by jacques_chester 2643 days ago
> We certainly wouldn't have these problems if we could just demand that everyone engage in trustworthy behavior.

Do you think this is how paper ballots work?

> It would sound odd, right? Why this one?

Because ballots require both ballot secrecy and democratic legitimacy. You can't have both in an electronic voting system. Cryptographic schemes either claim perfect mixing and anonymisation, in which case it's impossible to detect shenanigans. Or they don't have perfect mixing and anonymisation, in which case it's possible to pierce ballot secrecy.

Paper is unwieldy and you can insert many mutually-distrustful humans into many steps. This makes it exponentially more difficult to subvert at scale without detection.

These are features. Please can we just take a moment to accept that sometimes, atoms are better than electrons.

1 comments

Some interesting points, thanks for the reply.

> Do you think this is how paper ballots work?

It was definitely hyperbole. But I think there is a lot of assumption of trust in the status quo, and I think we are frequently let down by that assumption. Not all the time. It's not an apocalypse. But we could do better.

> more difficult to subvert at scale

That's a great point. If you have a single point of failure through E2E, then individual attacks are much more significant.

Nationwide elections are often decided by a handful of key districts though. And the different systems in all these districts can make it hard to detect whether things are broken by design or coincidence. Tools from distributed consensus could make tampering more obvious in one large system.

But you're right, in general E2E makes this harder, not easier.

> ballots require both ballot secrecy and democratic legitimacy

100% agree. But this is an issue for paper too. If we allow paper receipts, you can later verify your vote, but you can also sell the receipt, destroying the secret ballot.

Secrecy and verifiability seem impossible to reconcile at first glance. But there are actually ways to do this through repudiation that might work for either paper or electronic voting.

Estonia's model has other flaws, but had an interesting solution here. They went as far as internet voting. So, worst case, imagine the local boss is at your apartment with a gun to your head, you vote online. But the trick was, any time after that you could walk into a polling place and cast an overriding vote that cancels the earlier vote. That's just one example of this technique, and weeks-long elections probably wouldn't work for our system. But the general idea of repudiation or false votes is a useful tool.

With paper receipts, you could allow citizens to print false receipts at the polls as well; then that would preserve the secret ballot. Unfortunately it could also make it impossible for them to prove miscounting.

If the FEC and the voter had two shared secrets, one that unlocks the true vote and one that unlocks a false vote, you could accomplish both goals. You could have a deniable vote, but where the voter and the FEC could only prove to each other which one was correct.

I'm not sure you get the same guarantees with paper at scale. But maybe receipts with dummy receipts would get close enough.

I think another argument you could make is based on federalism. We currently have a system that guarantees every local polity can make whatever decisions they want about how to run their elections, out of a respect for distributed powers. E2E is not a good solution if we just have a hard requirement for distributed management of elections.

Appreciate the response. I am still grappling with a lot of these issues, and place enormous value on getting the conversation away from "paper good, electrons bad" to an open discussion of why we all have those really strong assumptions.

We are as a species electronics noobs. Applying our new shiny toys to everything is natural.

Electronic voting lowers the bar because it moves away from physical representation of people and ballots. Mail-in makes it easier to game for the same reason.