What Does “Secret Ballot” Mean?
December 12, 2006 by Ping
When we talk about elections having a “secret ballot”, that typically means that each voter’s choices are confidential. But it also matters whether or not the voter’s co-operation is required to keep those choices confidential.
Over at Freedom to Tinker, Ed Felten proposes labels to help us make this distinction. By his definition, “weak secrecy” means that each voter can choose to keep their ballot secret, whereas “strong secrecy” means that each voter cannot prove to anyone else how they voted. The question of proof is significant because, if you can offer a proof, then you can sell your vote — which means that someone can buy your vote, or threaten you and force you to vote a certain way. Felten points out that voting in a booth at the polls gives you strong secrecy, but mail-in ballots are only weakly secret and thereby enable coercion. (You can meet with someone and let them watch you fill out your ballot and seal it in the envelope.)
There is another important distinction that is worth pointing out here, one that was made clear to me in a conversation with David Wagner. Voting systems can be vulnerable to vote-buying in different ways: the coercion or buying may or may not require a real-world interpersonal interaction, which affects whether it is feasible to conduct on a large scale.
I’ve heard it argued that, since strong secrecy has already been lost due to mail-in ballots, it can be dispensed with in the design of electronic voting systems that post public information about the votes (e.g. to enable end-to-end verification). But there is a significant difference between buying a mail-in vote (which requires physically interacting with each individual vote-seller) and buying an electronic vote (which might be conducted in an automated fashion online if the published information is sufficient to prove votes).
So, we might consider using “weak secrecy” to mean “voters can voluntarily keep their votes secret but can prove their votes to a vote-buyer”, “moderate secrecy” to mean “voters cannot prove their votes to a vote-buyer except by interacting with them in person”, and “strong secrecy” to mean “voters cannot prove their votes to a vote-buyer by any means”. By these definitions, mail-in ballots provide moderate secrecy.
However, the real-world issue is still more complicated than this. The mathematical concept of proof may not be appropriate to apply here. By Felten’s definition, a polling booth would provide “strong secrecy” because it leaves no verifiable public record of your vote. But you could use your mobile phone to take a video of yourself filling out your ballot in the polling booth, and present that as proof to a vote-buyer. Mathematically this doesn’t count as “proof” because your video isn’t verifiable (it’s just a bunch of pixels, and pixels can be forged) — but in a practical sense, this would be more than sufficient to sell your vote. As long as the vote-buyer has some reasonable confidence that most people wouldn’t bother to forge the proof, it’s worth it to buy votes. (Conversely, if a voting system allows you to prove how you voted, but the proving process is sufficiently difficult that few voters will attempt it, vote-buying may be negligible in practice even if it is possible in theory.)
But I’m not done yet. It’s even worse than that: the vote-buyer doesn’t even have to have confidence in the proof demanded from voters. All the vote-buyer needs is confidence that the voters believe the vote-buyer can verify their votes. The vote-buyer could completely lie and make up a story about how votes will be checked. For example, the vote-buyer could say “I have backdoor access to the election system. Vote for Candidate X, make a note of the serial number on your ballot, and send the serial number to me. I will check that you indeed voted for X, and I will pay you if you did.” Even if the vote-buyer has no way to check the votes, if enough voters believe the story, the votes will be effectively bought.
A countervailing force against vote-buying is that if the identities of vote-sellers or vote-buyers are revealed or publicized as part of the vote-buying process, that makes vote-sellers and vote-buyers vulnerable to prosecution. Taking this into account, a mail-in ballot is not vulnerable to a large-scale vote-buying scheme in which someone takes out an ad in the paper offering to buy pre-marked, pre-signed ballots. But an online voting system that published enough information to reconstruct who voted for whom could be vulnerable to a large-scale vote-buying scheme in which a pseudonymous PayPal user in a foreign country sends money electronically to people based on their votes.
An analysis of whether a voting system is susceptible to vote-buying, therefore, must take into account at least these factors:
- what information the voting system reveals to the public
- what information voters are capable of revealing to vote-buyers
- what information vote-sellers and vote-buyers are capable of collecting about votes
- how vote-buyers can influence what voters believe in order to influence their votes
- whether the intention is to defend against in-person vote-buying or automated vote-buying
- the cost to participants and the scale of the vote-buying operation
- what identifying information vote-sellers and vote-buyers must reveal about themselves in order to conduct vote-buying
December 13th, 2006 at 08:08
There is another distinction in the “moderate security” level.
In one case, I can prove my vote to another person but this is atypical—for example, absentee ballots, which are easily arranged but not the default method of voting.
In another case, it can be typical or common for family members to see each other’s ballots, such as can happen with default vote-by-mail.
In other words, “moderate” ballot privacy can range over a whole scale from opt-out (I can do something to show people my vote) to opt-in (I can go to the trouble to vote away from the family, though this gives away that I have something to hide.)