Holding an election over SMS

In 2004, I described a system that would allow secure voting over an insecure internet and PC. Of late, I have been pondering the question of how to build a "turn-key democracy kit" -- a suite of tools and services that could be used by a newly born democracy to smoothly create a new state. We've seen a surprising number of new states and revolutions in the last few years, and I expect we'll see more.

One likely goal after any revolution is to quickly hold some sort of meaningful election so that it's clear the new regime has popular support and is not just another autocracy replacing the old one. You don't have time to elect a full government (and may not want to due to passions) but at some point you need some sort of government that is accountable to the people to oversee the transition to a stable democracy.

This may create a need for a quick, cheap, simple and reliable election. Even though I am generally quite opposed to the use of voting machines, particularly voting machines which only record results in digital form, there are a number of advantages to digital voting over cell phones and PCs in a new country, at least in a country that has a digital or mobile phone infrastructure established enough so that everybody, even if they don't have a phone, knows someone who has one.

Consider:

  • In a new country, fresh out of autocracy, powerful forces will oppose the election. They will often try to prevent it or block voters.
  • A common technique is intimidation, scaring people away from voting with threats of violence around polling places.
  • The attacks against digital voting systems tend to require both sophistication and advanced planning.
  • For a revolutionary election, the digital voting systems may well be brought in and operated by disinterested foreign parties, backed by the U.N. or other agencies.
  • An electronic system is also immune to problems like boxes of ballots disappearing or being stuffed or altered.

The risk of corruption in a digital or partially digital election may be judged lower than the risk in a traditional polling place election in a volatile area. It may also be hard to build and operate trustable polling places in remote locations, and to do it quickly.

The big issue I see is maintaining secret ballot. It is difficult to protect secret ballot with remote voting, and much easier in polling-station voting. If secret ballot is not adequately protected, forces could use intimidation to make sure people vote the right way, or in some cases to buy votes. I am not sure I have a really good solution to this and welcome input; this is an idea in the making. The basic system works like this:

  • A secured truck goes out and offers voter registration. This might consist of an ID check or just thumb dye.
  • Registered voters get a special envelope with between 5 and 10 "ballot" pages. On the envelope is a removable sticker with a number from 1 to 6 (or perhaps a word.) The voter must memorize the number, and then it is removed and destroyed before they leave.
  • Operations must be supervised and videotaped to assure that ballots are not stolen or misappropriated, and that all unassigned ballots are returned.
  • Inside the envelope are different ballots. Only the one marked with the number or word memorized is a usable ballot. The rest all appear to work but in fact will not.
  • Each ballot is a list of number pairs. The first number is the one the voter enters to vote for a choice. After it is a confirmation number/string. Each ballot is different, and may have a master number that is also used in all voting sessions (to keep the other numbers short.)
  • To vote for a choice, the voter enters the appropriate number on a PC, or in a text message as indicated. They will receive a response which should be the confirmation number.
  • If they get the confirmation number, it means their vote was received. If not, it may not have been.
  • After voting they are encouraged to delete the texts from the phone they used, and to destroy all the ballots.

As you can see, the PC, the internet and the mobile system can't understand the votes going through, or interfere with them. If the right response string comes back, the voter is sure their vote reached the central system. The operator can block the vote, but the voter will know they did this because they did not get the confirmation number. Any bulk blocking of votes will cause much complaint, and attempts at re-vote.

How do we preserve secret ballot? Only the voter knows which of the ballots in their envelope is the working one. They can readily pretend to vote with any of the others in front of somebody, or sell a non-working ballot sheet.

The big question is what happens if more than one sheet from a voter is voted. If they are all voted, we must discard the ballot, as a vote buyer could just buy the whole envelope and vote them all. On the other hand, if two are voted, this could be because one was voted in front of a vote-buyer or intimidator, but the voter also votes the working one before or after. If two are allowed, but not three, the vote buyer could vote two of them, but still only have a modest chance of getting the right one. They would, however, stop the real voter from voting.

To help combat this, the packets contain an unknown number of ballots. Thus if a vote buyer asks for all the ballots, they can never be sure they got all of them, unless they can hit the person up right after walking out of the ballot distribution station. The voter might keep the real one hidden elsewhere and deliver a packet with all bogus ballots.

What if the same ballot is voted twice? The voter might choose between two options:

  1. The first vote using the ballot has precedence. The voter should vote ASAP and then can freely sell the ballot to a sucker.
  2. Multiple uses of the same codes nullify the vote. To be used if you fear the goons will get to you before you can vote.

I am not yet satisfied with these solutions.
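As an added example (not code from the original post), here is a toy model of the scheme above: envelope printing with one live sheet among decoys, the server's confirmation reply, and a tally that applies the multi-sheet limit and the two duplicate-use rules just listed. The choice names, the two-sheet limit, and the code lengths are this example's own assumptions.

```python
import secrets
from collections import defaultdict

CHOICES = ["A", "B"]  # constructed toy election; every name here is this example's own

def issue_envelope(voter_id, n_sheets, registry):
    """Print one envelope: n_sheets sheets, exactly one live. Each sheet maps a choice
    to (vote code, confirmation code); the secret registry stays with the counters."""
    live = secrets.randbelow(n_sheets)
    sheets = []
    for s in range(n_sheets):
        sheet = {}
        for choice in CHOICES:
            code = f"{secrets.randbelow(10**8):08d}"
            while code in registry: code = f"{secrets.randbelow(10**8):08d}"  # unique
            confirm = f"{secrets.randbelow(10**4):04d}"
            sheet[choice] = (code, confirm)
            registry[code] = (voter_id, s, s == live, choice, confirm)
        sheets.append(sheet)
    return sheets

def receive_vote(registry, log, code):
    """Server side of one SMS: reply with the confirmation code (live or decoy alike,
    so a watcher learns nothing) and append the exchange to the audit log."""
    entry = registry.get(code)
    reply = entry[4] if entry else "UNKNOWN"
    log.append((code, reply))
    return reply

def tally(registry, log, max_sheets=2, policy="first"):
    """Decode the audit log: only the live sheet counts, an envelope with more than
    max_sheets sheets voted is discarded, a live sheet used twice is 'first' or 'nullify'."""
    per_voter = defaultdict(lambda: {"sheets": set(), "live": []})
    for code, _reply in log:
        if code in registry:
            voter, s, is_live, choice, _ = registry[code]
            per_voter[voter]["sheets"].add(s)
            if is_live: per_voter[voter]["live"].append(choice)
    counts, outcome = {c: 0 for c in CHOICES}, {}
    for voter, v in per_voter.items():
        if len(v["sheets"]) > max_sheets:
            outcome[voter] = "discarded"      # whole envelope voted: probably bought
        elif not v["live"]:
            outcome[voter] = "no_live_vote"   # only decoy sheets were sent
        elif len(v["live"]) > 1 and policy == "nullify":
            outcome[voter] = "nullified"
        else:
            counts[v["live"][0]] += 1         # 'first': earliest live vote wins
            outcome[voter] = "counted"
    return counts, outcome
```

The audit log holds only opaque codes and replies, so the registry is the one secret the audit committee needs to decode it afterwards.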

Who's counting the votes? Ideally a foreign NGO with no interest in the election, with machines brought in from overseas, which connect to the mobile network and internet but with logging which records all incoming vote codes and responses to an audit printout. An audit committee would later get access to whatever secrets allow the decoding of the vote numbers, confirmation codes and valid vs. fake ballots.

More issues:

  • You must trust the ballot distributors. Each trip needs observers, possibly from different sides, to assure everything: that ballots are handed out only to voters (one per voter), that secret tags are destroyed, that nobody records who got what ballot, etc.
  • This method can be mixed with traditional polling places. It might be used only where there is fear of intimidation around the polling place. The dye must last long enough to mark voters.
  • If there is a workable ID system it could be used instead of dye, but many new nations don't have a voter registration database.
  • As described, this is a bit too complex. It needs to be simpler for people who may never have voted before.
  • Literacy may be a question in some countries, and a printed sheet won't do it.

Comments

Brad -
I like some of the kernels of methodology in here, they appeal to my sense of elegant method applied to imprecise resources. I have not officiated voting in an emerging nation, nor do I have an in-depth understanding of the intimate process of large-scale voting, but I think the one obvious point you already mention is the deal-breaker here: it is too complex. In most nations (including the US) even the most simple ballot methods are prone to voter confusion, and in many areas the ballots are rendered with pictures of candidates, or symbols indicating which party the voter wishes to choose. I don't like the odds of the method you describe succeeding in chaotic and low-literacy areas - I think it would be worse than normal paper or digital ballot. I especially don't like this method considering that mobile phone networks are controlled by the "authority in power" and can be deactivated or manipulated to swing results even if it is merely to block votes entirely (witness the Middle East, currently.)
The lure of SMS is that it's readily available, but I don't see a way that any of the basic requirements for fair vote collection could be managed: secrecy, uniqueness, ubiquity, easy. Most of the world is a long way away from having the resources to do this correctly, which is IP-based interaction and not SMS. If citizens had "personal ID" numbers, and passwords, and a method by which phones could use HTTPS or other device-independent channel to an authenticated voting system... then yes, this would work. However, SMS provides none of that at a level that would be sufficient for voting without inviting massive fraud, compromise of secure vote information, or confusion.

JT

You are right that this is the big problem. Whether it could work might depend on a few factors about the country:

  • Does it have very high phone penetration, so that most people have a phone in their family and know how to use it? This is becoming fairly normal.
  • What is the literacy rate? The sheet's instructions can be pretty simple in the end. "If you like candidate A, text 123456789 to short code 88." It's the multi-sheet rule that makes it a bit more complex.
  • If the PC infrastructure is there, that allows more complexity as you have an interactive program, with ability to do audio in different languages etc.
  • How much danger is there of voter intimidation?
  • How hard is it for people to get out to the polls?
  • Does the country already have a working electoral registration system? (Many autocracies have regular sham elections.)

But secret ballot is the killer problem. Of course in many places in the USA (like Oregon which is all mail-in) we have given up on secret ballot. The amount of voter intimidation and buying in the USA seems low enough that people have gone that way, though I am not even sure that's wise in Oregon.

I do think the risks of the use of digital tampering to steal 1st world elections are high. Oddly, the risk of digital tampering on an election system that was imported at short notice from a trusted NGO or UN agency is low. The election wasn't planned for, the type of gear was unknown in advance and there is no time to plan a digital attack. Of course, if the existing systems have known flaws, somebody might sell a zero-day attack but it's still hard to organize. I would not recommend any DRE system for long term use.

The rule of law, and subsequent trust in electoral systems, seems to be a prerequisite for the SMS method. It seems that there is a high risk of "overt" tampering with this system - blocking SMS messages entirely. In other ways, I don't see how it would be significantly lower in risk profile than a standard ballot. You have to hand out the documents, and have voting officials watch the process to prevent intimidation. You can't prevent vote buying in either case, so that's a moot argument. I think the mobile voting method really only lifts burden from the shoulders of vote counters, but doesn't significantly change the equation on the input side - distributing ballots, preventing fraud, explaining candidate positions.

I love Oregon's mail-in voting method. I am almost always on the road, and in the past when I lived in other states, absentee ballots were a pain to collect. In Oregon, all votes are absentee-like. The time allowed to choose in the quiet of one's home, and the full descriptions associated with each candidate and issue are also fantastic. I believe this leads to better decisions for people (like me) who haven't spent days collecting an opinion on each item on which there is a vote option.

I do agree completely that electronic voting systems allow subtle rigging of election results, and the more sophisticated the platform, the more tempting the target and difficult the detection becomes.

Because of the response code, if the provider blocks a vote, you will know it since you did not get the code back. You can then make the trek to find another place to vote (another phone, a PC, a voice phone with touch tones, or a polling place.) At the same time this can allow a report of a blocked vote attempt. If it is reported that a group of people all could not SMS, it looks very suspicious. It also requires a modestly large conspiracy within the phone company, and turning off or faking or auditing, something harder to keep secret.

Actually, proper secret ballot in a voting booth does prevent vote buying, and intimidation to vote a certain way. It does not prevent intimidation from going to the polling place, and such intimidation is quite common in new democracies. The main reason to consider SMS or computer voting is if you fear low voter turnout because of various factors, ranging from having long distances to travel to get to the polls to intimidation. And indeed to apathy, because there are many who would vote if they could do it at home but who would not take time to trek to a polling station even a modest distance away.

For these reasons, I would only recommend electronic voting when the risk of low turnout is very high, and only on a short term basis. I present these plans because many presume that electronic voting is always at risk because the network and terminal may be compromised. In my scheme above, the danger points are the servers that receive the SMSs, the systems that print the special ballots, and to a lesser extent denial of service attacks on the entire network.

Oregon's mail-in system gives up secret ballot. That is a major risk, and probably not an acceptable one in a volatile country.

/selling is definitely the problem with any voting method (a different thing from the vote *counting* method) which doesn't require people to come to a public place of some type.

I don't have any snap answers for your other questions, but I'm happy to see that you didn't miss that point, as so many do.
