Submitted by brad on Thu, 2007-06-14 23:55.
In my series on the design of new voting systems, I would now like to discuss the question of high voter turnout as a goal for such systems.
Everybody agrees in enfranchisement as a goal for voting systems. Nobody eligible should find voting impossible, or even particularly hard. (And, while it may not be possible due to disabilities, it should be equally easy for a voters.)
However, there is less agreement about trading off other goals to make it trivial to vote. Some voting systems accept that there will be a certain bar of effort required to vote, and don’t view it as a problem that those who will not make a certain minimum effort — registering to vote, and coming down to a polling station — don’t vote. Other systems try to lower that bar as much as possible, with at-home voting by mail, or vote-by-internet and vote-by-phone in private elections. And many nations, such as Australia, even make voting compulsory, with fines if you don’t vote.
What makes this question interesting is the numbers. With 50% voter turnouts, or even less if there is not an “interesting” race, not having trivial voting “disenfranchises” huge numbers of voters. The numbers dwarf any other number in election issues, be it more standard disenfranchisements of minorities or the disabled, or any election fraud I’ve ever heard about. A decision on this issue can be the most election-changing of any. Australia has 96% voter turnout, and it had 47% turnout before it passed the laws in 1924 compelling voting. read more »
Submitted by brad on Mon, 2007-06-11 14:39.
Yesterday, I wrote about election goals. Today I want to talk about one of the sub-goals, the non-provable ballot, because I am running into more people who argue it should be abandoned in favour of others goals. Indeed, they argue, it has already been abandoned.
As I noted, our primary goal is that voters cast their true desire, independent of outside pressure. If voters can’t demonstrate convincingly how they voted (or indeed if it’s easy to lie) then they can say one thing to those pressuring them and vote another way without fear of consequences. This is sometimes called “secret ballot” but in fact that consists of two different types of secrecy.
The call to give this up is compelling. We can publish, to everybody, copies of all the ballots cast — for example, on the net. Thus anybody can add up the ballots and feel convinced the counts are correct, and anybody can look and find their own ballot in the pool and be sure their vote was counted. If only a modest number of random people take the time to find their ballot in the published pool, we can be highly confident that no significant number of ballots have not been counted, nor have they been altered or miscounted. It becomes impossible to steal a ballot box or program a machine not to count a vote. It’s still possible to add extra ballots — such as the classic Chicago dead voters, though with enough checking even this can be noticed by the public if it’s done in one place.
The result is a very well verified election, and one the public feels good about. No voter need have any doubt their vote was counted, or that any votes were altered, miscounted, lost or stolen. This concept of “transparency” has much to recommend it.
Further, it is argued, many jurisdictions long ago gave up on unprovable ballots when they allowed vote by mail. The state of Oregon votes entirely by mail, making it trivial to sell your ballot or be pushed into showing it to your spouse. While some jurisdictions only allow limited vote by mail for people who really can’t get to the polls, some allow it upon request. In California, up to 40% of voters are taking advantage of this.
Having given up the unprovable ballot, why should we not claim all the advantages the published ballot can give us? Note that the published ballots need not have names on them. One can give voters a receipt that will let them find their true ballot but not let anybody who hasn’t seen the receipt look up any individual’s vote. So disclosure can still be optional. read more »
Submitted by brad on Sun, 2007-06-10 11:02.
This week I was approached by two different groups seeking to build better voting
systems, something I talk about here in my new democracy
topic. The discussions quickly got into all the various goals we have for voting
systems, and I did some more thinking I want to express here, but I want to start
by talking about the goals. Then shortly I will talk about the one goal both systems wanted to
abandon, namely the inability to prove how you voted.
Many of the goals we talk about are actually sub-goals of the core high-level goals I
will outline here. The challenge comes because no system yet proposed doesn’t have to
trade off one goal for another. This forces us to examine these goals and see which
ones we care about more.
The main goals, as I break them out are: Accuracy, Independence, Enfranchisement,
Confidence and Cost. I seek input on refining these goals, though I realize there will
be some overlap. read more »
Submitted by brad on Thu, 2007-02-15 15:05.
A well known curse of many representative democracies is gerrymandering. People in power draw the districts to assure they will stay in power. There are some particularly ridiculous cases in the USA.
I was recently pointed to a paper on a simple, linear system which tries to divide up a state into districts using the shortest straight line that properly divides the population. I have been doing some thinking of my own in this area so I thought I would share it. The short-line algorithm has the important attribute that it’s fixed and fairly deterministic. It chooses one solution, regardless of politics. It can’t be gamed. That is good, but it has flaws. Its district boundaries pay no attention to any geopolitical features except state borders. Lakes, rivers, mountains, highways, cities are all irrelevant to it. That’s not a bad feature in my book, though it does mean, as they recognize, that sometimes people may have a slightly unusual trek to their polling station. read more »
Submitted by brad on Wed, 2006-11-15 15:07.
I’ve written before about one of the greatest flaws in the modern political system is the immense need of candidates to raise money (largely for TV ads) which makes them beholden to contributors, combined with the enhanced ability incumbents have at raising that money. Talk to any member of congress and they will tell you they start work raising money the day after the election.
Last year I proposed one radical idea, a special legitimizing of political spam done through the elections office. That will take some time as it requires a governmental change. So other factors are coming forward.
In some states and nations, efforts are already underway to have the government finance elections. The Presidential campaign fund that you contribute to whether you check the box on the tax return or not is one effort in this direction.
I propose that the operators of the big, advertising-supported web sites, in particular sites like Yahoo, Google, Microsoft, Myspace and the like join together to create a program to give free web advertising to registered candidates on a fair basis. This could be done by simply providing unsold inventory, which is close to free, or it could be real valuable inventory including credits for targetted ads.
Of course, not everybody reads the web all day, so this only reaches one segment of the population, but it reaches a lot. The main goal is to reduce the need, in the minds of candidates, to raise a lot of money for TV ads. They won’t stop entirey, but it might get scaled back.
Such a system would allow users the option of setting a cookie to provide preferences for the political ads they see. While each candidate would get one free shot, voters could opt-out of ads for specific candidates or races. (In some cases the geography-matcher would get it wrong and they would change the district the system think they are in.) They could also tone down the amount of advertising, or opt in or out of certain styles (flash, animated, text, video.)
It would be up to candidates to tune their message, and not overdo things or annoy voters, pushing them to opt out.
There can’t be too much opting out though, because the goal here is to deliver the same thing that candidates rely on TV for — pushing their message at voters who have not gone seeking it. If we don’t provide that, we’ll never cut the dependency on TV and other intrusive ads.
Allowing these ads to be intrusive seems wrong, but the real thing to do is consider the competition, and what its thirst for money does to society. Thanks to the internet, we’ve reduced the price of advertising by an order of magnitude. If the price of advertising is what corrupts the political system, it seems we should have a shot of fixing the problem.
Ads would be served by the special consortium managing the opt-out system, not the candidate, in order to protect privacy. So if you click on an ad for a candidate, the first landing page is not hosted by the candidate, but may have links to their site.
A system would have to be devised to allocate “importance” to elections. Ie. how many ads do the candidates for President get vs. those for state comptroller.
One risk is that the IRS or other forces might try to declare this program a political contribution by the web sites. If applied fairly to all candidates, we’ll need a ruling that states it is not a contribution. This is needed, because otherwise sites will balk at the idea of running free ads for candidates they dispise.
If the system got powerful enough, it could even make a bolder claim. It could only allow the free advertising to candidates who agree to spending limits in other media. On one hand this is just what most campaign finance reform programs do to avoid the 1st amendment. On the other hand, it may seem like an antitrust violation — deliberately giving stuff away not just to kill the “competition” but actually forbidding the candidates from spending too much with the competition.
This need not be limited to the web of course. Other media could join in, though the ones that already make a ton of money from political advertising (TV, radio) are not so likely to join.
This won’t solve the whole problem, but it could make a dent, and even a dent is pretty important in a problem as major as this.
Submitted by brad on Mon, 2006-07-24 12:57.
A proposal by a Stanford CS Prof for a means to switch the U.S. Presidential race from electoral college to popular vote is gaining some momentum. In short, the proposal calls for some group of states representing a majority of the electoral college to agree to an inter-state compact that they will vote their electoral votes according to the result of the popular vote.
State compacts are like treaties but are enforceable by both state courts and federal law, so this has some merit. In addition, you actually don’t even need to get 270 electoral votes in the compact. All you really need is a much smaller number of “balanced” states. For example perhaps 60 typically republican electoral votes and 60 typically democratic electoral votes. Maybe even less.
For example I think a compact with MA, IL, MN (42 Dem) and IN, AB, OK, UT, ID, KA (42 Rep) might well be enough, certainly to start.
Not that it hurts if CA, NY or TX join.
That’s because normally the electoral college already follows the popular vote. If it’s not going to, the race is very close, and a fairly small number of states in the compact would be assured to swing the electoral college to the popular vote in that case. There are a few exceptions I’ll talk about below, but largely this would work.
This is unlike proposals for states to, on their own, do things like allocate their electors based on popular vote within the state, as Maine does. Such proposals don’t gain traction because there is generally going to be somebody powerful in the state who loses under such a new rule. In a state solidly behind one party, they would be fools to effectively give electoral votes to the minority party. In a balanced state, they would be giving up their coveted “swing state” status, which causes presidential candidates to give them all the attention and election-year gifts.
Even if, somehow, many states decided to switch to a proportional college, it is an unstable situation. Suddenly, any one state that is biased towards one party (both in state government and electoral college history) is highly motivated to put their candidate over the top by switching back to winner-takes-all.
There’s merit in the popular-vote-compact because it can be joined by “safe” states, so long as a similar number of safe votes from the other side join up. The safe states resent the electoral college system, it gets them ignored. Since close races are typically decided by a single mid-sized state, even a very small compact could be surprisingly effective — just 3 or 4 states!
The current “swing state” set is AZ, AR, CO, FL, IA, ME, MI, MN, MO, NV, NH, NM, NC, OH, OR, PA, VA, WA, WV, and WI, though of course this set changes over time. However, once states commit to a compact, they will be stuck with it, even if it goes against their interests down the road.
The one thing that interferes with the small-compact is that even the giant states like New York, Texas and California can become swing states if the “other” party runs a native candidate. California in particular. (In 1984 Mondale won only Minnesota, and got just under 50% of the vote. Anything can happen.) That’s why you don’t just get an “instant effective compact” from just 3 states like California matching Texas and Indiana. But there are small sets that probably would work.
Also, a tiny compact such as I propose would not undo the “campaign only in swing states” system so easily. A candidate who worked only on swing states (and won them) could outdo the extra margin now needed because of the compact. In theory. If the compact grew (with non-swing states, annoyed at this, joining it) this would eventually fade.
Of course the next question may surprise you. Is it a good idea to switch from the electoral college system? 4 times the winner of the popular vote has lost (strangely, 3 of those have been the 3 times the winner was the son — GWB, Adams - or grandson - Harrison- of a President) the White House. The framers of the consitution, while they did not envision the two party system we see today, intended for the winner of the popular vote to be able to lose the electoral college.
When they designed the system, they wanted to protect against the idea of a “regional” president. A regional winner would be a candidate with extreme popularity in some small geographic region. Imagine a candidate able to take 90% of the vote in their home region, that region being 1/3 of the population. Imagine them being less popular in the other 2/3 of the country, only getting 31% of the vote there. This candidate wins the popular vote, but would lose the electoral college (quite solidly.) Real examples would not be so simple. The framers did not want a candidate who really represented only a small portion of the country in power. The wanted to require that a candidate have some level of national support.
The Civil War provides an example of the setting for such extreme conditions. In that sort of schism, it’s easy to imagine one region rallying around a candidate very strongly, while the rest of the nation remains unsure.
Do we reach their goal today? Perhaps not. However, we must take care before we abandon their goal to make sure it’s what we want to do.
Update: See the comments for discussion of ties. Also, I failed to discuss another important issue to me, that of 3rd parties. The electoral debacle of 2000 hurt 3rd parties a lot, with a major “Ralph don’t run” campaign that told 3rd parties, “don’t you dare run if you could actually make a difference.” A national popular vote would continue, and possibly strengthen the bias against 3rd parties. Some 3rd parties have been proposing what they call a “safe state” strategy, where they tell voters to only vote for their presidential candidate in the safe states. This allows them to demonstrate how much support they are getting (and with luck the press reports their safe-state percentage rather than national percentage) without spoiling or being accused of spoiling.
Of course, I think the answer for that would be a preferential ballot, which would have to be done on a state by state basis, and might not mesh well with the compact under discussion.
Submitted by brad on Thu, 2006-04-20 16:47.
We all know that racecar drivers wear jumpsuits plastered with the logos of the companies that have sponsored them.
Why not have the same system for members of the legislature? When they vote on bills, they would need to wear a suit with patches from Halliburton, Exxon, AT&T or any other companies that have given them major contributions. Larger contribution, larger patch.
Ok, not going to happen, but perhaps it’s less wild to suggest that as an alternative to having to register to donate money (which many people still feel is a violation of freedom of speech), we have politicians publish a list of all their donors, and the amount, for any given bill whom they feel have a special interest in the bill. They would have to say the top entries while voting, and publish a complete written list.
They would need to be liberal in listing contributors, because if a relationship were revealed later it would look bad, and possibly criminal. Ideally we would have a Caesar’s Wife approach, there they make sure to avoid even the appearance of impropriety.
Submitted by brad on Wed, 2006-01-18 18:28.
How often does it happen? There’s an important idea or action which is controversial. The bravest come out in support of it early, but others are wary. Will support for this idea hurt them in other circles? Is the idea against the “party line” of some group they belong to, even though a sizeable number of the group actually support it? How can you tell.
What the world needs is a way that people can register their support for something anonymously and learn how many other members of their group also secretly support it — but not who. However, once the support reaches a certain threshold, their support would become public. And not just public, but an actual binding committment to the support.
For example, Republicans may oppose the war, or the wiretapping, but are afraid to say so, even among their closer associates. What if really a lot of people feel that way, but nobody speaks up?
Now, obviously, you can do this with a trusted web site where people register and then can vote on issues. But you have to really, really trust the web site, because some of the positions such a system is designed to record are ones that could get you branded a traitor to the group. For issues like war, no web site could be trusted.
So can it be done cryptographically? Is there a way to do this in a public space? I think that with the use of things like Chaum’s blinding algorithms, and fragmented keys (So that a secret message can be decoded in the presence of N of M key fragments, but no fewer than N) it would be possible to create a club, give everybody fragments of everybody else’s key for a given message, and thus arrange that only after at least N votes of support arrive, everybody can decrypt the identities of the supporters. But it’s a bit messy, and might require new generation of keys for every question and various other complex logistics.
There is a particular danger as well. Opponents of a proposition might well pretend to be supporters, in order to bump the support number above the threshold and reveal who the “traitors” are. The opponents would make sure to record that their support was fake in some notarized location so they can renounce it when the names are revealed.
As such, in a governing body, it would be necessary to make the measures of support non-repudiable, which is to say they would be binding votes.
Say you wanted to have a vote to legalize gay marriage. There might be lawmakers who would support it, but could not do so publicly while it’s likely to lose. However, once it is assured to pass, they would accept making their support public — as is necessary in an open legislature. People would see the tally go up, and once it hit a majority the vote would pass. This stops people from pretending to support something just to unmask the real supporters.
Of course none of this prevents regular open support or opposition on things. Would the temporary secrecy cause risks due to some temporarily reduced transparency? And of course on failed propositions, the transparency would be permanent. (Or perhaps permanent until the person leaves office or dies or whatever.) Would it be good or bad that we knew that 30% of the house would vote to ban abortion if they could win, without knowing who they were?
Submitted by brad on Thu, 2004-11-04 15:31.
We see the talk of an America divided in 2, but in fact it's not. There are more viewpoints than that. Normally a 2 party system tends towards the middle, this election was unusual in having a larger than normal difference among the candidates.
But perhaps now is the time to take the Democratic energy and try to push it into a movement for real reform. Not ballot recounts, not crazy dreams that can never happen.
By that, I mean getting at least one state to move to a preferential ballot system, such as Australian "Instant Runoff," Approval or Cordorcet, with an unfortuantely complex additional rule for how to cast in the electoral college when done.
Reforming the electoral college is unlikely (though an interesting hack is discussed elsewhere in this blog). 3/4ths of states must ratify any change to the college, and the small states would need a big constitutional price in exchange for stripping themselves of the extra power they have in the college.
However, individual states can change how they select their electors through ballot resolution or legislative action. Entirely on the local level. Ballot resolution seems the simplest approach. The only thing standing in the way is that many voters get confused by instant runoff systems. Basic Condorcet is easy to understand, but the tiebreaker modifications are often hard to understand. Still, the Australians manage it.
The first effort will probably fail and only educate the public. Eventually, some state, probably a small one, will go over and have such a ballot. This in turn will start to educate the rest of the nation. The ideas, once understood, are good ideas, and will appeal to the populace. It's hard to argue against them.
However, the 2 major parties will _want_ to argue against them because they are bad for those parties. In many elections, there is somebody who won because there wasn't a preferential ballot. In particular, Bush in 2000 and (arguably) Clinton in 1992. (On the other hand, Bush the Elder arguably _lost_ because there was such a system, and thus might support it.)
That's why a ballot proposition is the right way to do this. read more »
Submitted by brad on Mon, 2004-11-01 03:19.
There has been much writing (including here) about problems with the Electoral College in the USA, and I've even proposed solutions such as a tiebreaking system for close votes. I also noted the amazing coincidence that in the 4 times the winner of the college lost the popular vote, 3 were the 3 times we had a son or granson of a President elected.
But I thought it might be worth exploring the merits of the college, even though most individuals want it abolished. (Though no smaller states want it abolished since it gives them disproportionate power.)
First of all, there is the "official" goal of using the college system. It requires the President, who must win a true majority of the college, to be popular in at least half, and probably more, of the country. The framers didn't want it to be possible for a candidate with extremely strong support in one particular region to win the Presidency.
Example: Say a candidate, coming from a particular region, had immense support in that region, getting 90% of the popular vote, and much lower support (10-25%) outside that region. Such a candidate could win the popular vote since all those votes in their own region would count, even though they are not a national candidate. To win the college, their "region" would have to contain half
the population of the USA.
(This is based on the traditional, but not required all-or-nothing allocation method, which states do because it makes candidates want very much to please them.)
I'm not a fan of some regions having more power than others because of the political legacy of how big states were. 2 senators for Wyoming and 2 for California is grossly unfair. However, the concept of federalism does require some protection for regions, so you don't get one region ruling the land at the expense of another, which can lead to seperatism.
Another benefit is election cost. Due to the college, candidates know to spend their election money only in undecided, "swing" states. As such, they can campaign with much less money. With a popular vote, or even a proportional electoral college, they would have to campaign everywhere. This of course has downsides in terms of fairness, but if they had to campaign everywhere they would have to raise even more money, and be more beholden to the special interests that gave it.
Submitted by brad on Sun, 2004-09-26 15:28.
A lot of our democratic process involves our elected officials voting and presiding over things that voters are not going to change their vote over. Oh, they are important things, and the voters actually do care about them, but they are not going to change many votes.
That's especially true now. In deciding whether to re-elect your congresscritter, is how they voted on say FCC spectrum policy going to make a difference to you, compared to their stance on bigger issues like the war and the economy? Even when spectrum policy matters a lot to you?
The result of this is that there is no accountability on these committees, and little downside to selling your vote to somebody who does matter -- a big contributor who can give you the money you think you need to win votes. read more »
Submitted by brad on Mon, 2004-06-21 16:16.
One of my interests is "new democracy" -- concepts of governance that could only exist due to the revelution in the technologies of organization that computers have brought. (I feel that one way to view the purpose of government is as a technology of organization.)
Imagine a legislative house of 100 members composed as follows. Each voter would be able to declare their support (vote) for one delegate. After the voting, the top 100 delegates become the members of the house. The #1 delegate would get no more than just under 2% of the vote, down around #100 we probably see somebody getting perhaps half a percent.
This house represents minority opinion. Almost any serious minority group can put together enough support to get a delegate, as it only takes between .5% and .9% of the vote. (1% gaurantees a delegate but in practice you would not need that much.) Parties with large support would just get more delegates. So there would always be some libertarians, some greens, along with the more mainstream groups.
The trick is that you could change your vote frequently. If your delegate did things you don't like, you could switch to another. This would not cause the upheaval that frequent elections cause today, because all the change would be at the lower end. Candidate #101 would one day replace Candidate #100. To prevent chaos at the bottom, candidates would get some minimum term before replacement, unless they dropped really low.
Without secret ballot this would be easy to do. Each person would have their named delegate on file, and could go and change it when they wish. There would never be (or rarely be) general elections.
With secret ballot it's harder... read more »
Submitted by brad on Tue, 2004-04-13 06:22.
I recently tried one of those online surveys that tries to tell you which candidate is actually most in line with your policy beliefs. These are fun, but subject to bias.
In keeping with my New Democracy category, I started wondering if there was a way to make this process official, and unbiased. It's an interesting process because often these surveys surprise the voter, who, based on campaign ads or peer pressure don't realize they are highly in agreement with a smaller-party platform.
Here's one suggestion for a way to make it non-biased. Each registered candidate could submit a policy statement that they think differentiates themselves from the other candidates. After all are submitted, they would be revealed and the other candidates would decide how they themselves want to be scored by the proposition. (The submitting candidate would be classed as strongly agreeing.) You don't want to put in a motherhood proposition that everybody agrees with as it won't differentiate you from others.
After this we go another round, candidates can submit entries which either continue to differentiate them, or refine or rebut earlier proposals. You can go several rounds, though you don't want the survey to be super-long.
Then voters can take this survey and it will tell them how close they are to each candidate, on the whole and issue-by-issue. read more »
Submitted by brad on Mon, 2004-03-08 06:59.
I’ve maintained for some time that while most spam is commercial, whether something is spam is not dependent on it being commercial. Charity spam, religious spam and political spam are just as bothersome as Viagra spam.
However, fellow EFFer Larry Lessig challenged me on this by asking whether we might want to allow political spam. Spam is super-cheap to send (that’s one reason it’s a problem) but as a very cheap form of advertising it could be an equalizer when it comes to campaign expenses, since a candidate would low-funding could spam almost as well as one with boatloads of special interest money. That’s unlike TV advertising, where the better funded candidate wins the game.
I have to admit that the current way elections are funded and political influence is bought and sold is a much more important problem than spam, so this is a question worth looking at.
Of course, it would be stupid for a politician to spam, even though they have exempted themselves from the spam laws. Spam generates such ill will (appropriately too) that I think a spam campaign from a candidate would backfire. Plus, I really don’t like the idea of regulating spam based on what it says — If it says one thing it’s banned, if it says another it’s OK.
But is there a germ of something worthwhile in here? What if the election officials managed the mailing list and voters had to be on it, for example. read more »
Submitted by brad on Thu, 2004-02-12 12:46.
As I noted earlier, there are all sorts of risks with remote voting over the internet, even if I suggest a way to make it doable. However, this is different from the question of voting machines. Like the folks at Verified Voting I believe that a voter-verifiable paper ballot is the simplest way to make computerized voting more secure. And I like voting machines because they can improve access and even make preferential ballot possible down the road.
But I look at the huge cost we are paying for voting machines. I propose breaking the voting machine process into two steps. The first is the ballot preparation machine. It helps the voter generate their ballot, and then prints it out on paper, in a human readable form that is also machine readable. You need lots of those.
With paper ballot in hand, you walk over to the scanning machine, which is stage 2. This machine reads the standard-format paper ballot, does OCR on the human readable text and confirms the ballot is readable as the voter desires. It also counts it. The ballot is then placed in a locked ballot box.
The scanning machine will be expensive, and secured, and built by an audited vendor. However, you need only a small number of those. The voting stations, which you need many of, can mostly be cheap. In fact, they can be free.
That's because you would generate a voting program that runs on standard PC hardware. On slow standard PC hardware. Probably an open source program, meant to run on Linux, and audited and verified by the open source community. They would love this job.
Then you ask the public to donate their old, slower PCs. Give them a small tax deduction if needed, but frankly I think you would get so many machines you wouldn't even need that. You could even be strict on the hardware requirements. Wipe the bios and put in a fresh one, possibly put in a cheap hard disk with the voting system installed. Get donated laser printers. You don't have a lot of security concerns with these machines because there is not a lot they can do to bollux the election. read more »
Submitted by brad on Fri, 2004-01-30 17:18.
In general, I agree with the recommendations several security experts wrote condemning the new overseas military voting system SERVE, because voters used unsecure Windows PCs to vote.
However, in thinking over the matter, I suggest the following method and open it for criticism. It still has many of the flaws in such systems - no physical audit trail, and like all remote voting systems including mail-in absentee ballot, it allows non-secret ballot and vote buying, though it is not much worse than mail-in in that respect.
Here's the proposal. For each registered voter, generate a paper instruction book. In the book, list the choices they can vote for, and with each choice provide a multi-digit number to enter. Also provide a longer master number for the whole ballot. In addition, after each number, provide a second "ack" number.
Thus you might see a ballot with:
- George Bush: 8741 / 9832
- Al Gore: 9843 / 4382
- Ralph Nader: 0438 / 2833
The numbers are different on each ballot. The voter enters the master number and then the sub-numbers. The election server, combining the numbers can determine who the vote is for. Only the exact numbers will work (any other will generate an error, and only so many errors will be allowed.) It should not be possible for a program not knowing a secret known only to the master computer to map the numbers to a choice.
When the vote is cast, the master server responds with the ACK number, which again only it knows how to generate. The voter confirms the ACK number is correct. The voter -- if they trust the master voting web server -- can be assured that their vote was registered, as desired with the master voting web server.
There's nothing a man-in-the-middle, including a trojan program that has taken over the PC, can do to circumvent this. They can't change the vote, see who the vote was for, or stop the vote from being recorded without the secrets known only to the master vote computer.
And thus it should work from any unsecure web browser and in fact would work fine from a telephone. As long as the numbers are long enough to avoid any guessing attacks.
Though again, we are completely trusting the master web server and its security.
Vote buying is easy with all mail-in ballots. Just ask the bought voter to give you the ballot to mail (or to fill in) and you can check it first. It's also easy to do here. It is slightly easier because you can provide software to confirm it but it's really not a lot easier.
To the system, voting can still be anonymous, as there is no need to connect a registered voter with a particular ballot card. Let them, once confirmed, pull a random ballot card from the pile, or mail them one. Of course the ballot cards with the magic numbers must remain secure, as must all mail-in ballots.
Anybody find a window into this system?