
Thursday, November 24, 2016

E-Voting Made Simple (Take 3)

There's a really simple way to enable publicly and personally verifiable online voting without forcing someone to reveal their vote in order to contest it if counted improperly. And it's much easier to understand than any other I've seen proposed.

Most people would use an app on their phone to do it, and the app could be open source and would be easy (for the average programmer) to understand. It could also be done via a standard web browser. And for people who really want to go into a booth you could send them out with printed proof of their vote (without revealing it).

Note we already allow mail-in ballots, so this would not facilitate vote buying or coercion any more than is already possible.

It works like this:

When you are ready to vote, you are assigned a unique, random id number for each item you can vote on. Your ballot comes pre-filled with randomly selected votes from prior voters. (That is, each ballot choice is pre-populated with the id from some prior voter who picked that choice.) When you make a selection, your id overwrites the pre-filled id for that selection. When you are done, you press Go, and the completed card (including your name) is sent to a government server that digitally signs it and returns that signature to you, which becomes your proof that you voted as shown on the card. Critically, the card does not include the original list of your unique ids, which means the signed card is only proof that various people voted for various choices (and in there is proof that you voted for yours--but no proof or indication of which ones were yours!).

Then two lists get collected and publicly posted online: the list of people who voted, and the list of which random ids were assigned to which choices. Everyone can look at their own signed card and compare it against the second list to be sure their votes were published correctly. If there's a discrepancy, they have a cryptographically signed proof of tampering (which does not reveal their vote). Note their voting app could do this automatically--telling them later that yes, their vote was properly registered and published in the publicly accessible list. Conversely, nobody can falsely prove tampering without the private key needed to sign a fake card. Anyone in the world can tally the votes, and verify that the number of votes (for each issue) matches the number of voters (skipped votes would be explicitly marked as such on the card, not merely omitted).
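As an added example (not the author's code), here is a toy Python implementation of the procedure above for a single contest: id assignment, pre-filled cards, signing, the two public lists, the voter's own check, and the public tally. It assumes an HMAC under a server-held key as a stand-in for the digital signature (a real deployment would use an asymmetric signature so anyone can verify with the public key), and the very first voter's unfilled slots simply stay empty because no prior voter exists yet.

```python
import hashlib, hmac, json, secrets

CHOICES = ["alice", "bob", "skip"]  # "skip" is an explicit choice, never an omission


class Authority:
    """Stand-in for the government server: issues ids, signs cards, publishes the two lists."""

    def __init__(self):
        self.key = secrets.token_bytes(32)             # stand-in for a private signing key
        self.voters = []                               # public list 1: who voted
        self.ids_by_choice = {c: [] for c in CHOICES}  # public list 2: which ids chose what
        self.last = {c: None for c in CHOICES}         # latest id per choice, used to pre-fill
        self.issued = set()                            # ids handed out but not yet cast

    def issue_ballot(self):
        vid = secrets.token_hex(8)                     # the voter's unique random id
        self.issued.add(vid)
        return vid, dict(self.last)                    # card pre-filled with prior voters' ids

    def sign(self, card):
        msg = json.dumps(card, sort_keys=True).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def cast(self, name, vid, card):
        self.issued.remove(vid)                        # KeyError: unknown id or double vote
        (choice,) = [c for c, i in card.items() if i == vid]  # exactly one slot overwritten
        self.voters.append(name)
        self.ids_by_choice[choice].append(vid)
        self.last[choice] = vid
        signed = {"name": name, **card}                # the card never says which id was yours
        return signed, self.sign(signed)


def vote(auth, name, choice):
    """Voter's app: take a ballot, overwrite one slot with own id, keep the signed card."""
    vid, card = auth.issue_ballot()
    card[choice] = vid
    signed, sig = auth.cast(name, vid, card)
    return {"card": signed, "sig": sig, "my_id": vid, "my_choice": choice}  # my_* stay private


def verify_receipt(auth, receipt):
    """Signature check plus a look-up of the voter's own id in the published list."""
    sig_ok = hmac.compare_digest(auth.sign(receipt["card"]), receipt["sig"])
    return sig_ok and receipt["my_id"] in auth.ids_by_choice[receipt["my_choice"]]


def tally(auth):
    """Anyone can count per choice and check the total against the number of voters."""
    counts = {c: len(ids) for c, ids in auth.ids_by_choice.items()}
    return counts, sum(counts.values()) == len(auth.voters)
```

Dropping an id from the published list makes that voter's `verify_receipt` fail and breaks the tally-versus-voter-count check, while the voter's signed card still shows nothing about which slot was theirs.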

Note that the signed card can be printed in the case of a voting booth, and is manually verifiable against the public record (still without revealing the holder's vote).

If you are worried the government will keep a record of people's votes and don't want to allow that, you can hand out signing keys to impartial middle-men who sign the cards but only forward aggregate information onward. Or simply stuff that functionality into a black box whose output is publicly monitored (to be only the two aggregated lists), and then light those boxes on fire when the election ends: their job is done, and this destroys the only possible record of who voted for what without losing any of the proof and countability of who voted for what.

I've proposed basically this idea before, but still when I whinge about the lack of e-voting people tell me it's tooo harrrrd. No, it's not.


Simon Funk / simonfunk@gmail.com