If enough people cry foul to rule out a large group collectively lying or forgetting their confirmation numbers, fraud would be much easier to establish and localize. Moreover, requiring each independent database of votes to match to within some margin would also decrease the likelihood of fraud by requiring collusion between both organizations.
EDIT: Note that the confirmation number would be issued to you anonymously and sans receipt - there would be no way to prove your vote - you could have found some random confirmation number, and no recourse for a single citizen crying foul. The point, rather, is that if several hundred or thousand individuals noticed that their vote seemed to have changed, the likelihood that they were all making it up or forgetting their confirmation numbers would decrease substantially.
As an example, I worked with Michael Clarkson on an implementation of Civitas:
The problem is they are far too complicated to explain to voters, which makes them unlikely to be adopted and unlikely to be trusted. Having a secure vote is obviously the primary goal, but having a vote that people trust is pretty important too.
This system was designed by a couple cryptographers, one of them Ron Rivest of RSA fame. For details on this and a couple other simple voting systems, see here:
'DOZENS' OF COLORADO ROMNEY VOTERS CLAIM MACHINES CHANGED VOTES TO OBAMA
Actually, he'd be much less credible than an anonymous 4chan poster without video.
The trick to these systems is there's some one-way hash done. This requires a lot of ballots, with enough hash collisions to ensure one's ballot gets lost within the herd.
Alas, elections in the USA are precinct-based, typically 1 to 1,000 voters in size. And our ballots are complicated. My ballot this election had 20 issues.
So combinatorially, it's very likely my ballot will be utterly unique within my precinct. Meaning my ballot is not secret.
Edit: Clarification at end.
The count needs to be verifiable, and needs to be simply comprehensible.
The paper process has the following check points:
* the ballot box is seen to be empty at the beginning of the process
* the turnout can be collected and collated by the candidates' nominees during the day
* the first count is the ballot count, which the candidates' nominees can check against the recorded turnout
* the papers are sorted for the second count, publicly - and the candidates' nominees do what is called 'a box count' from which we can predict the final result
* the ballots are bundled and tallied in public
* disputed papers are agreed by the candidates and the candidates' representatives
* the candidates have an automatic right of recount if the margin is below a certain amount, and at the returning officer's discretion otherwise
On top of that we have collected voter id information and Reading cards so we can estimate the result based on the marked register after the event.
What this means is that not only is the result verifiable, it is publicly verifiable by almost anyone with basic high school maths.
The reason this is important is because I have worked elections with Nazi candidates - and I worked in Belfast when the civil war was on and the degree of trust across the political communities was very low.
The critical purpose of the public count is not to establish who has won the election, but to bind the losers, and their voters into the result.
If I had to stand up on a platform and the Nazi said "they used these machines to take away our vote" and my only response is to start talking about how there are some papers that show if you have hard to factor prime numbers you can generate some low-collision hash or some other random Klingon space talk, then it is game over.
The proportion of the UK who withdrew their consent to be governed during the 30 years of the war in Ireland was less than 1% - rising to 10% of Northern Ireland. Making it easy for a tiny number of people to be pulled out of consent by political extremists is crazy, crazy, crazy.
The 2007 Scottish Parliament election in the UK had a crappy ballot (edited: originally said 9%, which was wrong) - an error rate 4 times higher than expected (think of Florida's hanging chads across the whole country). If 26 votes had gone another way in one constituency we would have had a Labour Government not a Scottish National Party one.
This ballot paper was combined with electronic counting and it was a total shambles.
As a tallyman on the night I could not endorse or verify the result at all - we had no idea what the result was - except what the machine said it was. Everyone was all geared up for legal challenges - but the leadership of the two parties got together and agreed that everyone should walk away and we would let the chips fall as they did.
I never want to see that again - and we don't hate each other in Scotland like you Americans do.
Paper ballots, paper counting is the way to go. (Don't get me started on how your electoral boundaries operate - or the fact that you don't have an independent electoral commission).
I strongly agree with everything you said, and am thus interested in learning more. I had no idea the Scottish election was so ridiculously bad. Is there anyone campaigning against this in the UK I can donate money to, or lend my support to?
Paper ballot (and the process you outlined behind it) is important to prove beyond all reasonable doubt to the losers and their voters that the election was fair. The primary purpose of an election is to be seen as fair. Any reasonable doubt at all and legitimacy is quickly eroded and then you may as well not have bothered with democracy at all.
On reading it I see that I have misrepresented the figures from memory:
2.88% of regional/list ballots were invalid
4.075% of constituency ballots were invalid
1.83% of local government ballots were invalid
These were against a historical spoilt paper rate of about 0.66%
(I have edited the original post to correct it)
The regional and constituency ballots were on the same physical piece of paper and if you voted a full ticket (eg SNP/SNP or Labour/Labour) there was only one way to do it.
For small parties (Greens, SSP) which only ran on the regional list you had to split the ticket. And there was one valid way to vote Labour/Green and one invalid way - so the small parties were much more liable to get invalid votes. The number of independent/small party MSPs was lower than expected.
I'll weakly support ballot optical devices at poll sites in many USA jurisdictions, because our ballots can be quite complicated, until someone shows me that hand counting is generally feasible. With 30 issues on a ballot, sort / stack / count can get ugly.
Aside: Thank you for your work on elections. I wish more geeks would actually work an election, or at least observe, before spewing about how to fix voting systems.
I can speak for what happens in Portugal. We use the d'Hondt system with paper ballots, and it is not uncommon to have around 15 candidates on a ballot in certain elections, though we have no write-ins - only one checkbox per candidate.
In the last elections there were about 4,000 polling stations. Since about 6,000,000 people are allowed to vote, this is around 1,500 people per polling station on average (obviously, the distribution is not uniform). Turnout seldom exceeds 50%, so in practice the number of votes is much smaller.
Votes are counted by hand - no automation at all - at each polling station. Usually, within about 5-6 hours 99% of the votes have been tallied, with the remainder done with by the morning after.
I would say it is demonstrably workable to count votes by hand, even with a large number of candidates. I concede that write-ins may present a difficulty, but honestly: since (afaik) in the USA you can only vote on designated candidates, how difficult can it be to have all of their names appear on the ballot?
In the US, I think most places let you write in whoever you want. If they get enough votes, they win. Google "Lisa Murkowski".
The other problem is that unlike parliamentary systems, in the US we vote for multiple things and not which party/who your MP is. These are some of the things on the ballot:
1. President & VP
3. Congress Representative
5. Ballot measures
Unless each of these is on a different sheet of paper, counting them might be hard. Don't get me wrong though. I think that we should be using paper ballots. What does it matter if it takes 2 days instead of 1 to figure out who won.
Yes, I would imagine write-ins could complicate the situation considerably (thanks for the link, btw!) - though, if the proportion of write-ins is small, it probably won't matter much.
> The other problem is that unlike parliamentary systems, in the US we vote for multiple things and not which party/who your MP is.
This also happens in Portugal; we do use different pieces of paper (and different ballot boxes) for each of the positions we are voting for.
> I think that we should be using paper ballots. What does it matter if it takes 2 days instead of 1 to figure out who won.
Yes, I totally agree with you. There are more important things than a speedy count, and resilience to fraud is certainly one of them. And as far as costs go, they are probably dwarfed by the amount spent on the campaign. I really don't understand why anyone would be so eager to speed up the process, except for shady motives.
And, yes, we use one sheet of paper per election. On election day there are three separate elections (municipal, provincial, parliament) and optionally one or more referendums.
> I wish more geeks would actually work an election, or at least observe, before spewing about how to fix voting systems
It's the same every election - a hundred irrelevant cryptographic schemes...
I don't think this is true, since there's a massive correlation between ballot positions and they're not randomly distributed. Since the parties tend to take positions on amendments, bonds, and issues, that correlation extends to those as well.
There are certainly going to be unique ballots per precinct, and really tiny precincts like Hart's Location and Dixie Notch or whatever are subject to it too, but it's not "very likely" for the average US voter.
I dropped off my wife's ballot. It is totally normal for one person to drop off multiple ballots at the box. It would even be hard for you to notice multiple ballots being dropped. I did our two with one gesture.
The vote buying cow has already left the barn.
So it's far more important to let citizens verify that their vote was counted accurately, with some sort of anonymizing hash.
I did the same thing with my wife's ballot this morning, and I saw multiple other people dropping more than one ballot as well.
a) the secret ballot was introduced into the US (originally as the "Australian ballot") many years after the ratification of the Constitution
b) no amendment has prescribed it
I find it hard to quarrel with the judge. I do consider the secret ballot an excellent idea, but I don't see it as constitutionally mandated.
Nice to see Civitas would use a tamper evident log file (rolling temporal hash). Alas, generally, encoding the order of the ballots cast destroys voter privacy.
I stand by my earlier comment (cross thread): These crypto based voting systems rely on hash collisions to hide individual ballots within a herd of ballots. Because Civitas encodes votes as ranked preference (to support winner takes all, Condorcet, approval voting), there's even more information contained within each ballot, decreasing the likelihood of a hash collision, increasing the likelihood of inferring each voter's unique ballot.
Something did occur to me, however. Right now, all races are encoded onto a single ballot. Making it more likely that every ballot within a precinct is utterly unique.
But if each race was split onto its own ballot, then a crypto based voting system might be workable.
As loath as I am to validate a crypto-based scheme in any way, these schemes aren't going away, in no small part because the geeks keep pushing technological fixes for perceived societal problems. So I'm somewhat resigned that I should make the most of it, help make sure the worst parts are mitigated.
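The uniqueness argument running through this thread (a 20-contest ballot in a precinct of up to 1,000 voters, the objection that choices are correlated with party, and the one-ballot-per-race idea) can be put in numbers. This is an added example, not code from any poster or from Civitas; it assumes binary contests and a two-party model in which each voter follows a party line on each contest with probability `q` (an assumed parameter).

```python
from math import comb

def unique_fraction(classes, n):
    """Expected share of n voters whose full ballot pattern matches nobody else's.

    classes: (count, p) pairs meaning `count` distinct patterns, each cast
    with probability p. A voter with pattern probability p is alone in the
    precinct with probability (1 - p) ** (n - 1).
    """
    return sum(count * p * (1 - p) ** (n - 1) for count, p in classes)

def independent(k):
    """k binary contests, every pattern equally likely (no correlation)."""
    return [(2 ** k, 2.0 ** -k)]

def party_line(k, q):
    """Two opposed party lines; a voter follows theirs on each contest with
    probability q. Patterns are grouped by d = deviations from line A."""
    classes = []
    for d in range(k + 1):
        p = 0.5 * (q ** (k - d) * (1 - q) ** d + q ** d * (1 - q) ** (k - d))
        classes.append((comb(k, d), p))
    return classes

def compare(n=1000, k=20, q=0.9):
    """Constructed scenario: the thread's 20-contest ballot, 1,000-voter precinct."""
    return {
        "single ballot, independent choices": unique_fraction(independent(k), n),
        "single ballot, party-line choices": unique_fraction(party_line(k, q), n),
        "one ballot per race": unique_fraction(party_line(1, q), n),
    }

if __name__ == "__main__":
    for label, share in compare().items():
        print(f"{label:36s} {share:.4f}")
```

Under these assumed parameters, independent choices make almost every ballot unique, party-line correlation lowers that share but still leaves a large minority of voters identifiable by pattern, and per-race ballots drive it to effectively zero.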
Then stick all the votes up on a server somewhere. Let us go and check our votes are in the list. We could then have informal verification and audits of the counts.
I assumed that if anything it was to prevent people being pressured into voting a particular way (eg an abusive spouse) - what's wrong with selling your vote, surely that's still democratic: you've chosen to accept a particular candidate based on the outcome for you.
There is no reason to prevent someone from verifying that their vote was counted -- not vote buying (or the presumed ease thereof), not vote tampering or stuffing (really?), not potential outside coercion of any kind. Laws exist for all of these things already, and would not suddenly become unenforceable or ineffective in the presence of vote verification.
Coercive voting has disappeared because it is impossible for the coercee to prove to the coercer that they complied.
My granny used to tell of tying red ribbons (red being for the left) on the goats in the country and her mother getting a lift to the polls from the Tories (when women first got the vote) and voting Labour.
Verifying your vote cannot relate to ballot stuffing at all - so you can prove to yourself that you voted X, but I have 1,000,000 made-up votes for Y.
Besides just being distasteful, just handing over powerful positions in our society to the highest bidder seems like a formula for brazen abuse.
There is no valid reason, moral or technical, for preventing voters from verifying their votes were accurately counted, and verification does not enable any new crimes – but it does prevent the current crime where someone's vote is either miscounted or not counted at all.
Personally, I would like to have a receipt because I think the danger of my vote not having been recorded is greater than the danger of someone demanding my vote receipt off me.
Sure they do: use a lie detector and ask them.
Honestly, the situation you describe is the problem, not the presence or absence of verifiable voting. If you've got the mafia threatening your family, voting is the least of your problems.
What happens when I stuff the ballot box with a million non-existent votes?
Oh, so you voted correctly and you can prove it. Whoopy do!
> Let us go and check our votes are in the list. We could then have informal verification and audits of the counts.
You have the square root of bugger all - the integrity of the total count is what counts - not the individual votes.
Vote stealing and ballot rigging is a well understood human phenomenon - it is a solved problem.
Sprinkling some poorly thought out computer pixie dust on it is not even the beginning of an answer.
I think this verification may already be a reality. The alternative is to disallow any form of verification, as with the Reddit poster, but then we lose the ability to perform checks on the voting procedure, and would never have known about this current anomaly.
What's missing, though, is the proof that who you voted for is who the vote was internally counted for.
Due to anonymity you can't individually prove a confirmation number belongs to you - you could have found one on the street or made up some random number, but if 10000 people claim that their initial vote does not match the confirmed vote, it's worth looking into more carefully.
That'd be a felony in Wisconsin, presumably for that sort of reason. http://www.nbc15.com/home/headlines/Wisconsin_GAB_Is_Felony_...
Another possibility is to make the duress an option. You can fill out a fake ballot for your duress code if you want, but you aren't forced to (since most people don't need to worry about it).
So that people can't bribe or blackmail you into voting a particular way.
The ones I know are well armed, but about as non-violent as you can be and not be a Quaker.
The point is: Neither has he encountered union thugs beating somebody up because he was against unionization. It's a ridiculous myth.
But I don't know about 'union thug' being a myth: lots of actual violence back in the dark days of the last century. Carnegie brought in an army to bust up the union and it wasn't because they were meek lambs.
No, it was irony.
I know it's not foolproof as you could request a new ballot, but I'm guessing those buying votes aren't the smartest folk. Plus you'd be crazy to not accept the money upfront, as there's no way they're actually going to pay out after the fact and it's not like you can take someone to court for not upholding their end of an illegal bargain.
For example, voting machines could drop duplicate receipts into a bucket that voters are free to rummage around in.
The voter must retain her vote (A or B) in human memory, which cannot be externally verified, except by brain scan, etc... but that detail is rather unsolvable.
Punchscan is a bit impractical for verifying large ballots, but large contested ballots are rare.
I wonder what (if any) pitfalls it has, other than the increased complexity and less obvious correctness (i.e. it would be hard to convince a non-mathematically inclined person that it works properly).