[kwlug-disc] Say No To Electronic Voting ...

[Mikalai Birukou]

Quoting Zeynep Tufekci's article where she talks about "how it could be":

"""a simple adversarial confirmation system ... would have worked well"""

In our proposal, every voter, not just "representatives designated by 
the campaigns", can count all votes, can be "adversarial". People share 
*their* counts. People share *their* conviction about correctness of 
*their* individual vote. People come to consensus, not machines.

I am making strong claim that we do what Zeynep wants to see, even 
better, and in an electronic format. May be we should have a talk to 
present actual details. Paul?


I too stand against electoral systems that have no *Transparency*, 
*Auditability* and *Decentralization*. In our proposal these three 
requirements are *held strongly*.

But, to be meaningful, these three protective characteristics require an 
ability for voter to come to judge and have a proof of his registration 
and vote. Registrar should be a separate entity and be trusted not to 
share mapping between registrants and ballot numbers, then all those 
three characteristics can be provided. Let's note that this mapping 
doesn't have to be accessible online, improving chances of securing it. 
In other words, *Anonymity* can be with a little asterik.

<side-note registration-design> Splitting elements of voting process, 
and allowing solutions to be *with* human involvement allows the 
following option. Imagine there are only 100 people voting. We generate 
and print out 100 pages with some keys. Pages are folded to hide QR 
codes with keys. Shuffle them. Give everyone one of these pages. This is 
an example of an anonymous bootstrap, i.e. strong *Anonymity*. If voter 
wants to dispute in court, he/she divulges one's preference anyway. 
</side-note registration-design>


Let's for a second contrast what happens now. Raise questions. Share 
experience.

> - *Anonymity*:
> A ballot cannot be traced to an individual, so there is no pressure or 
> reprisal if they vote against
> their boss or something like that.

1) Is there ideal anonymity already?

At our national election I was given a little piece of paper. It was 
separated from some paper form. Did my piece of paper have a number on it?

If there is a number, related to another piece, that is related to what 
I got in a mail, with my address and name, then our proposal will give 
same level of anonymity. This anonymity is based on difficulty of 
tracing a ballot.

If there are no numbers on a paper. Then an attacking organization 
should inject extra ballots in precincts that are expected to go 
particular way. Count shows more ballots, hence, precinct is discounted, 
poisoned, as there is no way to distinguish between good and bad ballots.

(Q: Can someone enlighten us about today's paper processes?)

2) Registrar should keep secret mapping between ballots and voter 
identities, destroying it after elections proclaimed final. Without such 
map one can't have (a) strong evidence based opposition against election 
meddling, (b) correct incorrect counts.

If society can't arrange for such registrar, there are bigger problems.

3) In Belarus you don't have to even vote to get reprisal about your 
views. Here are my scars from Belarus. Sooner or later, trained eye of 
an идеолог will spot in any group those who don't bow the right way. 
Ideal anonymity in elections doesn't help here.

> - *Transparency*:
> The entire process should be understandable to, and observable by a 
> lay person.
> Encryption, tokens, hashes and all that tech stuff cannot be 
> understood by a regular person. It is stuff
> for specialists, which should not be the case.

Right now I can't count votes in my city.

In a proposal we suggest radical transparency, where everyone 
participates in checks and counts. Voter can check neighbours' results, 
offline, in whatever way people want to do it.

When you have a system with rampant meddling you need lay persons to be 
presented with meddling in as vivid way as possible. It is people's 
passivity that let's democracy slip. Radical transparency is a tool to 
increase interest and engagement.

> - *Auditability*:
> The voter list records who is eligible, and who actually showed up, so 
> if someone comes in and finds
> that he did vote before, they can raise a red flag that there is vote 
> rigging going on.
> Ballots can be counted/recounted with representatives from the various 
> candidates/parties to ensure
> neutrality.

Right now, in Belarus, when you come to get a paper, and there is 
already some signature across your name, you are given a new ballot to 
vote. Up-ps. There will now be more ballots in a box. Will anyone raise 
concerns. And this system gives me no way to prove to my neighbour that 
this meddling has happened!

> Software on the other hand can be modified by one corrupt programmer 
> or installer for a bribe,
> under pressure or for ideology. Even if a committee supervises the 
> software release, this is a single
> point of failure (see next point), and there is no guarantee that 
> "this software" is what ended up on
> the machine/web site, or released as an app.

When you say "Software", do you mean "server software"?

In our approach (a) no one trusts servers, (b) there is a protocol, that 
does let server know what client program voter runs, and (c) there needs 
to be an libre program for voting. More so, since different 
election/referenda processes differ only in registration phase, protocol 
can be reused, letting you to have one client program for all voting. 
And in the limit, you can write it yourself!

These words should not surprise you, as principles of moving computation 
to client and not trusting servers is what we preach in 3NWeb.

Again. I am making strong claims here. The proof is in details. Let's 
have a presentation. Paul?

> - *Decentralization*:
> Ballots should not all go to one location to be counted (where it can 
> be switched, or stuffed en route --
> I know because that was what happened in Egypt). Also, you can bribe 
> or threaten a fewer number of
> people to get a favorable result for you or your friends.

That's why I want a system where my own phone counts. My friend's phone 
checks and counts results.

If meddling is done by little guys, this radical transparency allows 
quick capture and courts help us.

If meddling is done by big guys, where lie is big and blant, then people 
need a mechanism to see that they are the majority, and not a minority. 
Cause next step in such grand lawless sceario is a protest. And in a 
protest you personally want to gauge if majority is on your side. 
Radical transparency is the only tool.

You can't be more decentralize then everyone doing complete checks and 
complete counting.

> With internet voting, it is far easier to switch every n-th vote to a 
> certain candidate/party, and the
> game is over. Because anonymity is required, one cannot trace a person 
> to an actual vote. If this
> data is recorded, then it can be leaked and people can be threatened 
> or intimidated. In the absence
> of that, switching votes is very easy.

Electronic makes everything easier than paper. It makes it easier to 
engage people. It makes people more active, which is good, cause without 
demos there is no democracy.

You are correct in that ideal anonymity is not possible. When I come to 
court and say that my vote was counted incorrectly, I decide to divulge 
my preferences. On another hand society also needs an anchor against 
false claims about meddling. So, independent, offline registrar with 
some trust might be a reasonable trade off.

Again, if registrar with modicum of trust can't exist in a society, 
there are bigger problems than ideal anonymity of votes that ain't 
counted anyway.

> There is no problem with having a machine scan the completed ballot to 
> make counting easier. The
> paper ballot is still the authoritative vote, and can be manually 
> recounted if needed. We do have
> those in a minority of the elections we have (municipal I think).

And what is a participation rate? Why have I already signed a ton of 
different online petitions, while I haven't participated in any 
municipal matters. Oh. It doesn't beep, and I can't make a vote between 
my sushi and coffee, when my mind is the sharpest.

> Further reading:
> An article by Zeynep Tufekci, a researcher on technology in society.
> She wrote it after the Iowa Democratic caucus fiasco.

I read and take all good ideas from people like Zeynep. That is why our 
proposal is fundamentally different from Iowa app. Yes, web-site like 
application is not enough for elections. But it doesn't mean that new 
approaches can't be entertained. Let's not through baby (computers) with 
bath water (Iowa app).

Again. Let's have a presentation. I feel it will be desirable to go into 
details :) .

> If you don't read the entire article, then read
> the last 3 or so paragraphs say how voting should be, and why: A 
> Simple Adversarial Confirmation System
>
> Combined with plain paper ballots, this system is almost foolproof.
> https://www.theatlantic.com/technology/archive/2020/02/bad-app-not-russians-plunged-iowa-into-chaos/606052/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20200801/8337e5d3/attachment.htm>