Agreed. There are a couple of other papers as well.
The problem is they are far too complicated to explain to voters which makes them unlikely to be adopted and unlikely to be trusted. Having a secure vote is obviously the primary goal, but having a vote that people trust is pretty important too.
This is all totally irrelevant - I speak as a former candidate for both the UK and Scottish Parliaments.
The count needs to be verifiable, and needs to be simply comprehensible.
The paper process has the following check points:
* the ballot box is seen to be empty at the beginning of the process
* the turnout can be collected and collated by the candidates nominees during the day
* the first count is the ballot count which the candidate's nominees can check against the recorded turnout
* the papers are sorted for the second count, publically - and the candidates nominees do what is called 'a box count' from which we can predict the final result
* the ballots are bundled and tallied in public
* disputed papers are agreed by the candidates and the candidates representatives
* the candidates have an automatic right of recount if the margin is below a certain amount, and at the returning officers discretion otherwise
On top of that we have collected voter id information and Reading cards so we can estimate the result based on the marked register after the event.
What this means is that not only is the result verifiable, it is publicly verifiable by almost anyone with basic high school maths.
The reason this is important because I have worked elections with Nazi candidates - and I worked in Belfast when the civil war was on and the degree of trust across the political communities was very low.
The critical purpose of the public count is not to establish who has won the election, but to bind the losers, and their voters into the result.
If I had to stand up on a platform and the Nazi said "they used these machines to take away our vote" and my only response is to start talking about how there are some papers that show if you have hard to factor prime numbers you can generate some low-collision hash or some other random klingon space talk, then it is game over.
The proportion of the UK who withdrew their consent to be governed during the 30 years of the war in Ireland was less than 1% - rising to 10% of Northern Ireland. Making it easy for a tiny number of people to be pulled out of consent by political extremists is crazy, crazy, crazy.
The 2007 Scottish Parliament election in the UK had a crappy ballot (edited originally said 9% which was wrong an error rate 4 times higher than expected - think of Florida's hanging chads across the whole country). If 26 votes had gone another way in one constituency we would have had a Labour Government not a Scottish National Party one.
This ballot paper was combined with electronic counting and it was a total shambles.
As a tallyman on the night I could not endorse or verify the result at all - we had no idea what the result was - except what the machine said it was. Everyone was all geared up for legal challenges - but the leadership of the two parties got together and agreed that everyone should walk away and we would let the chips fall as they did.
I never want to see that again - and we don't hate each other in Scotland like you American's do.
Paper ballots, paper counting is the way to go. (Don't get me started on how your electoral boundaries operate - or the fact that you don't have an independent electoral commission).
I strongly agree with everything you said, and am thus interested in learning more. I had no idea the Scottish election was so ridiculously bad. Is there anyone campaigning against this in the UK I can donate money to, or lend my support to?
Paper ballet (and the process you outlined behind it) is important to prove beyond all reasonable doubt to the losers and their voters that the election was fair. The primary purpose of an election is to be seen as fair. Any reasonable doubt at all and legitimacy is quickly eroded and then you may as well not have bothered with democracy at all.
On reading it I see that I have misrepresented the figures from memory:
2.88% of regional/list ballots were invalid
4.075% of constituency ballots were invalid
1.83% of local government ballots were invalid
These were against a historical spoilt paper rate of about 0.66%
(I have edited the original post to correct it)
The regional and constituency ballots were on the same physical piece of paper and if you voted a full ticket (eg SNP/SNP or Labour/Labour) there was only one way to do it.
For small parties (Greens, SSP) which only ran on the regional list you had to split the ticket. And there was one valid way to vote Labour/Green and one invalid way - so the small parties were much more liable to get invalid votes. The number of independent/small party MSP's was lower than expected.
Yup. I'm totally, utterly against electronic voting of any form.
I'll weakly support ballot optical devices at poll sites in many USA jurisdictions, because our ballots can be quite complicated, until someone shows me that hand counting is generally feasible. With 30 issues on a ballot, sort / stack / count can get ugly.
Aside: Thank you for your work on elections. I wish more geeks would actually work an election, or at least observe, before spewing about how to fix voting systems.
The key observation is that, since counting votes is an inherently distributed problem (with a comparatively simple centralized step at the end), you can always deal with it by adjusting the number of polling stations.
I can speak for what happens in Portugal. We use the d'Hondt system with paper ballots, and it is not uncommon to have around 15 candidates on a ballot in certain elections, though we have no write-ins - only one checkbox per candidate.
In the last elections there were about 4,000 polling stations. Since about 6,000,000 people are allowed to vote, this is around 1,500 people per polling station on average (obviously, the distribution is not uniform). Turnout seldom exceeds 50%, so in practice the number of votes is much smaller.
Votes are counted by hand - no automation at all - at each polling station. Usually, within about 5-6 hours 99% of the votes have been tallied, with the remainder done with by the morning after.
I would say it is demonstrably workable to count votes by hand, even with a large number of candidates. I concede that write-ins may present a difficulty, but honestly: since (afaik) in the USA you can only vote on designated candidates, how difficult can it be to have all of their names appear on the ballot?
In the US, I think most places let you write in whoever you want. If they get enough votes, they win. Google "Lisa Murkowski".
The other problem is that unlike parliamentary systems, in the US we vote for multiple things and not which party/who your MP is. These are some of the things on the ballot:
1. President & VP
3. Congress Representative
5. Ballot measures
Unless each of these is on a different sheet of paper, counting them might be hard. Don't get me wrong though. I think that we should be using paper ballots. What does it matter if it takes 2 days instead of 1 to figure out who won.
> In the US, I think most places let you write in whoever you want. If they get enough votes, they win. Google "Lisa Murkowski".
Yes, I would imagine write-ins could complicate the situation considerably (thanks for the link, btw!) - though, if the proportion of write-ins is small, it probably won't matter much.
> The other problem is that unlike parliamentary systems, in the US we vote for multiple things and not which party/who your MP is.
This also happens in Portugal; we do use different pieces of paper (and different ballot boxes) for each of the positions we are voting for.
> I think that we should be using paper ballots. What does it matter if it takes 2 days instead of 1 to figure out who won.
Yes, I totally agree with you. There are more important things than a speedy count, and resilience to fraud is certainly one of them. And as far as costs go, they are probably dwarfed by the amount spent on the campaign. I really don't understand why anyone would be so eager to speed up the process, except for shady motives.
In Sweden people can also write whichever party they like and there are no problems counting those votes by hand. We get the preliminary result after 3 or 4 hours, and then they are all recounted the next day.
And, yes, we use one sheet of paper per election. On election day there are three separate elections (municipal, provincial, parliament) and optionally one or more referendums.
You have a much higher number of elected officials than we do in Scotland - we actually have the lower proportion of the population as elected officials in Europe - so I sympathise. Some of our elections use the de Hondt system which is a nightmare to count as well...
> I wish more geeks would actually work an election, or at least observe, before spewing about how to fix voting systems
Its the same every election - a hundred irrelevant cryptographically schemes...
> "So combinatorially, it's very likely my ballot will be utterly unique within my precinct."
I don't think this is true, since there's a massive correlation between ballot positions and they're not randomly distributed. Since the parties tend to take positions on amendments, bonds, and issues, that correlation extends to those as well.
There are certainly going to be unique ballots per precinct, and really tiny precincts like Hart's Location and Dixie Notch or whatever are subject to it too, but it's not "very likely" for the average US voter.
Unless you have an absentee ballot (e.g., everyone in WA state). You give your filled out (or empty!) ballot to the mafia to drop at the polling station, with the signed outer envelope (declaring under penalty of perjury that this is your vote), and collect your reward.
I dropped off my wife's ballot. It is totally normal for one person to drop off multiple ballots at the box. It would even be hard for you to notice multiple ballots being dropped. I did our two with one gesture.
The vote buying cow has already left the barn.
So it's far more important to let citizens verify that their vote was counted accurately, with some sort of anonymizing hash.
This entire thread is interesting because our typical programming instincts - making sure user actions are linked to user desires via digital signatures, etc - get completely thrown out the window when you talk about voting and secret ballots. You need to be able to ensure the voter is able to make their choice independently, without pressure or publicity - but you can not perform any kind of integrity check that would link the vote back to the voter.
Nicely said. I have been pondering the comments and wondering if there is an over riding problem. From my (less than perfect) understanding of the US electoral system, it is possible to have a president elected who has been voted for by considerably less than half of valid votes. This part of the systems seems more broken to a non-US citizen than a (hopefully) single voting machine being caught on camera breaking.
Nice to see Civitas would use a tamper evident log file (rolling temporal hash). Alas, generally, encoding the order of the ballots cast destroys voter privacy.
I stand by my earlier comment (cross thread): These crypto based voting systems rely on hash collisions to hide individual ballots within a herd of ballots. Because Civitas encodes votes as ranked preference (to support winner takes all, Condorcet, approval voting), there's even more information contained within each ballot, decreasing the likelihood of a hash collision, increasing the likelihood of inferring each voter's unique ballot.
Something did occur to me, however. Right now, all races are encoded onto a single ballot. Making it more likely that every ballot within a precinct is utterly unique.
But if each race was split onto its own ballot, then a crypto based voting system might be workable.
As loathe as I am to validate a crypto-based scheme in any way, these schemes aren't going away, no small part because the geeks keep pushing technological fixes for perceived societal problems. So I'm somewhat resigned that I should make the most of it, help make sure the worst parts are mitigated.
One way hash with secret salt would work. You enter a secret password as a salt and get a hash code from all your votes so you have a provable record your vote got counted that you can verify but no body can reverse to know it's you.
Then stick all the votes up on a server somewhere. Let us go and check our votes are in the list. We could then have informal verification and audits of the counts.
>you can't prove how you voted (i.e. so you can't sell your vote). //
I assumed that if anything it was to prevent people being pressured in to voting a particular way (eg an abusive spouse) - what' wrong with selling your vote, surely that's still democratic: you've chosen to accept a particular candidate based on the outcome for you.
Vote buying is not about a voluntary market in a tradeable commodity - it is about your boss not being able to say 'prove you vote my way or I will sack you' or your landlord saying 'prove you vote may way or I will evict you'.
Nonsense. Existing laws protecting employees from employer retribution (e.g. for sexual orientation, or religion, or...) are still enforceable (and the judgments for plaintiffs are large, too).
There is no reason to prevent someone from verifying that their vote was counted -- not vote buying (or the presumed ease thereof), not vote tampering or stuffing (really?), not potential outside coercion of any kind. Laws exist for all of these things already, and would not suddenly become unenforceable or ineffective in the presence of vote verification.
Coercive voting has disappeared because it is impossible for the coercee to prove to the coercer that they complied.
My granny used to tell of tying red ribbons (red being for the left) on the goats in the country and her mother getting a lift to the polls from the Tories (when women first got the vote) and voting Labour.
Verifying your vote cannot relate to ballot stuffing at all - so you can prove to yourself that you voted X, but I have 1,000,000 made-up votes for Y.
But it would only be handed over to the highest bidder if the individuals chose to hand it over ... which is how democracy is supposed to work isnt it? Arguably the current system favours a cadre of the super-rich already. People now can vote for whichever party will make them individually richer. It just seems to me like a logical extension of capitalist economics.
Voters can sell their vote with or without a receipt. Furthermore, they can sell with a reasonable degree of certainty (if the buyer demanded it) already by submitting to a lie detector test.
There is no valid reason, moral or technical, for preventing voters from verifying their votes were accurately counted, and verification does not enable any new crimes – but it does prevent the current crime where someone's vote is either miscounted or not counted at all.
If voters are given a receipt, buyers of votes can demand to see said receipt to verify they voted the correct way. boss/abusive family member/mafia can demand to see the vote receipt on threat of your job/safety/family returning safely tonight. The potential for a vote receipt means that these 3rd parties can reward/punish you based on the way you voted. Without it, they have no way of knowing if their coercion/blackmail worked or not.
Personally, I would like to have a receipt because I think the danger of my vote not having been recorded is greater than the danger of someone demanding my vote receipt off me.
What is this mythical lie detector you speak of? No trustworthy lie detector exists. If you disagree: does yours work for all mental variations (psychopaths, autism, retardedness, ...) and physical variations (Down syndrome, a score of other genetic abnormalities, ...)? Have you actually verified the research or trust someone who did?
No lie detector exists that is effective to the standards we demand in a court of law, but that doesn't mean there isn't one effective enough for the purposes of an organized crime syndicate looking to buy votes.
Make the receipt optional for each voter. Assholes will still be assholes regardless of the existence of receipts. If someone is extorting you to vote a certain way, I doubt the outcome of an election will affect your life very much. You have bigger problems.
What about, e.g. taking a video of your vote as the original Reddit poster did?
I think this verification may already be a reality. The alternative is to disallow any form of verification, as with the Reddit poster, but then we lose the ability to perform checks on the voting procedure, and would never have known about this current anomaly.
What's missing, though, is the proof that who you voted for is who the vote was internally counted for.
Due to anonymity you can't individually prove a confirmation number belongs to you - you could have found one on the street or made up some random number, but if 10000 people claim that their initial vote does not match the confirmed vote, it's worth looking into more carefully.
Incorrect. You can combine a personal secret code with the output of the vote-teller in order to determine who you voted for. The vote-teller would have no way of determining who you actually voted for without your personal code. Even more secure would be to have two personal codes, one a "real" code, which outputs the actual candidate you voted for, and one "duress" code, which outputs a candidate you didn't vote for(in case someone is holding a gun to your head to confirm you voted for their candidate)
Wouldn't the person with the gun just demand both codes? And typically a ballot has multiple offices to elect. Would you flip all of them for the "duress" code? It seems like it gets complicated really quickly.
There are all sorts of laws that protect us from various government abuses, such as requiring search warrants, trial by jury, freedom of speech, etc. Voter secrecy is a prudent safeguard along those same lines.
Ever dealt with a union election? That's exactly the problem with non secret ballots. You vote against unionization and thugs show up at your house. Union activists are among the most violent people around.
Gosh. Ever dealt with a union election? That's exactly the problem with non secret ballots. You vote for unionization and libertarians show up at your house. Libertarians are among the most violent people around.
But I don't know about 'union thug' being a myth: lots of actual violence back in the dark days of the last century. Carnegie brought in an army to bust up the union and it wasn't because they were meek lambs.
Which is trivially easy with the availability of camera-phones (just include your ID in the shot).
I know it's not foolproof as you could request a new ballot, but I'm guessing those buying votes aren't the smartest folk. Plus you'd be crazy to not accept the money upfront, as there's no way they're actually going to pay out after the fact and it's not like you can take someone to court for not upholding their end of an illegal bargain.
Well, you can verify that the receipt says your vote was counted correctly. That assumes you both trust the receipt system and believe that whatever tampering was done to cause your Obama vote to become a Romney vote couldn't have possibly also resulted in the receipt providing incorrect information as well.