Hacker News

ritzaco today at 1:41 PM

I don't care how much maths and encryption you use, you can't get out of the fact that things can be anonymous (no one can know how you voted) or verifiable (people can prove that you only voted once) but not both.

- Switzerland usually gets around this by knowing where everyone lives and mailing them a piece of paper 'something you have'

- South Africa gets around this by putting ink on your fingernail

I've read quite a bit about the e-voting systems in Switzerland and USA and I just don't see how they thread the needle. At some point, you have to give someone access to a database and they can change that database.

Until we all have government-issued public keys or something, there isn't a technical solution to this? (Genuinely curious if I'm wrong here)


Replies

zahlman today at 6:04 PM

Sure you can, you just need an anonymous voting mechanism that's sufficiently naive. You use the verifiable process to restrict access to that anonymous mechanism.

In Canada, at both federal and provincial levels, you walk up to a desk and identify yourself, are crossed off a list, and handed a paper ballot. You go behind a screen, mark an X on the ballot, fold it up, take it back out to another desk, and put it in the box. It's extraordinarily simple.

> At some point, you have to give someone access to a database and they can change that database.

Well, that kind of fraud is a different issue from someone reading the database and figuring out who someone voted for (you just... don't record identities in the database).

jfengel today at 6:24 PM

The USA threads the needle by simply not having verifiable voting. And it turns out it works pretty well. Despite countless hours and lawsuits dedicated to finding people who voted more than once, only a handful of cases have actually turned up.

It's not that there are no checks. You have to give your name, and they know if you've voted more than once at that station that day. To vote more than once you'd have to pretend to be somebody else, in person, which means that if you're caught you will go to jail.

We could certainly do better, but thus far all efforts to defeat this non-problem are clearly targeted at making it harder for people to vote rather than any kind of election integrity.

dmos62 today at 1:55 PM

You should care how much maths and encryption you use [0][1], because this is not only possible, but there are multiple approaches.

[0] https://satoss.uni.lu/members/jun/papers/CSR13.pdf

[1] https://fc16.ifca.ai/voting/papers/ABBT16.pdf

beautiful_apple today at 2:02 PM

You can have e-voting systems that protect ballot secrecy and are verifiable.

You can use homomorphic encryption or mixnets to prove that:

1) all valid votes were counted

2) no invalid votes were added

3) the totals for each candidate are correct

And you can do that without providing proof of who any particular voter voted for. A few such systems:

https://en.wikipedia.org/wiki/Helios_Voting

https://www.belenios.org/

Authentication to these systems is another issue - there are problems with mailing people credentials (what if they discard them in the trash?).

https://www.cbc.ca/news/canada/ontario-municipal-elections-o...

Estonia (a major adopter of online voting) solves this with the national identity card, which essentially is government issued public/private keys.

https://en.wikipedia.org/wiki/Estonian_identity_card

Lots of cyber risks with the use of online voting though, especially in jurisdictions without standards/certification. I outline many in my thesis which explores the risks to online elections in Ontario, Canada (one of the largest and longest-running users of online voting in the world)

https://uwo.scholaris.ca/items/705a25de-f5df-4f2d-a2c1-a07e9...
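
The homomorphic tallying described in the comment above, as an added example that is not part of the thread and is not Helios or Belenios code. It assumes exponential ElGamal as the additively homomorphic scheme and uses a toy group; all names and parameters are constructed for illustration.

```python
import secrets

# Toy group (constructed for this example, far too small for real use):
# p = 2q + 1 is a safe prime, g generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # election private key
    return x, pow(G, x, P)                    # (sk, pk)

def encrypt(pk, vote):
    """Exponential ElGamal: the vote (0 or 1) sits in the exponent."""
    r = secrets.randbelow(Q - 1) + 1          # fresh randomness per ballot
    return pow(G, r, P), (pow(G, vote, P) * pow(pk, r, P)) % P

def combine(ballots):
    """Multiply ciphertexts component-wise; the hidden plaintexts add up."""
    a, b = 1, 1
    for c1, c2 in ballots:
        a, b = (a * c1) % P, (b * c2) % P
    return a, b

def decrypt_tally(sk, ct, max_votes):
    """Decrypt g^tally, then recover the tally by a bounded search."""
    c1, c2 = ct
    g_m = (c2 * pow(c1, -sk, P)) % P
    for t in range(max_votes + 1):
        if pow(G, t, P) == g_m:
            return t
    raise ValueError("tally outside expected range")

def run_election(votes):
    sk, pk = keygen()
    board = [encrypt(pk, v) for v in votes]   # public list of encrypted ballots
    # Only the combined ciphertext is decrypted, never an individual ballot.
    return board, decrypt_tally(sk, combine(board), len(votes))

if __name__ == "__main__":
    votes = [1, 0, 1, 1, 0, 1, 0]             # constructed sample ballots
    board, tally = run_election(votes)
    print("yes votes:", tally, "of", len(votes))
```

Anyone can recompute `combine` over the published ballots, which is what makes the count checkable. A deployed system additionally needs a proof that each ballot encrypts 0 or 1 and a decryption key split among several trustees, neither of which is shown here.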

nness today at 6:51 PM

Australia has a system where you are anonymous and can prove that you only voted once:

You have to be registered and must vote within your electorate, so your name appears on a certified list for that electorate and each voting location has that list. When you vote, they strike your name from the list.

After the election, the lists from these locations are compared. Anyone who votes twice has their name struck twice, and is investigated for electoral fraud.

Whether people know if you voted or not is immaterial, as voting is mandatory in Australia.

Works pretty well for a paper system.

kanapala today at 1:48 PM

There's a government-issued public & private key right here: https://en.wikipedia.org/wiki/Estonian_identity_card

swiftcoder today at 5:27 PM

> Until we all have government-issued public keys or something

That's actually pretty common in Europe. The Spanish DNI (national identity card) has a chip these days, which gives you an authenticated key pair for accessing digital services.

In the pilot project for digital voting, that identity is only used to authenticate the user, and then an anonymous key needs to be generated that can be used to cast the final vote.

fermisea today at 2:10 PM

What about this? Consider a toy system: everyone gets issued a UUID, everyone can see how every UUID voted, but only you know which one is your vote.

This is of course flawed because a person can be coerced to share their ID. In which case you could have a system in which the vote itself is encrypted and the encryption key is private. Any random encryption key works and will yield a valid vote (actual vote = public vote + private key), so under coercion you can always generate a key that will give the output that you want, but only you know the real one.

SideburnsOfDoom today at 1:57 PM

> South Africa gets around this by putting ink on your fingernail

This is true, but it's used in other countries as well, as it's a simple, effective, low-tech, affordable process.

Most notably in India https://edition.cnn.com/2024/05/02/style/india-elections-pur...

but also in many other countries: https://en.wikipedia.org/wiki/Election_ink#International_use

phoronixrly today at 1:44 PM

> At some point, you have to give someone access to a database and they can change that database.

It's the only problem in existence that can be solved by the blockchain...

mothballed today at 5:53 PM

South Africa is in a somewhat similar situation of having a gigantic (1-10%, government is too broken to figure out where in that range) illegal immigrant population and poor access to paperwork for many citizens that would make any heavily scrutinized citizenship for registration lean heavily towards disenfranchisement of the poorer segments.