Benlog

security, privacy, transparency.
« Princeton, Diebold, and the elephant in the room.
A Talk on the History of Cryptographic Voting »

The Secret Ballot is not Optional

Filed under: crypto, policy, voting — September 20, 2006 @ 2:57 pm

Over on Scott Aaronson’s blog, I read an interesting post about voting, and one comment from Bram Cohen regarding a new voting proposal called VoiceVote. A few minutes into reading the proposal, I find the following:

Why VOICE Permits Voters to Retain a Paper Copy of Their Ballot

Giving the voter a paper record of the ballot is a step toward voter empowerment, because it contains a digital signature that proves that it was legitimately cast. This record does not violate the secrecy of the vote – it remains the decision of the voter alone whether to disclose how she or he voted. But possession of the paper record of the ballot does permit the voter to take ownership of their own vote in a qualitatively new way – namely, by assuring that it was not tampered with after it was cast. The right to vote is meaningless unless it is backed by the right to guarantee that the vote is properly counted.

It sounds like a great idea—control your own privacy!—but where voting is concerned, it’s not. The Secret Ballot is not Optional. If it were, the election would be coercible. Consider a “friendly office bulletin board” where co-workers are gently encouraged to post their ballot for all to see. Or the same thing at your local church/synagogue/mosque. Or at the union offices. Sure, you don’t have to post your ballot there. But if you don’t, well… it’s pretty clear that you didn’t vote “as expected.”

The Secret Ballot is meant to protect voters from undue influence because individual voters are not expected to be capable of truly protecting themselves. That’s why a voting system must preserve ballot secrecy, even against the wishes of the voters themselves. And that’s one of the many reasons why building a secure voting system is difficult.

In cryptographic voting systems, voters get a receipt of their vote, but the content of the vote on this receipt is encrypted. Thus, vote selling is prevented, but voters still get to verify that their ballot made it into the tally: simply check the voting web site for your encrypted ballot. A separate mechanism allows voters to determine, while they’re in the voting booth, that this encrypted vote really does correspond to their selection. More on that in a later post.