by ralmeida 3517 days ago
One method of avoiding fraud in electronic voting systems is double-voting. It goes as follows:

- Wait until all electronic ballots are set up in their zones on election day.
- Randomly (this can even be done in a public, audited draw) select a few ballots to test.
- Remove those ballots from use and replace them with spares.
- Now, somebody publicly double votes on the tested ballot: they publicly vote for candidate X in the ballot, and on paper (although just showing the vote allows any observer to keep count indefinitely).
- At the end of the test, print the count from the tested ballot and verify that it is accurate to the publicly counted votes.

What do you think about this?

IMO, while not totally fool-proof, this brings the cost of manipulating electronic elections rather close to paper elections, if the following assumptions hold:

- The draw is fair, so a malicious actor could not program only the selected ballots to be fair;
- The chain of custody of the ballot is solid (easy to do if there are party auditors that never lose sight of the ballots), or that the ballot is not moved out of the sight of the public instead;
- There's no available method to make the ballot know it's being tested, and change its behavior (like in the VW emissions scandal).

The last point is tougher, although auditable source code, code-signing, and reproduction of as many 'true' conditions as the real election (same duration, same time, same voting frequency, etc, maybe going as far as to randomly select normal voters to participate in the process).

2 comments
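
An added illustration of the audit described in the post above, not part of the original thread: a commit-and-reveal draw that any observer can recompute, followed by the hypergeometric chance that testing k of N machines catches at least one of m tampered ones. The commit-reveal scheme, machine IDs, observer names and seeds are constructed assumptions, and the probability assumes a tampered machine that gets tested always shows a count mismatch.

```python
import hashlib
from fractions import Fraction
from math import comb

def commit(seed: bytes, nonce: bytes) -> str:
    """Digest an observer publishes before anyone reveals a seed (16-byte nonce)."""
    return hashlib.sha256(nonce + seed).hexdigest()

def public_draw(machine_ids, commitments, reveals, k):
    """Pick k machines to test; anyone holding the reveals can recompute it."""
    for observer, digest in commitments.items():
        if observer not in reveals or commit(*reveals[observer]) != digest:
            # A missing or altered reveal voids the draw instead of biasing it.
            raise ValueError(f"bad or missing reveal from {observer}")
    joint = hashlib.sha256()
    for observer in sorted(commitments):
        joint.update(hashlib.sha256(reveals[observer][0]).digest())
    seed = joint.digest()
    # Rank machines by SHA-256(seed || id); the k lowest ranks are tested.
    ranked = sorted(machine_ids, key=lambda m: hashlib.sha256(seed + m.encode()).digest())
    return ranked[:k]

def detection_probability(total, tampered, tested):
    """Chance that at least one tampered machine is among those tested."""
    # comb() returns 0 when tested > total - tampered, giving probability 1.
    return 1 - Fraction(comb(total - tampered, tested), comb(total, tested))

def machines_to_test(total, tampered, confidence):
    """Smallest sample size whose detection probability reaches confidence."""
    if tampered < 1:
        raise ValueError("need at least one tampered machine to detect")
    for k in range(total + 1):
        if detection_probability(total, tampered, k) >= confidence:
            return k

# Constructed sample data: 20 machines, three observers with their own seeds.
MACHINES = [f"M{n:03d}" for n in range(1, 21)]
REVEALS = {
    "party_a": (b"seed chosen by A", b"A" * 16),
    "party_b": (b"seed chosen by B", b"B" * 16),
    "press": (b"seed chosen by press", b"P" * 16),
}
COMMITMENTS = {name: commit(seed, nonce) for name, (seed, nonce) in REVEALS.items()}

if __name__ == "__main__":
    print("machines to test:", public_draw(MACHINES, COMMITMENTS, REVEALS, 3))
    print("P(detect), 2 of 100 tampered, 50 tested:", detection_probability(100, 2, 50))
    print("tests needed for 95% when 1 of 100 is tampered:", machines_to_test(100, 1, 0.95))
```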

My question is why? Why is everyone so eager to replace paper ballots? What problem does electronic voting solve?

Paper votes work, and they work well. Besides the obvious downside of needing to wait for them to be counted, they are safe, open, they don't break down, they can't be hacked, anyone can verify them, and they are 100% anonymous.

At worst, you'd need many people to collude to stuff a single ballot box in a single district, and even that can be thwarted by a single person watching the ballot box all day.

So what's the gain with electronic?

If we presume that the promoters of the idea are intelligent and understand the consequences, then why is it not reasonable to think that the ability to affect elections or otherwise weaken the electoral system is the gain they seek?

I feel that misunderstanding and ignorance is more to blame than malice.

Many programmers know about the "beauty" of encryption and secure voting algorithms. They know that open source works, and it's really tempting to try and think up a system that is "perfect" and can't be gamed by anyone.

But this is an instance where messier and less "perfect" is better, because the absolute worst case scenario of being able to actually change the election is so much harder with paper, and anything less than that worst case scenario doesn't change anything (and still has all of the risks and downsides).

I personally am eager to replace paper ballots with electronic in a vastly different voting system. But it would have to be a cryptographically sound electronic voting system that runs as open source on the users' machines and is publicly verifiable.

The reason I want this is because it allows much more fine-grained voting. My ideal democracy is a direct democracy where every voter can, if he/she chooses, vote on arbitrary issues, but _delegate_ their vote to someone else by default. As an example: "I politically align with Bernie Sanders, so I want by default my vote to delegate to whatever he's voting for, but for issue X I vote Y."

In an ideal world you could even delegate votes based on "tags", e.g. for Internal Affairs you choose X, and Economy Y, etc. But that seems fairly easy to manipulate by whoever is assigning the tags to issues.

There are a lot of unresolved issues around the notion of direct democracy. Referenda prove this point — e.g., the Brexit referendum and the EU-Ukraine association pact referendum in the Netherlands. In both cases media and pressure groups hijacked the process of forming an objective informed opinion, and in the Dutch case most people didn't even fully grasp what they were voting for — they just voted against out of discontent.

I am sure that there are ways to improve citizen participation in the democratic system, but directly voting on issues is not going to give us the sensible behaviour you might hope for. Representational democracy exists in part to prevent minorities from abuse by any majority — with direct democracy you eliminate that protection.

I am aware of the issues of direct democracy, but my hope is that the "defer by default" prevents most of the issues. On top of that there'd have to be education that makes people wary of others that try to convince them to specifically vote for issues that they didn't have a strong opinion on before.

Electronic voting makes superior voting systems like Condorcet methods possible. Paper ballots are only really best at first past the post, which is by far the worst system of voting.

Germany has no first past the post election system and elections here work perfectly fine using paper ballots. On a regional level, elections can actually get quite complicated with options to strike candidates and add multiple votes to a candidate.

It's certainly more work to count those votes, but on the other hand, everybody is entitled to go check the vote count and everybody can do so with no technical knowledge needed. Any system that requires the observer to be firm in a given piece of technology is not a superior system since it removes people's ability to exert their right to check the public vote.

I was wrong, you can implement some alternative vote systems with paper ballots (and more work for the vote counters.) I don't like those systems personally, as I mentioned in the above comment. I don't think it would be possible to implement a system I do like, like Condorcet voting, without mechanically counting votes.

Mechanical counting is not the same as electronic voting.

Equally mysteriously in the definition games, optical scanned paper ballots are never considered the same as electronic voting, although it's possibly the only unhackable cheap system out there, and it's just as fast, if not faster.

Also frankly more people are familiar with the UI of "#2 pencil and piece of paper" than any electronic UI I can think of or imagine, which is somewhat damning for cultural reasons on this site resulting in it being double plus ungood badthink to imply anything could be superior to contemporary trends in web and phone app UIs.

Nonsense. There are plenty of fairer voting methods that can, and do, use paper ballots. STV, Additional Member systems, Party List systems. These are in use throughout the world for national elections.

All of those would require changing the constitution and the structure of congress (basically impossible), and wouldn't work on things like presidential elections to begin with.

I also have other issues with them. Like runoff voting systems drop a moderate candidate that most people would prefer in a 1 on 1 election, but isn't listed as enough people's second vote. Resulting in more extreme, less liked, candidates getting elected. It's better than FPTP, but not by much.

> they can't be hacked

Not so sure, the paper ballot system may have been hacked in 2000 US election. The other criminal activities of the Bush family make it more suspect, IMO.

If I understand this correctly, you want to randomly force someone to make their vote public.

This makes voter intimidation real easy. Just say: "if anyone's vote is made public and not for candidate X, I will murder them and their family". That basically turns voting for candidate Y into gambling with the life of your entire family.

The votes in the tested ballots are not counted in the election itself. A member of the public can secretly vote for their preferred candidate, and vote for an entirely different candidate in the auditing.

There's a strangely convoluted yet simpler solution where half the ballots are filled in by a poll worker rolling DnD dice and half are filled out by the voter. Voter puts their two ballots into random two piles. Then count and publish a random half the ballots and shred the other half stack. Each voter knows and can prove to anyone that at least one of two known votes was correctly counted but can't prove if the ballot was filled out by voter or poll worker using dice. Assuming the DnD dice the poll worker used are fair, the result of the election will not vary especially in our highly gerrymandered non swing states. You'd need some statistical math to prove if half the votes are purely random and the results are 50.0001 vs 49.999 then you need (or don't need?) to rerun the election. Very few people's votes matter and in those districts they might have to rerun a couple times to get statistically verifiable results.

This helps with ballot stuffing, if 200 voters in the district verified their vote and election monitors counted about 200 people walked thru the door but the corrupt system published half the ballots online and there's 500 of them implying 1000 voters, well, someone faked an extra 800 voters.

The problem is complicated and you can't actually use DnD dice because most disenfranchised voters fill out straight ticket ballots and are therefore not part of the decision making fraction of the population, so someone could pay or punish based on votes exactly half their victims who don't have a ballot that looks like it was made by a purely random DnD dice roller. So you actually have to figure the percentage of people last time around who voted like whatever logical scheme, then make the poll worker fill in ballots that look like a reasonable ballot from last time around. "VLM you get serial number 200 and I as poll worker fill out serial number 201 and looks like your "random" historical voter for 201 is straight ticket R"

Also you can't let the voter pick the ballot he fills out because then Mr bad guy can kill any odd serial numbered voter for Trump because he told his employees or students or whatever they must select and vote the odd one never the even one, so half the random ballots being odd means trouble for half the voters. Face down pick one might be OK.

Note that under this scheme it might be safe to even publish the name of both ballots, just so long as a random half get shredded.

Any individual poll worker with a photographic memory could theoretically sell a list of ballots he filled out vs the voter filled out but it's purely he-said-she-said and the poll worker's memorization job will be hundreds of times larger than a voter's memorization job so I think it incredibly likely the voter will be trusted to lie as best serves him rather than the poll worker be trusted to tell the truth.

How the random half get shredded is likely going to be a sticking point. It has to be visually enforced the entire voting period that each voter puts one ballot in one pile and one in the other and when polls close the observers do a coin flipping cryptographic protocol and immediately shred one random stack. You can't shuffle them all and then shred or whatever. Someone putting both ballots in one pile will screw things up. There are trivial ways to enforce this of course.

A list of all my historical published votes would after decades provide a random signal and a pattern of my own voting. However my own voting makes a random signal for some other dude, and today any goofball who wants to discriminate can pull the district records and know the couple hundred of us who vote here always vote about 80% R so although discrimination would be possible it wouldn't be any easier or more effective than it is today anyway. Go ahead, knowing nothing other than I live in an 80% R district take a guess what I usually vote...

Technically this scheme disenfranchises a completely random half the population. Well, since only half the population votes you only disenfranchised a quarter. Only half the population votes anyway is a good justification for tossing out a random half the actual votes and replacing them with cryptographically strong noise. I suppose to satisfy dumb people who don't understand statistics you could run two elections and tell the dumber people that half their votes got tossed each time so ta da now all your votes got counted once across the two, but that's numerically unethical.

Another interesting thing I came across is [ThreeBallot](https://en.wikipedia.org/wiki/ThreeBallot). It has some non-obvious but solvable issues with non-binary votes (essentially like your system).

A weakness I see in both your system and ThreeBallot, is the need to trust in some decision maker to act correctly. You need the poll worker to actually work randomly (and not have awesome memory), ThreeBallot needs a way to confirm ballots are entered correctly.

I think the biggest sticking point with your system is the random aspect. We are essentially introducing noise into the votes. The noise might be negligible, but it impacts people's perception massively. There is also the challenge issue, because you'd need some arbitrary cut-off on the probability of the noise being too large. After all, the chance is technically nonzero that all random votes went the same way, and only the random votes were counted.