| Some interesting points, thanks for the reply. > Do you think this is how paper ballots work? It was definitely a hyperbole. But I think there is a lot of assumption of trust in the status quo, and I think we are frequently let down by that assumption. Not all the time. It's not an apocalypse. But we could do better. > more difficult to subvert at scale That's a great point. If you have a single point of failure through E2E, then individual attacks are much more significant. Nationwide elections are often decided by a handful of key districts though. And the different systems in all these districts can make it hard to detect whether things are broken by design or coincidence. Tools from distributed consensus could make tampering more obvious in one large system. But you're right, in general E2E makes this harder, not easier. > ballots require both ballot secrecy and democratic legitimacy 100% agree. But this is an issue for paper too. If we allow paper receipts, you can later verify your vote, but you can also sell the receipt, destroying the secret ballot. Secrecy and verifiability seem impossible to reconcile at first glance. But there are actually ways to do this through repudiation that might work for either paper or electronic voting. Estonia's model has other flaws, but had an interesting solution here. They went as far as internet voting. So, worst case, imagine the local boss is at your apartment with a gun to your head, you vote online. But the trick was, any time after that you could walk into a polling place and cast an overriding vote that cancels the earlier vote. That's just one example of this technique, and weeks long elections probably wouldn't work for our system. But the general idea of repudiation or false votes is a useful tool. With paper receipts, you could allow citizens to print false receipts at the polls as well, then that would preserve the secret ballot. Unfortunately it could also make it impossible for them to prove miscounting. If the FEC and the voter had two shared secrets, one that unlocks the true vote and one that unlocks a false vote, you could accomplish both goals. You could have a deniable vote, but where the voter and the FEC could only prove to each other which one was correct. I'm not sure you get the same guarantees with paper at scale. But maybe receipts with dummy receipts would get close enough. I think another argument you could make is based on federalism. We currently have a system that guarantees every local polity can make whatever decisions they want about how to run their elections, out of a respect for distributed powers. E2E is not a good solution if we just have a hard requirement for distributed management of elections. Appreciate the response. I am still grappling with a lot of these issues, and place enormous value on getting the conversation away from "paper good, electrons bad" to an open discussion of why we all have those really strong assumptions. |
Electronic voting lowers the bar because it moves away from physical representation of people and ballots. Mail-in makes it easier to game for the same reason.