Adventures of the Retired Guy

Adventures of the Retired Guy

Stuff and nonsense from a retired guy

18 Nov 2018

Get a receipt for your vote

  • analogy with credit card transactions

    • Large scale -- country wide, billions of transactions per day, can handle peakes like Black Friday with aplomb
    • Customers (voters) transfer credits (votes) to vendors (candidates). Banks (election supervisors) ensure the transfers are correct and also ensure that customers can only spend the same dollar once.
    • Double entry bookkeeping assures integrity of the process. Vote credits and transferred to voter, then to candidate. At any time, you can reconcile all credits
    • Unlike money, vote credits are not completely fungible. A given credit is only good for voting on a particular office or question, and maybe only good for a particular voter's use on that question. Like a cash card might only be good at Target.
    • Key artifact is the receipt given to the voter when the ballot is cast. Receipt shows all the votes, and the voter can check it before leaving. Key challenge: how to make the receipt durable (recoverable if voter loses the piece of paper) and authorotative (records all the voters choices on this ballot) and irreputable (neither voter nor candidate can alter what the receipt records).
    • The receipt, like the vote, is private (how private?) but not anonymous (you definitely can find out which voter cast which ballot, though maybe you need voter's cooperation to learn the name of the voter.)

  • Assurances -- To voter (analogy with credit card account)

    • That I was enabled to vote for each question on the ballot.
      I was under my credit limit
    • That the votes printed on the receipt were credited to the candidate I expected.
      My purchases got me the products I expected
    • That nobody else cast a ballot in my name.
      I'm the only one who could use this card. Unlike a card, I can't give permission for a family member to use the card in my name.

  • Assurances -- to candidate

    • I know how many registred voters were eligable to vote for me
      (how big was the market for my product?)
    • Exactly how many votes did I get
      (exactly what were my sales?)
    • If I suspect an undercount (or an overcount of my opponent), I can audit the count for any question I'm on.

  • Assurances -- to Election Supervisor

    • Election supervisor can tell that a voter voted at most once.
    • Votes automatically tabulated to correct candidate.
    • Can report out how all the vote credits I created were disposed of.

  • Voting process

    • voter registration creates a "voting account", tied by the election supervisor to a legit voter. (photo id, address check...)
    • ballot preparation
      • election supervisor creates the ballot for each precinct, all the questions and all the acceptable options for each question.
    • analogy of sending out mail in ballots to each registered voter -
      Election supervisor adds voting credit to each voting account -- 1 credit for each question on the ballot.
      • credits issued to accounts at the time ballots are finalized, usually before election day.
      • Voter can verify his account has credits (also verifying he has correct ballot).
    • Actually voting the ballot
      • Once credits available on his card, voter can "spend" the credits. This is voting! System ensures voter can only spend the credits in his account, can only spend them in approved ways (that is, unless there is a none of the above or writein, voter must vote for one of the listed candidates, or for none of them).
      • Voting can happen in a walk-in voting station, but can also happen online or on an app. It doesn't matter, because election system trusts the credits originally issued by election supervisor, not the voting tool, and the credits can't be tampered with en-route. -- cert based chain of trust. Users ballot is signed with voting credit issued to just that registered voter.

  • Actual assurances

  • Ways and means

    • Not all or nothing. A given voter or precinct can choose to use new or old, must prevent fraud of double-voting.

Problems this doesn't solve

  1. It's still up to the election supervisor to create the ballot, identify the legit options for each question
  2. It's still up to the election supervisor to grant voting credits to each registered voter and to grant the correct kinds of credits based on voter's precinct.

Fallible humans will fail at these in some cases. Probably no election will ever happen without some error.

The control for each of these is that creating the ballot and registering voters should be stable long before election day (except for last-minute voter registration?). Once it's supposed to be stable, voters can review it and raise questions in time to get issues straightened out. Just as a catalog might have incorrect ordering information, that doeesn't have to prevent the consumer from buying the product (if the product actually exists).