provides a mechanism for the voter to self verify their vote was counted in the way they expected.
A passphrase was just one idea to avoid printing the token on your vote receipt. But if we really want to go down the rabbit whole of having cover. There are many other ways to provide plausible deniability. You could opt to not get a print out of your token. And your deniability would be you don't have it, and you can simply lie about which vote is yours (even though you know the one that is yours).
> It was a long fight to get secret votes
I'm still saying we keep voting secret. What we are discussing is the ability for a voter to verify their vote was counted. But it's still meant to be secret. In fact, something analogous to the 5th amendment to the constitution could help enshrine the right to a private secret vote as a fundamental right.
> Just imagine that during McCarthyism people that were requested testify in the committee has to first say their national ID, token and passphrase to be sure that they didn't vote for the Communist party.
We make it a constitutional right to have your vote be secret. Make this clearly illegal. If you are worried about the central government not obeying laws, then nothing really helps you. The central government ultimately wields the final say in all matters here. They can put you to death if they like. A verifiable election system is meant to help ensure we never devolve to a government that does what you are worried about.
Ultimately all of your examples about being forced to declare things apply also to your credentials to your personal devices and online account. All of which contain more less enough information to both figure out what your vote was, and much more.