Verifiable Electronic Voting
In short: power is corrupting. People who want to get in power and stay in power are not averse to cheating in elections. To make sure it is as hard as possible to cheat in an election we have lots of procedures around it; everything from how you are identified in the polling station via how you fill out your vote in the seclusion of a voting booth to how your vote mixes with all the other votes in the ballot box to make sure that no-one knows how you voted. We also have lots of observers making sure that nothing adverse is going on.
Still, it seems like something goes wrong in every single election. Someone makes a mistake or outright tries to cheat.
It is not good enough that elections are this messy. They are so fundamental to our democracies, and thus to the way we live our lives, that they have to be correct. We need to zoom out, look at the bigger picture and figure out what elections should really be like. My suggestion: elections should be verifiable. Every single voter should be able to check that her vote has been properly counted (and not dropped behind a cupboard, forgotten in a warehouse, delivered to the wrong post office or spoilt by election workers), and everyone should be able to check that the election as a whole has been run correctly.
The problem is: how do you make an election completely verifiable while keeping the votes absolutely secret? Without vote secrecy the election is neither open nor fair, and then verifiability is beside the point.
In the last few years the Verifiable Electronic Voting research community has suggested a number of different ways of doing this and I would like to explain how the Prêt à Voter system, invented by Professor Peter Y. A. Ryan and currently developed by a research group at the University of Surrey in Guildford, UK, works.
The Prêt à Voter system is based on a ballot form whose candidate list is printed in a random order that changes from one form to the next. If you look at two forms side by side, their candidate lists will be in different orders, which in turn means that if you mark your choice on one of them and then remove the candidate list, I won’t be able to tell from the remaining part what your vote is for. Here are two ballot forms; compare the order of the candidate lists:
So in order to vote you are given a random ballot form by a poll station worker. It is probably placed in an envelope so that no-one can see the order of the candidates. When you are alone in the voting booth you take out the ballot form and make your selections:
When you are finished making your marks on the ballot form, you tear along a perforation, splitting the ballot form in two: one part containing the candidate list and the other containing your marks and a 2D barcode:
Your next step is to destroy the candidate list. You do this whilst still in the voting booth so that no-one has a chance of getting a glimpse of your candidate list. Once the candidate list is destroyed, you are the only person who knows what your marks on the remaining bit of paper mean. Destroy your candidate list by shredding it:
You can now safely come out of the voting booth. From this moment your vote is encrypted and you are the only one who knows what it means. You can show it to anyone and you can have it scanned by poll station workers:
Because the vote is encrypted it can be scanned, submitted, stored (and eventually counted) centrally and published on a website for anyone to see – including you. So you keep your encrypted vote as a receipt. When you get home after voting you can check that your vote is among the votes counted by comparing your encrypted receipt to the one on the website. Here is an example of an encrypted vote and the digitally signed receipt that you get to take home:
What you verify on the website (the same information might also be published in the newspaper, shown on TV and distributed in many other ways) is that the marks you made are the same in the electronic, counted version of your encrypted vote. The verification step does not reveal how you voted, since it does not display the candidate list, only the list of marks on your encrypted vote.
After the close of the election the votes are decrypted in such a way as to hide all the voters’ identities and (after many cryptographic steps, spread across many different parties) to verifiably produce the plaintext, countable votes. This procedure is very complicated and requires computers to do all the cryptography, but that can be left to experts. Because of the way the system is constructed, it is not possible for any single person or any single organisation to change the outcome of the election or to find out how you voted. Instead, we spread the trust in the system across many different parties who are unlikely all to work together to break the election: for example the current government, the opposition, each political party, the United Nations, several governments of other countries, etc. Unless all of these come together and decide to change the outcome of the election, no-one can do so. Unless they all come together and decide to find out how you, or any other voter, voted, no-one can do so. This is a much better way of trusting elections than having to trust that an enormous apparatus, involving thousands of people, millions of voters and millions of votes, works without a problem.
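To make the whole flow concrete, here is a toy simulation added for illustration; it is not the Surrey group’s implementation. The real system wraps the candidate order in public-key “onion” layers and decrypts through a verifiable mix, whereas this sketch assumes each trustee’s layer is simply an HMAC-derived pad (constructed here), so the point that survives is the same: the receipt alone reveals nothing, every voter can check her receipt on the board, and the order (and hence the vote) only comes back when every trustee contributes its layer.

```python
import hashlib, hmac, os, random
from collections import Counter

# Toy Pret a Voter (added example). Trustee layers are HMAC pads XORed onto
# a per-ballot seed; the seed fixes the candidate order printed on the form.
CANDIDATES = ["Alice", "Bob", "Carol"]

def layer(trustee_secret: bytes, ballot_id: str) -> bytes:
    """One trustee's layer of the onion for one ballot (assumed construction)."""
    return hmac.new(trustee_secret, ballot_id.encode(), hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def order_from_seed(seed: bytes) -> list:
    """Derive the form's shuffled candidate list from its seed."""
    order = CANDIDATES[:]
    random.Random(seed).shuffle(order)
    return order

def make_ballot(ballot_id: str, trustee_secrets: list) -> dict:
    """Print a form: shuffled candidate list plus the onion (the 2D barcode)."""
    seed = os.urandom(32)
    onion = seed
    for s in trustee_secrets:
        onion = xor(onion, layer(s, ballot_id))
    return {"id": ballot_id, "order": order_from_seed(seed), "onion": onion.hex()}

def cast(ballot: dict, choice: str) -> dict:
    """Voter marks a row and shreds the list: the receipt keeps only the
    row index and the onion, so on its own it does not say who was chosen."""
    return {"id": ballot["id"], "mark": ballot["order"].index(choice),
            "onion": ballot["onion"]}

def receipt_on_board(receipt: dict, board: list) -> bool:
    """The check you do at home: is my exact receipt among the published votes?"""
    return receipt in board

def tally(board: list, trustee_secrets: list) -> Counter:
    """Every trustee peels its layer to recover each seed, hence the printed
    order, hence the chosen candidate. A missing layer yields a garbage order."""
    counts = Counter()
    for r in board:
        seed = bytes.fromhex(r["onion"])
        for s in trustee_secrets:
            seed = xor(seed, layer(s, r["id"]))
        counts[order_from_seed(seed)[r["mark"]]] += 1
    return counts
```

Because the row index of the same candidate differs from form to form, two receipts with the same mark can stand for different candidates, which is exactly why publishing them is safe.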
Photos taken by Dr Chris Culnane at the University of Surrey, UK – much obliged!