Yesterday, I wrote about election goals. Today I want to talk about one of the sub-goals, the non-provable ballot, because I am running into more people who argue it should be abandoned in favour of other goals. Indeed, they argue, it has already been abandoned.
As I noted, our primary goal is that voters cast their true desire, independent of outside pressure. If voters can’t demonstrate convincingly how they voted (or indeed if it’s easy to lie) then they can say one thing to those pressuring them and vote another way without fear of consequences. This is sometimes called “secret ballot” but in fact that consists of two different types of secrecy.
The call to give this up is compelling. We can publish, to everybody, copies of all the ballots cast — for example, on the net. Thus anybody can add up the ballots and feel convinced the counts are correct, and anybody can look and find their own ballot in the pool and be sure their vote was counted. If only a modest number of random people take the time to find their ballot in the published pool, we can be highly confident that no significant number of ballots have gone uncounted, been altered or been miscounted. It becomes impossible to steal a ballot box or program a machine not to count a vote. It’s still possible to add extra ballots — such as the classic Chicago dead voters, though with enough checking even this can be noticed by the public if it’s done in one place.
The result is a very well verified election, and one the public feels good about. No voter need have any doubt their vote was counted, or that any votes were altered, miscounted, lost or stolen. This concept of “transparency” has much to recommend it.
Further, it is argued, many jurisdictions long ago gave up on unprovable ballots when they allowed vote by mail. The state of Oregon votes entirely by mail, making it trivial to sell your ballot or be pushed into showing it to your spouse. While some jurisdictions only allow limited vote by mail for people who really can’t get to the polls, some allow it upon request. In California, up to 40% of voters are taking advantage of this.
Having given up the unprovable ballot, why should we not claim all the advantages the published ballot can give us? Note that the published ballots need not have names on them. One can give voters a receipt that will let them find their true ballot but not let anybody who hasn’t seen the receipt look up any individual’s vote. So disclosure can still be optional.
Buying votes for money, the original fear that led to the unprovable ballot, seems to be a rare event today. It remains highly illegal. One proposal — that any vote seller could get amnesty for turning in a vote buyer — suggests we could assure it remains a minor problem. Today vote buying is trivial with mail-in ballots (you sign your blank ballot and sell it to the buyer) and we’re not seeing a lot.
Vote publishing, on the other hand, opens up a new risk. I fear it could be the case that vote coercion could become disguised as democratic zeal. If voters get receipts, and votes are published, it is expected — even touted — that watchdog organizations would check ballots for people. If checking is at all complex or technical, you might well pass your receipt to the ACLU or League of Women Voters or other watchdog group to do the counting and keep the elections fair. It sounds like being a champion of democracy.
However, there is a risk of partisan “watchdogs” who claim they just want to make sure every vote from their members/sympathizers was counted, but really want to introduce the social pressure which comes from telling people to expect they will show how they voted to the watchdog.
Consider, for example, a church which makes a fiery demand from the pulpit that voters not vote for a sinful candidate. The church might also tell all parishioners to be sure to bring in their receipts so the deacon can make sure every vote from the parish was counted. “It’s your democratic duty.” Such a situation would make it much harder to secretly vote against the peer group. If a church (in Oregon) were to ask all the flock to bring in their mail-in ballots for pre-inspection, that would be much more overt, and possibly even illegal. But vote checking would in fact be encouraged and democratic.
Churches are just one example. Political parties themselves might rein in the faithful (“we want to be sure every Republican vote was counted”) to make sure they vote the right way up and down the ticket. Indeed, while most people don’t bother to vote in races they don’t care about, this pressure might cause people to cast a lot of votes (along party lines) so as not to look so uninformed as not to have voted in a race.
Even today’s vote-by-mail opens up a problem within families. I suspect if the suffragettes had been offered “Women may vote, but their husband can ask to come into the voting booth with them to watch. Disobedient wives can refuse of course, at whatever cost to their marriage that entails” as a solution, they would not have found it particularly acceptable. We have effectively done this today with vote at home, but in our era the term “disobedient wife” has largely vanished.
I don’t know for sure if this would happen, but it could, and I would want to be sure that it would not happen before moving to published ballots.
Published, unprovable ballots
There have been some proposals, notably from David Chaum, which offer receipts for voters that can be checked against published records but can’t be used to prove how the voter voted. From cryptographic numbers on their receipt, they can check to see that their ballot was one of the ones that went into the total, but on its own, you can’t figure out what the ballot was. One system had two sheets of paper which, when held over one another, displayed the choice, but which otherwise appear as a random series of dots when separated. The sheet that reveals the choice goes in the ballot box, the sheet that can show the other sheet was counted goes home with the voter. A newer system, Punchscan, improves on this.
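The two-sheet property described above can be shown with the generic 2-out-of-2 visual secret sharing construction of Naor and Shamir. This is an added illustration, not Chaum's actual protocol or code; the function names and the 5x5 sample mark are constructed for the example.

```python
import secrets

# Each ballot pixel becomes a pair of subpixels on each sheet (1 = dark dot).
PATTERNS = ((1, 0), (0, 1))

def split(bitmap):
    """Split rows of 0/1 pixels into two sheets of subpixel rows."""
    sheet_a, sheet_b = [], []
    for row in bitmap:
        row_a, row_b = [], []
        for pixel in row:
            p = secrets.randbelow(2)            # fresh coin flip per pixel
            row_a.extend(PATTERNS[p])
            # White pixel: identical pair on sheet B. Black pixel: complement.
            row_b.extend(PATTERNS[p ^ pixel])
        sheet_a.append(row_a)
        sheet_b.append(row_b)
    return sheet_a, sheet_b

def overlay(sheet_a, sheet_b):
    """Stack the transparencies: a subpixel is dark if either sheet is dark."""
    return [[x | y for x, y in zip(ra, rb)] for ra, rb in zip(sheet_a, sheet_b)]

def decode(stacked):
    """A pixel reads as black only when both of its subpixels are dark."""
    return [[r[i] & r[i + 1] for i in range(0, len(r), 2)] for r in stacked]

def render(rows):
    return "\n".join("".join("#" if v else "." for v in r) for r in rows)

# Constructed sample: a 5x5 "X" standing in for the voter's mark.
MARK = [[1, 0, 0, 0, 1],
        [0, 1, 0, 1, 0],
        [0, 0, 1, 0, 0],
        [0, 1, 0, 1, 0],
        [1, 0, 0, 0, 1]]

if __name__ == "__main__":
    a, b = split(MARK)
    for title, rows in (("sheet A", a), ("sheet B", b), ("stacked", overlay(a, b))):
        print(title, render(rows), sep="\n", end="\n\n")
```

Each sheet on its own always carries exactly one dark subpixel per pair, placed by a coin flip, so a single sheet looks the same whatever the mark was; only the stack shows the fully dark pairs that spell it out.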
His schemes are extremely clever, but unfortunately they may be too clever. Even those skilled in cryptographic techniques take some time to understand the systems, and it’s clear the general public would be limited to “trust the expert” to feel comfortable that they actually work.
Nonetheless, the fact that David has proved that this is possible is reason for optimism. It may be that with further work we will see a system which allows published, voter-checkable ballots but does not allow group checking with the associated peer pressure. There has been a variety of research into such systems, called End-to-end auditable voting systems.
Checking at a checking station
It may be possible, my associate Kathryn suggests, to design a system where checking one’s ballot is not something one can do at home, off of the web, but rather requires a specialized checking station, that is not unlike a polling booth.
With such a station, located after the election in places like libraries or courthouses, one could go in, demonstrate you are a registered voter (just as when you voted) and get a chance to check just one ballot. (Since it is important others not be able to tie your ballot to you, there is probably no way to assure you can’t check any ballot you have the receipt for, but you can only check one.)
We must of course trust the checking machines, but my intuition is that a protocol for verifying them is simpler than a general protocol for all ballots. They will know a secret which can combine the cryptographic signature portions on a receipt and on a published ballot to learn that they match.
It turns out that due to well established principles of sampling, you only need a fairly modest number of people checking ballots to be sure that there has been no significant destruction, alteration or miscounting of ballots. So it doesn’t matter if checking is a bit more work. We only need a small number of people to do it, so long as they are a mostly random sampling. Since we don’t need the group check, there is no harm in losing it. (We still want watchdogs to be able to add all the ballots, of course.)
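The sampling claim made here, and earlier where the post says a modest number of random people checking is enough, can be worked through numerically. This is an added example, not part of the original post. It assumes the checkers are a uniform random sample of distinct voters and that anyone whose ballot was altered or dropped notices when they check; the electorate sizes and tamper rates are constructed.

```python
def miss_probability(total, tampered, checkers):
    """Chance that none of `checkers` distinct random voters holds a tampered ballot."""
    miss = 1.0
    for i in range(checkers):
        # i clean ballots already drawn; the next draw must be clean as well.
        miss *= max(total - tampered - i, 0) / (total - i)
    return miss

def detection_probability(total, tampered, checkers):
    """Chance that at least one checker finds their ballot missing or changed."""
    return 1.0 - miss_probability(total, tampered, checkers)

def min_checkers(total, tampered, confidence):
    """Smallest number of random checkers that reaches the given confidence."""
    if tampered <= 0:
        raise ValueError("no tampered ballots to detect")
    miss, n = 1.0, 0
    while miss > 1.0 - confidence:
        miss *= max(total - tampered - n, 0) / (total - n)
        n += 1
    return n

if __name__ == "__main__":
    # Constructed scenarios: electorate size x share of ballots tampered with.
    for total in (100_000, 1_000_000, 100_000_000):
        for share in (0.05, 0.01, 0.001):
            tampered = int(total * share)
            need = min_checkers(total, tampered, 0.99)
            print(f"{total:>11,} ballots, {share:.1%} tampered: "
                  f"{need:,} checkers for 99% detection")
```

The required number of checkers depends almost entirely on the share of ballots tampered with, not on the size of the electorate, which is why a small random sample is enough to catch any alteration large enough to matter.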
This solves the problem of the peer pressure check. While a church could ask everybody to have a “checking buddy” with whom they swap receipts, this seems far less likely and suspicious.
There are other ways to prove a ballot if ballots are published. For example, on a complex ballot with many races, the vote buyer can tell you to vote his way in the main races, and then follow a bizarre pattern unique to you in the minor races. (For example, you might be asked to vote for a communist secretary of state and a libertarian insurance commissioner and a crazy school board candidate.) The vote buyer can then check to see that the crazy ballot, along with the purchased choice, is in the published record. This technique does not easily scale to peer pressure groups. And mail-in ballots are a much simpler means of doing this that doesn’t leave such a trail.
Today, the tiny portable camera (particularly the cell phone camera) also provides ample opportunity to prove how you voted, even with guarded voting booths. Unless we plan to search all voters for hidden tiny recording devices, removing their phones, watches, glasses and the like before voting, it will be difficult for any system to block vote proving.
One “answer” to vote proving is to allow voters to cast fake ballots, which they know are fake, as well as a real ballot they know is real. This works particularly well with vote by mail, where a voter can request any number of fake ballots (by mail or in person) tagged with a special keyword or colour known only to the voter so they can always recall which is the real one. This can make it possible to sell a fake vote and then cast a real one later, unless one is watched at all times.
What do readers think? Should we have published ballots and give up unprovable ones? Should we wait until we get both? How much is the peer pressure risk?