Holding an election over SMS
In 2004, I described a system that would allow secure voting over an insecure internet and PC. Of late, I have been pondering the question of how to build a "turn-key democracy kit" -- a suite of tools and services that could be used by a newly born democracy to smoothly create a new state. We've seen a surprising number of new states and revolutions in the last few years, and I expect we'll see more.
One likely goal after any revolution is to quickly hold some sort of meaningful election so that it's clear the new regime has popular support and is not just another autocracy replacing the old one. You don't have time to elect a full government (and may not want to due to passions) but at some point you need some sort of government that is accountable to the people to oversee the transition to a stable democracy.
This may create a need for a quick, cheap, simple and reliable election. Even though I am generally quite opposed to the use of voting machines, particularly voting machines which only record results in digital form, there are a number of advantages to digital voting over cell phones and PCs in a new country, at least in a country that has a digital or mobile phone infrastructure established enough so that everybody, even if they don't have a phone, knows someone who has one.
- In a new country, fresh out of autocracy, powerful forces will oppose the election. They will often try to prevent it or block voters.
- A common technique is intimidation, scaring people away from voting with threats of violence around polling places.
- The attacks against digital voting systems tend to require both sophistication and advanced planning.
- For a revolutionary election, the digital voting systems may well be brought in and operated by disinterested foreign parties, backed by the U.N. or other agencies.
- An electronic system is also immune to problems like boxes of ballots disappearing or being stuffed or altered.
It may be judged that the risks of corruption of a digital or partially digital election may be less than the risks of a traditional polling place election in a volatile area. It may also be hard to build and operate trustable polling places in remote locations, and do it quickly.
The big issue I see is maintaining secret ballot. It is difficult to protect secret ballot with remote voting, and much easier in polling-station voting. If secret ballot is not adequately protected, forces could use intimidation to make sure people vote the right way, or in some cases to buy votes. I am not sure I have a really good solution to this and welcome input; this is an idea in the making. The basic system works like this:
- A secured truck goes out and offers voter registration. This might consist of an ID check or just thumb dye.
- Registered voters get a special envelope with between 5 to 10 "ballot" pages. On the envelope is a removable sticker with a number from 1 to 6 (or perhaps a word.) The voter must memorize the number, and then it is removed and destroyed before they leave.
- Operations must be supervised and videotaped to assure that ballots are not stolen or misappropriated, and that all unassigned ballots are returned.
- Inside the envelope are different ballots. Only the one marked with the number or word memorized is a usable ballot. The rest all appear to work but in fact will not.
- Each ballot is a list of number pairs. The first number is the number to vote for a choice. After it is a confirmation number/string. Each ballot is different, and may have a master number that also is used in all voting sessions (to keep the other numbers short.)
- To vote for a choice, the voter enters the appropriate number on a PC, or in a text message as indicated. They will receive a response which should be the confirmation number.
- If they get the confirmation number, it means their vote was received. If not, it may not have been.
- After voting they are encouraged to delete the texts from the phone they used, and to destroy all the ballots.
As you can see, the PC, the internet and the mobile system can't understand the votes going through, or interfere with them. If the right response string comes back, the voter is sure their vote reached the central system. The operator can block the vote, but the voter will know they did this because they did not get the confirmation number. Any bulk blocking of votes will cause much complaint, and attempts at re-vote.
How do we preserve secret ballot? Only the voter knows which of the ballots in her envelope is the working one. They can readily pretend to vote with any of the others in front of somebody, or sell a non-working ballot sheet.
The big question is what happens if more than one sheet from a voter is voted. If they are all voted, we must discard the ballot, as a vote buyer could just buy the whole envelope and vote them all. On the other hand, if two are voted, this could be because one was voted in front of a vote-buyer or intimidator, but the voter also votes the working one before or after. If two are allowed, but not three, the vote buyer could vote two of them, but still only have a modest chance of getting the right one. They would, however, stop the real voter from voting.
To help combat this, the packets contain an unknown number of ballots. Thus if a vote buyer asks for all the ballots, they can never be sure they got all of them, unless they can hit the person up right after walking out of the ballot distribution station. The voter might keep the real one hidden elsewhere and deliver a packet with all bogus ballots.
What if the same ballot is voted twice? The voter might choose between two options:
- The first vote using the ballot has precedence. The voter should vote ASAP and then can freely sell the ballot to a sucker.
- Multiple uses of the same codes nullifies the vote. To be used if you fear the goons will get to you before you can vote.
I am not yet satisfied with these solutions.
Who's counting the votes? Ideally a foreign NGO with no interest in the election, with machines brought in from overseas, which connect to the mobile network and internet but with logging which records all incoming vote codes and responses to an audit printout. An audit committee would later get access to whatever secrets allow the decoding of the vote numbers, confirmation codes and valid vs. fake ballots.
- You must trust the ballot distributors. Each trip needs observers, possibly from different sides, to assure everything. That ballots are handed out only to voters -- one per voter, that secret tags are destroyed, that nobody records who got what ballot etc.
- This method can be mixed with traditional polling places. It might be used only where there is fear of intimidation around the polling place. The dye must last long enough to mark voters.
- If there is a workable ID system it could be used instead of dye, but many new nations don't have a voter registration database.
- As described, this is a bit too complex. It needs to be simpler for people who may never have voted before.
- Literacy may be a question in some countries, and a printed sheet won't do it.