Giving up the unprovable ballot

Yesterday, I wrote about election goals. Today I want to talk about one of the sub-goals, the non-provable ballot, because I am running into more people who argue it should be abandoned in favour of other goals. Indeed, they argue, it has already been abandoned.

As I noted, our primary goal is that voters cast their true desire, independent of outside pressure. If voters can't demonstrate convincingly how they voted (or indeed if it's easy to lie) then they can say one thing to those pressuring them and vote another way without fear of consequences. This is sometimes called "secret ballot" but in fact that consists of two different types of secrecy.

The call to give this up is compelling. We can publish, to everybody, copies of all the ballots cast -- for example, on the net. Thus anybody can add up the ballots and feel convinced the counts are correct, and anybody can look and find their own ballot in the pool and be sure their vote was counted. If only a modest number of random people take the time to find their ballot in the published pool, we can be highly confident that no significant number of ballots went uncounted, were altered or were miscounted. It becomes impossible to steal a ballot box or program a machine not to count a vote. It's still possible to add extra ballots -- such as the classic Chicago dead voters, though with enough checking even this can be noticed by the public if it's done in one place.

The result is a very well verified election, and one the public feels good about. No voter need have any doubt their vote was counted, or that any votes were altered, miscounted, lost or stolen. This concept of "transparency" has much to recommend it.

Further, it is argued, many jurisdictions long ago gave up on unprovable ballots when they allowed vote by mail. The state of Oregon votes entirely by mail, making it trivial to sell your ballot or be pushed into showing it to your spouse. While some jurisdictions only allow limited vote by mail for people who really can't get to the polls, some allow it upon request. In California, up to 40% of voters are taking advantage of this.

Having given up the unprovable ballot, why should we not claim all the advantages the published ballot can give us? Note that the published ballots need not have names on them. One can give voters a receipt that will let them find their true ballot but not let anybody who hasn't seen the receipt look up any individual's vote. So disclosure can still be optional.

Buying votes for money, the original fear that led to the unprovable ballot, seems to be a rare event today. It remains highly illegal. One proposal -- that any vote seller could get amnesty for turning in a vote buyer -- suggests we could assure it remains a minor problem. Today vote buying is trivial with mail-in ballots (you sign your blank ballot and sell it to the buyer) and we're not seeing a lot.

Vote publishing, on the other hand, opens up a new risk. I fear it could be the case that vote coercion could become disguised as democratic zeal. If voters get receipts, and votes are published, it is expected -- even touted -- that watchdog organizations would check ballots for people. If checking is at all complex or technical, you might well pass your receipt to the ACLU or League of Women Voters or other watchdog group to do the counting and keep the elections fair. It sounds like being a champion of democracy.

However, there is a risk of partisan "watchdogs" who claim they just want to make sure every vote from their members/sympathizers was counted, but really want to introduce the social pressure which comes from telling people to expect they will show how they voted to the watchdog.

Consider, for example, a church which makes a fiery demand from the pulpit that voters not vote for a sinful candidate. The church might also tell all parishioners to be sure to bring in their receipts so the deacon can make sure every vote from the parish was counted. "It's your democratic duty." Such a situation would make it much harder to secretly vote against the peer group. If a church (in Oregon) were to ask all the flock to bring in their mail-in ballots for pre-inspection, that would be much more overt, and possibly even illegal. But vote checking would in fact be encouraged and democratic.

Churches are just one example. Political parties themselves might rein in the faithful ("we want to be sure every Republican vote was counted") to make sure they vote the right way up and down the ticket. Indeed, while most people don't bother to vote in races they don't care about, this pressure might cause people to cast a lot of votes (along party lines) so as not to look so uninformed as not to have voted in a race.

Even today's vote-by-mail opens up a problem within families. I suspect if the suffragettes had been offered "Women may vote, but their husband can ask to come into the voting booth with them to watch. Disobedient wives can refuse of course, at whatever cost to their marriage that entails" as a solution, they would not have found it particularly acceptable. We have effectively done this today with vote at home, but in our era the term "disobedient wife" has largely vanished.

I don't know for sure if this would happen, but it could, and I would want to be sure that it would not happen before moving to published ballots.

Published, unprovable ballots

There have been some proposals, notably from David Chaum, which offer checkable receipts for voters which can be checked against published records but can't be used to prove how the voter voted. From cryptographic numbers on their receipt, they can check to see that their ballot was one of the ones that went into the total, but on its own, you can't figure out what the ballot was. One system had two sheets of paper which when held over one another displayed the choice, but which otherwise appear as a random series of dots when separated. The sheet that reveals the choice goes in the ballot box, the sheet that can show the other sheet was counted goes home with the voter. A newer system, Punchscan, improves on this.

His schemes are extremely clever, but unfortunately they may be too clever. Even those skilled in cryptographic techniques take some time to understand the systems, and it's clear the general public would be limited to "trust the expert" to feel comfortable that they actually work.

Nonetheless, the fact that David has proved that this is possible is reason for optimism. It may be that with further work we will see a system which allows published, voter-checkable ballots but does not allow group checking with the associated peer pressure. There has been a variety of research into such systems, called End-to-end auditable voting systems.

Checking at a checking station

It may be possible, my associate Kathryn suggests, to design a system where checking one's ballot is not something one can do at home, off of the web, but rather requires a specialized checking station, that is not unlike a polling booth.

With such a station, located after the election in places like libraries or courthouses, one could go in, demonstrate you are a registered voter (just as when you voted) and get a chance to check just one ballot. (Since it is important others not be able to tie your ballot to you, there is probably no way to assure you can't check any ballot you have the receipt for, but you can only check one.)

We must of course trust the checking machines, but my intuition is that a protocol for verifying them is simpler than a general protocol for all ballots. They will know a secret which can combine the cryptographic signature portions on a receipt and on a published ballot to learn that they match.
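One way to sketch the checking-station idea described above, as an added example that is not from the original post: a toy model in which an HMAC keyed with a station-only secret stands in for the "secret which can combine" the receipt and the published ballot. The class and function names, the HMAC construction and the sample votes are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter


class Election:
    """Constructed toy model: the receipt holds a random token, the public
    list holds only keyed tags, and only a checking station can link them."""

    def __init__(self):
        # Assumption: one secret shared by all checking stations, never published.
        self._station_key = secrets.token_bytes(32)
        self.published = {}      # tag (hex) -> choice: the public ballot list
        self._checked = set()    # registered voters who have used their one check

    def _tag(self, token: bytes) -> str:
        return hmac.new(self._station_key, token, hashlib.sha256).hexdigest()

    def cast(self, choice: str) -> str:
        """Record a ballot and return the take-home receipt (hex token)."""
        token = secrets.token_bytes(16)
        self.published[self._tag(token)] = choice
        return token.hex()

    def tally(self) -> Counter:
        """Anybody can add up the published ballots; no secret is needed."""
        return Counter(self.published.values())

    def station_check(self, voter_id: str, receipt: str):
        """One check per registered voter. Returns the published choice for
        this receipt, or None if the ballot is missing from the public list."""
        if voter_id in self._checked:
            raise PermissionError("this voter has already checked a ballot")
        self._checked.add(voter_id)
        return self.published.get(self._tag(bytes.fromhex(receipt)))


def home_lookup(published: dict, receipt: str):
    """What a group holding a receipt can do without the station secret:
    try the raw token and an unkeyed hash of it against the public list."""
    guesses = (receipt, hashlib.sha256(bytes.fromhex(receipt)).hexdigest())
    return next((published[g] for g in guesses if g in published), None)
```

The one-check limit is enforced per registered voter rather than per receipt, matching the post's point that the station cannot stop you checking a ballot whose receipt you merely hold.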

It turns out that due to well established principles of sampling, you only need a fairly modest number of people checking ballots to be sure that there has been no significant destruction, alteration or miscounting of ballots. So it doesn't matter if checking is a bit more work. We only need a small number of people to do it, so long as they are a mostly random sampling. Since we don't need the group check, there is no harm in losing it. (We still want watchdogs to be able to add all the ballots, of course.)
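The sampling claim above can be made concrete. The following added example (not from the original post) computes how many randomly chosen voters must check their ballots to catch tampering with a given confidence, using exact sampling without replacement; the election sizes and the 1% tampering rate are constructed figures, and the result holds only if checkers are a random sample and report any mismatch they find.

```python
def detection_probability(total: int, tampered: int, checkers: int) -> float:
    """Chance that at least one of `checkers` distinct, randomly chosen
    voters holds a ballot that was lost, altered or miscounted."""
    p_miss = 1.0
    for i in range(checkers):
        clean_left = total - tampered - i
        if clean_left <= 0:
            return 1.0  # more checkers than clean ballots: detection is certain
        p_miss *= clean_left / (total - i)
    return 1.0 - p_miss


def min_checkers(total: int, tampered: int, confidence: float) -> int:
    """Smallest number of random checkers giving at least `confidence`
    probability that the tampering is noticed by somebody."""
    if not 0 < tampered <= total:
        raise ValueError("tampered must be between 1 and total")
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    p_miss, n = 1.0, 0
    while 1.0 - p_miss < confidence:
        p_miss *= (total - tampered - n) / (total - n)
        n += 1
    return n


if __name__ == "__main__":
    # Constructed scenarios: 1% of ballots tampered, 99% detection target.
    for total in (500, 1_000_000, 100_000_000):
        tampered = total // 100
        n = min_checkers(total, tampered, 0.99)
        print(f"{total:>11,} ballots, {tampered:,} tampered: {n} checkers")
```

The required number of checkers depends on the fraction tampered, not on the size of the election, which is why a modest number suffices even for very large electorates.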

This solves the problem of the peer pressure check. While a church could ask everybody to have a "checking buddy" with whom they swap receipts, this seems far less likely, and it would look suspicious.

Other proofs

There are other ways to prove a ballot if ballots are published. For example, on a complex ballot with many races, the vote buyer can tell you to vote his way in the main races, and then follow a bizarre pattern unique to you in the minor races. (For example, you might be asked to vote for a communist secretary of state and a libertarian insurance commissioner and a crazy school board candidate.) The vote buyer can then check to see that the crazy ballot, along with the purchased choice, is in the published record. This technique does not easily scale to peer pressure groups. And mail in ballots are a much simpler means of doing this that doesn't leave such a trail.

Today, the tiny portable camera (particularly the cell phone camera) also provides ample opportunity to prove how you voted, even with guarded voting booths. Unless we plan to search all voters for hidden tiny recording devices, removing their phones, watches, glasses and the like before voting, it will be difficult for any system to block vote proving.

One "answer" to vote proving is to allow voters to cast fake ballots, which they know are fake, as well as a real ballot they know is real. This works particularly well with vote by mail, where a voter can request any number of fake ballots (by mail or in person) tagged with a special keyword or colour known only to the voter so they can always recall which is the real one. This can make it possible to sell a fake vote and then cast a real one later, unless one is watched at all times.

What do readers think? Should we have published ballots and give up unprovable ones? Should we wait until we get both? How much is the peer pressure risk?


The secret ballot has made vote buying essentially impossible in the US for more than 100 years. No one alive today remembers a time when it was a serious problem, so of course many people think it can't be very important. I suspect that the citizens of Oregon will soon rue the day they gave up the secret ballot, and I hope the rest of the country shows more electoral fortitude.

This is the big question. The political and social climate of the vote buying days is clearly gone, but this does not mean it can't arise again, and we must be on the watch. Oregon is not so special -- any state that allows mail-in or offsite voting is vulnerable.

Actual vote buying, for cash, seems a harder crime to get away with in the modern world, especially if we did set up a program where any vote seller could turn in a vote buyer and get amnesty for that particular vote-sale. (Those who did not turn in a vote buyer in time would not get amnesty.) We also have facilities for anonymous whistleblowing as an alternative. If the vote buyer is a mobster who will break your legs for turning you in, however, amnesty doesn't help.

Of course, it must be cheaper to buy a vote outright than it is to get one through legal means, such as advertising and get-out-the-vote techniques. With 50% turnouts, get-out-the-vote (such as driving known supporters to the polls, calling them on voting day) seems much cheaper at vastly lower risk.

Of course the goal of vote-at-home, like Oregon, is higher turnout. In this case I presume workers, rather than driving voters to the polls, just stop by and ask in person if they voted, which might be very persuasive.

As noted, I have more concern over pressuring voters, with force or peer pressure, than doing it with actual cash. That's much harder to stop or make illegal. If a group/church/union/party has any excuse to ask for your ballot receipt, this could generate a large increase in such pressure.

However, in this debate there will be a lot of discussion about which threats are truly the most dangerous. If we look at vote buying, which is close to non-existent today, how do we scale the risk of its return over quantities which are much larger today, such as the number of people who don't vote at all for various reasons, or box stuffing, or voting machine manipulation? Should we fail to address a real threat doing real damage because of fear of something that might become worse someday? It's a hard question.

How do we know that vote selling isn't a big problem in those districts that have wide-spread mail-in ballots? You state that it isn't a big problem, and I certainly haven't noticed anyone complaining, but does that mean it isn't a problem? How do we know how much mail-in ballot fraud is going on? How many reports do we have of such fraud?

I'm VERY scared of giving up the secret ballot. To me, the secret ballot is the basis of the whole system, and without it, the ability to count ballots correctly or not is irrelevant. It seems to me that the human nature of corrupt people makes the lack of a secret ballot just as dangerous as a black-box voting system that can't be examined or recounted. Either way can lead to a well organized and prepared criminal controlling an election.

I think some of your ideas have a lot of merit. Anything we can do to add accountability while preserving anonymity is a good thing.

Well, simply, when a crime becomes widespread, we do seem to know that it exists. You're going to know about, or hear about, instances of the crime, even if you can't get prosecutions, and you're going to get at least some prosecutions started, if not convicted. I'm sure that the law finds only 1% of the pot smokers out there, but we are not unaware as a society that lots of pot smoking is going on. Vote buying requires a secret conspiracy of hundreds, even thousands to be effective, and reports of it, even rumours, are extremely low. (On the other hand we have lots of rumours of all sorts of election manipulation, some of which may be going on but much of which probably isn't going on at all.)

It's the sort of thing you would hear rumours about, even if you couldn't nail them down. People would be claiming, even falsely, that they got offered money for a ballot.

Vote buying usually requires you find people who don't care that much about their vote, are very poor and of course would not have voted for you otherwise. Not the world's best secret conspirators.

The first problem to be resolved is with the voters list itself. There are always going to be people on the list whose legal right to vote is in question, and there are likely to be advocates on both sides of that debate for each individual case. Elimination of the secret ballot completely changes the nature of those debates, and can leave elections undetermined for years after the fact.

Proposals afoot are for the elimination of the unprovable ballot, not the full secret ballot. In such proposals, voters get to take home a receipt, which has a magic number on it, and the published ballots have this magic number, so one can go and look and see your ballot, with appropriate number, in the published list and be sure your vote was counted as you meant it to.

However, this does not reveal to anybody else, unless you choose, which ballot was yours, and you can destroy the receipt so nobody can ever learn. As such, somebody trying to challenge the eligibility of voters can't have that alter the results of the published ballots.

