An election is a complex system. There are numerous goals every election tries to meet, and those goals conflict to various degrees. That makes it problematic to analyse any single aspect of elections in a vacuum. We can easily end up with a system that’s optimised in one respect but completely fails in another way that simply wasn’t under consideration at the time.
All elections have at least four goals: 1) to accurately reflect the preferences of the voters, 2) to be accessible to the voters, 3) to be trusted by the voters, and 4) to be cost-effective to implement. Many voting systems, proposed or implemented, optimise one of these variables at the expense of the others. Like any engineered system, we can’t have everything we want. But too often, we as a society pretend the tradeoffs don’t exist, and that improvements in one area don’t come with a cost. Instead, we must be aware of these tradeoffs, and consciously decide to find the balance that works best for us.
Imagine we make a simple change to how most of us vote. You go to your polling place, you cast your vote, but now you’re given a receipt. This receipt indicates how you voted, and also includes a number unique to your ballot. You can go online after the votes are counted and confirm that your ballot made it into the final count, and was counted as you marked it.
Great idea, right? This clearly makes the system more trusted, which is a goal. It also has the potential to make it more accurate, since we can now find and correct some possible errors. But there’s also a downside: if I can prove how my vote was counted, I can be forced to prove it to others. A government might come into power that punishes people for voting against it, as happens in many places on earth. And not all oppression is from the government. My employer might threaten to fire anyone who doesn’t come in with a receipt marked with his preferred candidate. My family or church might ostracise me for voting differently from the group. Violent organisations could threaten people into voting a particular way. Or the super-rich could literally use their money to buy thousands of votes from poor people; this can’t happen on any significant scale without receipts. We can outlaw such behaviour, but enforcement is completely impractical.
This is why the secret ballot exists: the only way to guarantee I’m voting for my true preferences is if nobody is looking. Yes, we can improve trust in the system, but at the cost of reduced accuracy. Which is more important? Can we quantify how much those gains and losses are worth? I’m not sure if an objective answer is possible, but it’s a question that must be considered. We must look at what we lose, as well as what we gain.
Now consider remote voting, by mail or by the internet. Three states hold all elections by mail, and most allow mail-in absentee ballots. The cost of running such a system is clearly much less than using the typical polling places, so we’ve gained in cost efficiency. And the cost to the voter is also much less since they don’t have to leave work and stand in line to vote, so we’ve gained in accessibility. But any remote voting system sacrifices the secret ballot; you can never be sure the voter didn’t have a metaphorical gun to their head when marking their ballot.
And remote voting adds a new problem: you can’t even be sure the right person cast the vote. I’m by no means suggesting voter fraud is common, of course. But proving identity remotely (and automatically) is an extremely difficult problem, and getting harder every year. How many times have you heard of peoples’ passwords being compromised, their credit cards used without permission, or their identities stolen? Chip cards are about as good as we can do, using cryptographic two-factor identification, but that then requires the government issue one to every citizen, which they’re strikingly reluctant to do. And even then, maintaining anonymity while still being able to revoke stolen cards is very possibly insoluble.
And then consider the opposite problem. How many passwords have you forgotten in your life? Yes, voter fraud could happen, but voter suppression is at least as much a concern. What if the system decides I’m not me, and won’t let me vote?
The tradeoffs between in-person voting and remote voting get complex very quickly. But they must be stated and analysed and weighed, or we run the risk of being seduced by convenience without considering the cost.
Election accuracy and accessibility
So what does all this mean? Well, I place extremely high weight on the accuracy of the system. For my math, secret ballots cast in person are absolutely critical to a functioning democracy. But it also means reasonable people can differ if they place more weight on accessibility and trust than they do on accuracy. And perhaps there are circumstances where that’s the right calculation to make, and I’d find myself agreeing if I lived in those circumstances.
And perhaps there’s some middle ground. There are ways we can improve on trust and accuracy, without sacrificing the secret ballot. I can’t be sure my one vote will be counted and counted correctly, but maybe I can be sure that all votes will be.
There are myriad possible things that can go wrong in an election to make it less accurate, but let’s focus just on what happens after I’m in the booth casting my secret ballot. There are really only a few places error can creep in from this point:
• My vote is recorded differently from how I intended
• My ballot is modified after being cast and counted differently from how it was recorded
• My ballot is never counted
• My vote is drowned out by fake ballots that were not actually cast by voters
If we can address each of these potential problems, then overall trust in the system can be greatly improved, without sacrificing the secret ballot. For each, we need up to three mechanisms: prevention of the error, detection of the error, and correction of the error.
For this problem, detection and correction are more straightforward than prevention: the vote must simply be recorded on a human-readable medium, which the voter confirms is correct before the vote is made permanent. If the record is incorrect, the voter tries again, with only the final approved result being permanently recorded. If the vote is stored exclusively in an electronic medium, detecting errors is simply impossible. In short, we need a paper trail.
Preventing modification of the ballot starts with the choice of the recording medium. A punch ballot, for example, can be changed after the fact (purposefully or accidently) by the punching of another candidate. Ballots recorded and transferred electronically can be modified due to coding errors, or even by malicious attacks. A persistent write-once medium is clearly preferred here.
Detection and correction of modified ballots are, thankfully, a solved problem. Ballot modification is only a special case of data corruption, and computer science has long since created standards in that realm. By attaching a cryptographic timestamp to each ballot after it’s cast, we can make undetected ballot modification almost impossible.
Ballot loss can be accidental or purposeful, but in either case, the means of prevention is the same as in the IT world: redundancy, redundancy, and more redundancy. Ballots should be recorded multiple times, on different media, each with a different transmission path. A stack of paper ballots could be misplaced, but a stack of ballots handled by one group, backed up by a write-once CD handled by a different group, backed up by electronic records instantly transmitted over the internet to the counting location, would make accidental ballot loss unlikely, and malicious ballot loss impractical.
Detecting ballot loss when it occurs can be very straightforward: simply compare the number of ballots counted for a given precinct to the number of ballots cast. This means making the record of the number of ballots cast subject to the same security procedures as the ballots themselves, rendering it difficult to maliciously or accidently modify. With this precaution, ballot loss would only fail to be detected if there was a fraudulent ballot created for every one lost.
(It’s worth noting that mail-in ballots make both prevention and detection of ballot loss more difficult. The system now depends on the perfect function of the postal system, plus the added variable of how many people might request ballots but never send them back in.)
As for correction, we again return to the IT world; once data is gone, it’s gone. The only possible remedy is to re-run the election for the affected voters.
The creation of fake ballots is almost inevitably the result of a malicious attack, an attempt to corrupt the election in favour of a particular candidate. Preventing this means preventing votes from being cast without an actual voter attached to them. Marking each ballot cast with a timestamp and machine serial number would be the first step, ensuring that all ballots are created by authorised machines during the proper election hours. There are cryptographic techniques that would make such markings impossible to fake, which would limit the opportunities for ballot stuffing to a definite window. From that point, strong electoral oversight may be the cleanest solution.
Detection of ballot stuffing is something that can be automated and should be. An algorithm could easily check voter turnout against previous elections in the same precinct, and flag precincts whose results are statistical outliers.
If fake ballots can be definitively identified, correction of the matter is simple: throw them out. If they can’t be identified, but at least the number can be known, then their potential impact can be quantified, and a decision made about whether to re-run the election.
Getting back to the overall system, one approach to detecting recording errors, ballot modification and ballot loss is the use of test ballots. In this proposal, voters would have the option to cast one real ballot, plus one or more additional ballots. These test ballots would follow the same path as the real ones, being recorded, transmitted, and counted in the same fashions. The test ballots would not count towards the eventual election outcome, but they would be fully trackable online, as discussed previously. This would allow for the detection of any systematic tendency towards errors, without sacrificing the secret ballot.
And there’s one more IT concept that should be applied to elections to increase trust and accuracy: penetration testing. Most election equipment spends 90% of its time unused, which is just wasteful. When there’s not an election coming up, the entire system should be accessible by the public, specifically for the purpose of being attacked! Ethical, white-hat hackers can come and try every trick in the book to hack the system, and anyone who identifies a flaw should receive a substantial reward. And yes, that means the details of the design and the program code should be published to make such attacks easier.
But, you may ask, what if they find a flaw and then exploit it to alter the election? Well, if there’s a flaw that can be used to that end, what makes you think it’s not already being exploited? Better to find the flaws and fix them, before someone less friendly finds them to use them. The fastest and most thorough way to find security holes in this system is to have as many eyes on it as possible. Security through obscurity is no security at all.
Elections are an engineered system and should be treated that way. It may take technical experts to design a functioning system, but first, the people have to decide what it is they want. Realising that we can’t have everything is the first step in discussing what’s really important to us. Only then can we apply our skills and knowledge to making a system that works better for everyone.
Feature photo by John Keane [CC BY-SA 2.0], via Flickr.
The opinions in The Freethink Tank’s Opinion category are those of the author and are no reflection of the views of the website or its owners