I like the idea, but this
“Be verifiable - you should be able to see your own vote.”
is an anti-goal. Voting systems are set up to prevent you from seeing how you voted.
This may seem backwards at first, but consider this: under a system where you can see your own vote, you can voluntarily offer up proof of your vote to 3rd parties. While this isn’t an issue for those of us with good work/family/friends, it is a huge problem for people in abusive relationships, or children (who can vote, but are still living with their parents). Suddenly it becomes possible (even if made illegal!) for a spouse to demand to see their partner’s voting record; or for a parent to force their child to reveal how he/she voted.
And then there’s obviously the issue of “buying votes.” Right now, if you said to me “I’ll pay you $20 to vote for candidate X” I could say “yeah sure” and then vote for whoever I want. This would not be the case under a verifiable system, where you could say “prove that you voted for candidate X for your $20”. Obviously this would be highly illegal, and I’d argue that it wouldn’t happen very often, but it is an issue that doesn’t happen under the current system.
Anyway, I love the idea of crypto voting, but being verifiable is very bad. It brings our voting system from one where votes are anonymous, to one where others can verify how you voted if they drug you and beat you with a $5 wrench [https://xkcd.com/538/].
[Comment removed by author]
Doesn’t this create the same issues outlined above, just with a ‘voted/not-voted’ situation?
Yes, but vote-buying “the fact that you voted” is not a thing. Hell, there’s nothing stopping you from turning in an empty ballot if somebody pays you to show up and vote “something”. Now is an abusive spouse going to beat their husband for not voting at all? I doubt it. Coercion just-to-vote is not as damaging as coercion to vote a certain way.
So I 100% see the point you are making here, but I see this more as not fixing an already existing problem rather than creating a new one, ultimately coming from the fact that we have mail in ballots in all but 7 states.
For example, say I want to make a quick $20 bucks from the election. I apply for a mail in ballot, fill it out, and then send it to the mayor’s re-election campaign office. This office checks that my ballot is filled out how I said it would be, and then sends it along to the voting officials, and pays me $20. Alternatively, if I live with a controlling parent/partner/other, they can verify my ballot is the way they want it before sending it.
The solution to this is similar to the solution for the mail in problem, which is vote invalidation. The idea is that I can vote as many times as I want, and each time I will get a different identifier. However, only the last vote I make will actually be counted. This allows me to vote however an outside force compels me to, so I have verification, and then vote again with how I truly feel. As an added bonus, we get the solution to people who fat finger the button or otherwise see that their vote is different than they wanted after they go home and check the block chain.
The downside to this solution is that it would be easier to DDOS the system by sending massive amounts of votes, because you would need to add every vote to the block chain. I’m not sure how this problem would be solved, but it doesn’t sound intractable.
I don’t have a solution for the DDOS but wouldn’t proof of work make it too expensive to generate massive amounts of valid votes, bloating the block chain?
One problem here is that it wouldn’t be possible to also verify that your vote (the last one you submitted) was included in the results (as your sibling commenter suggested) because then outside actors would be able to verify that you hadn’t overridden the vote you showed to them. It’s a tricky problem… :-)
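The last-vote-wins scheme from this sub-thread, as an added example that is not part of any commenter's post: a hash-chained log where every cast returns a new receipt, only the latest ballot per voter token is tallied, and checking a receipt for inclusion reveals whether it was overridden. The class name, the pseudonymous `voter_token` and the status strings are assumptions made for illustration; ballot secrecy and voter authentication are not modelled.

```python
import hashlib, json, secrets

GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class BallotLog:
    """Append-only, hash-chained ballot log (stand-in for the thread's block chain)."""

    def __init__(self):
        self.entries = []

    def cast(self, voter_token, choice):
        """Append a ballot; every cast returns a fresh receipt identifier."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"voter": voter_token, "choice": choice,
                "receipt": secrets.token_hex(8), "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})
        return body["receipt"]

    def chain_ok(self):
        """Recompute every link; an edited or dropped entry breaks the chain."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def tally(self):
        """Only the last ballot cast under each voter token is counted."""
        last = {e["voter"]: e["choice"] for e in self.entries}
        counts = {}
        for choice in last.values():
            counts[choice] = counts.get(choice, 0) + 1
        return counts

    def receipt_status(self, receipt):
        """What anyone holding a receipt learns if inclusion can be checked."""
        for i, e in enumerate(self.entries):
            if e["receipt"] == receipt:
                later = any(x["voter"] == e["voter"] for x in self.entries[i + 1:])
                return "superseded" if later else "counted"
        return "unknown"
```

A receipt shown to a third party and later overridden reports `superseded`, which is the leak the reply above describes: inclusion checks and undetectable re-voting cannot both be offered on the same receipt.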
or we just do it by making crosses on paper, which has all properties one wants.
if that doesn’t work, there are other problems not related to the voting mechanism.
The problem is you get a lot of invalid ballots. People don’t fill in the circle, they draw an X. They fill in the circle, then erase it a little. They fill it in, then scratch it out and draw an arrow pointing at the other candidate.
Electronic ballots have the potential to be type safe, in programming terminology.
I think perhaps the advantage of electronic voting is just that the votes would be counted quicker?
Cheaper, too. There are great, obvious benefits and tremendous, nearly-invisible risks.
Why the fuck do you need block chain for everything?
1. Everyone should register their Public Key with a central server.
2. Everyone can vote with the Candidate’s Public Key and sign with their Private key.
3. A vote is a bloody byte at best. The costs of the server are trivial at best.
4. Let them fucking vote at their leisure after reading the manifesto or something.
5. Once the vote is done open up the damn data to let everyone verify the final counts with their signatures.
I agree with what I take to be your overall point - blockchains solve a very specific category of problem, and it’s frustrating how many people talk about applying them to things where they add enormous overhead for no benefit. I think, in particular, people think they’re magic anonymity sauce, although they don’t actually provide anonymity at all.
I do think that the non-tampering properties offered by blockchains are worth thinking about here, but @zeebo’s suggested properties elsewhere in the thread make even more sense to me, and I don’t see that a blockchain would be useful for those.
This is more-or-less how it’s done in Estonia, except:
Seems like a Paradise.
Haha, not particularly. But at least online voting works.
It works because you can be quite sure that your government doesn’t make your life miserable if you vote wrong. I wouldn’t say Estonia’s system would work nicely in Russia for example :)
Absolutely right, indeed.
This is a particularly bad design for several reasons:
That’s why verifiable voting systems need to be built on zero knowledge proofs and/or (partially) homomorphic encryption. Ignoring the practicalities of actually deploying a system like this, I think what you actually want looks a little more like this:
I think much of this can be accomplished with pairings-based cryptography and algebraic circuits, at least until large quantum computers are built.
Anonymity is not included in the list of criteria when it is probably the most important of all. This scheme leaks who voted for whom to the government.
Ability to verify that your own vote was counted and recorded as you wanted is equivalent to ability to verify that someone else’s vote was counted and recorded as you wanted. It enables bribery and abuse.
Publishing the results as you go along is a bad idea. In the UK (but not the US or Canada) it’s illegal to start revealing results until every polling station has closed, because elections should be run under scientific conditions to as great a degree as possible. If voters can change their vote based on the votes of people who arrived before them, it greatly increases the potential for tactical voting.
Agreed. Although revealing who voted at all is already public record, and arguably a good thing.
Yes, revealing who voted is altogether different from revealing how they voted — at least as long as there is more than one sincere candidate on the ballot.
False. You can have zero knowledge proofs that your vote was counted without revealing who you voted for
Okay, you can prove your vote was counted, but not that it was counted correctly.
Possibly? Surely you can reveal encrypted results that let people audit the process without revealing what any of the votes are.
If you only reveal the number of votes and not the pattern, it should be fine.
I was under the impression that the mathematically correct way to do voting with cryptography was figured out quite awhile ago and the problem is the technology. If you need a computer it’s just not possible to ensure that computer is secured against fraud. Is that incorrect?
Voting has two very important, totally conflicting requirements:
I don’t see a way to perform voting electronically without either compromising one of the requirements or making vote tampering even easier than it is now.
Currently election voting fulfills both of those goals by limiting the amount of votes per person to one and physically separating strong validation of the person’s identity + vote available status checking from actual candidate selection. The person’s voter ID is consumed, double voting is prevented and the voter ID cannot be combined with the actual vote.
Sure, one cannot be sure that your vote really has been counted for the candidate you selected, but that is why there should be an independent body supervising the election (from UN, etc). The upcome is that if you cannot check who you voted for, no one else can, not even your own government. In case of oppressive governments, this requirement is absolutely needed or otherwise people won’t be able to vote at all. Also, even when the government systemically affects the voting process it will be caught (for example, statistical proofs of vote tampering in Russia).
With electronic voting, to prevent double voting or voting on behalf of other people, the strong verification of person + vote counting requires that everyone either has a public key (Estonia’s model?) or some kind of generated vote voucher ID. In the first case it is obvious how easy it is to tie the vote to the person who made it. In the second case one can, behind the scenes, keep track of who gets which ID and use that to tie people to their votes.
Even if there is a voting implementation which would fulfill both rules, how does the voter know that implementation is running? Physical separation is easy to check and just walk away if necessary, which gives another layer of protection.