Fraud-resistant voting protocols
In attempting to implement a large-scale voting system, one major concern is cheating, which may be committed by either the voters or the votees (by which I mean those administering the vote). Here are some ideas about how to fight many types of voting fraud. There is certainly a significant body of existing research related to voting so please excuse (and enlighten) me concerning any obviously-pertinent omissions.
Voting, version 0
Everyone registers ahead of time (to prevent illegal folks from participating). At the time of the vote, each voter must arrive at a local designated voting station where their registration is confirmed and they submit the information they wish to have counted on their behalf. Everyone trusts the administration to fairly count all votes accurately, and shortly thereafter the winners are announced.
This is meant to model the present voting scenario in the US. Here are the problems with this model:
1) Any errors or corruption within the administration are virtually invisible to the voting population. Logically, we only know if something has gone wrong when we vote for someone and the tally indicates they got zero votes. This very case occurred recently (which inspired me to start thinking about these challenges).
2) A voter may complain that their vote was mis-counted but we have no way of confirming or denying the voter's claim.
The following version is a very easy fix for some of these issues, but not all:
Voting, version 1
At the time of voting, each voter is given a secret unique id number which only the administration and the voter know. Once the voting is complete, two separate lists are published in a publicly accessible manner:
- Each unique id along with all the information of that person's vote
- Enough information (such as their name and zip code, e.g.) to uniquely identify each person who voted
But there are still problems with this system. Of course, some people are likely to object to having their names published - I'm not sure how to fix that (any ideas?). In addition, suppose a voter claims that his vote was not counted correctly. The voter knows the truth, but the administration still has no means to confirm the voter's claim. Although this system gives the voters close to complete knowledge of the fidelity of the tally, it does not afford a recourse in the case of an invalid count.
Hence, let us now consider
Voting, version 2
This case is an augmentation to version 1. Now we assume that all parties - voters and the administration - each have a means of digitally signing all transactions. (This unfortunately assumes that all voters have some access to a computer they can trust in order to generate a public/private key pair.) In order to vote, a person must submit a digitally signed form including their vote. Once the vote is received, they will immediately obtain a receipt, signed by the administration and confirming the information of that voter's choices.
This solves the problem of how to respond to a claim of an incorrect vote tally. If a voter claims a mistake has been made, they may back up their claim with the signed receipt they received. If a voter claims that their vote was mistakenly not counted at all, the administration can provide the signed vote they submitted. In either case the evidence or lack thereof is a strong indication in favor of one party or the other.
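The version 2 exchange and both dispute cases, as an added example that is not part of the original post. Lamport one-time hash signatures stand in for whichever signature scheme would really be used, so the code needs only the Python standard library; the function names, the `voter_id` field and the sample values are assumptions.

```python
import hashlib, json, secrets

def H(b): return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 secret pairs; the public key is their hashes.
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    return sk, [[H(s) for s in pair] for pair in sk]

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):  # reveals one secret per digest bit, so use each key once
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def encode(obj):  # canonical bytes so both parties sign the same thing
    return json.dumps(obj, sort_keys=True).encode()

def cast_vote(voter_sk, voter_id, choice):
    ballot = {"voter_id": voter_id, "choice": choice}
    return ballot, sign(voter_sk, encode(ballot))

def issue_receipt(admin_sk, voter_pk, ballot, ballot_sig):
    # The administration rejects ballots whose voter signature does not verify.
    if not verify(voter_pk, encode(ballot), ballot_sig):
        return None
    receipt = {"received": ballot}
    return receipt, sign(admin_sk, encode(receipt))

def resolve_miscount(admin_pk, published_choice, receipt, receipt_sig):
    # Voter claims the published entry differs from the vote they cast.
    if not verify(admin_pk, encode(receipt), receipt_sig):
        return "rejected: receipt not signed by the administration"
    if receipt["received"]["choice"] != published_choice:
        return "upheld: published vote contradicts the signed receipt"
    return "rejected: published vote matches the receipt"

def resolve_not_counted(voter_pk, ballot, ballot_sig):
    # Voter claims no vote was recorded; the administration shows the signed vote.
    return verify(voter_pk, encode(ballot), ballot_sig)

if __name__ == "__main__":
    vsk, vpk = keygen(); ask, apk = keygen()            # constructed sample parties
    ballot, bsig = cast_vote(vsk, "id-1234", "Alice")   # constructed sample values
    receipt, rsig = issue_receipt(ask, vpk, ballot, bsig)
    print(resolve_miscount(apk, "Bob", receipt, rsig))
```

Because a Lamport key signs only one message safely, each party here signs exactly once; an administration issuing many receipts would need a many-time signature scheme.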
However, in the end, there remains the issue of voter privacy and verifiability. If we do publish, say, the names and addresses of all voters, who in reality would confirm their existence? Moreover, who would want to have strangers knocking on their door simply to check that they're not a fake voter? In the end it seems the fundamental problem of confirming that a person is real is the core challenge remaining here -- especially while protecting as much privacy as we reasonably can. Ideas?
1 Comment:
Perhaps you could use some kind of physical system to maintain the tally. Theme parks will use turnstiles to keep a count of the people who entered. You would have to ensure that each voter only entered once and you would have to figure out a way to ensure that many different things were not tampered with.
The turnstile, or whatever, could use an internal memory to keep a log of the times that each person entered. This way, you have to have a physical being going through at a specific time during the voting day.
You could use something to broadcast this tally for public viewing.
I don't know. Just a thought.