How not to prove your election outcome [pdf] (unimelb.edu.au)
56 points by pesterazor on March 30, 2019 | 6 comments



Key:

> "Although it would be informally apparent that something had gone wrong..."

i.e., there's a spectrum of voting attacks. Ballot stuffing is more powerful than ballot burning. If you can target specific districts or voters, then ballot burning can have the same effect on the overall outcome, so it is still incredibly serious, but just takes extra work. This is ballot burning.

> "it seems that our exploit would put the system in an “impossible state”, which would make it difficult to define a meaningful investigation process."

If I'm reading this right, ballot burning itself might have two subtypes -- invisible and leaving big messy scorch marks. This is the latter type. Still serious, but different. You could DoS an election's integrity, forcing emergency runoffs or stalling out democratic processes, or forcing a failover to legacy systems that might be easier to launch higher level attacks against.

This will probably add to the antipathy against electronic voting systems, but I don't blame Scytl-SwissPost for trying. Our current system features disappearing ballot boxes, local level ballot design flaws, and relies on the postal system for absentee ballots. Whatever the mix of media, part paper or electronic, we need to be working towards something more cryptographically sound.

https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy...


> I don't blame Scytl-SwissPost for trying.

I do.

> Our current system features disappearing ballot boxes, local level ballot design flaws, and relies on the postal system for absentee ballots.

None of these are fixed by electronic voting.

They are fixed by fixing them.


Based on the dismissive tone, you might not really be interested in any discussion here, so apologies if I'm throwing gas on a fire.

But we have different takes on how to solve those problems, so I want a shot at clarifying my position, and I'm genuinely interested in what your (nonelectronic) solutions might be.

The problems I pointed out are the sort of problems that stem from requiring that we trust untrustworthy third parties. Now, it's not like USPS is nefarious, just that they sometimes lose or misdeliver letters without informing the sender. Local officials who manipulate vote counts by losing boxes or prefilling absentee ballots... well, less innocent.

If you're talking about ensuring the integrity and availability of information, or controlling who can see or alter it, you're really talking about a problem in cryptography.

"Fix this by fixing them"

We certainly wouldn't have these problems if we could just demand that everyone engage in trustworthy behavior. That's always true for problems in information theory, or cryptography more generally. And we should back any framework with a strong legal framework to punish manipulation of elections. Vote tampering is illegal, but we should make sure those laws are effective.

More generally though, if we could just rely on "demand all parties are trustworthy" as a cryptographic primitive, then all protocols would be trivial.

Imagine if the typical take on electronic voting was applied to any other area of cryptography.

"I don't trust encryption schemes unless they are done on paper and administered by my local government!"

It would sound odd, right? Why this one?

I think we got here as a community as a reaction to governments and equipment makers like Diebold making claims about electronic voting that sounded like they believed in or were lying to the public about perfect security. Obviously anyone claiming their system is unhackable is trying to con someone.

On the other hand, distributed paper voting as a protocol has a ton of failure points too. And (electronic) cryptography could help with some of those issues. (You don't have to go all electronic. You can keep paper for some parts of the process where paper works best.)

So I've come around to a third way. We need to get past "paper is the answer" or "electrons are the answer" and get to a place where we are honest about the flaws in all systems, we lay out the properties of elections we want to safeguard, and figure out the best protocols and mediums and even UX to get us there.

Seriously though, if you have good incremental ideas for fixing how we do absentee ballots, I'm definitely open to hear more good ideas. And we'll definitely want small steps, rather than diving into any radical changes that suddenly break the system.


> We certainly wouldn't have these problems if we could just demand that everyone engage in trustworthy behavior.

Do you think this is how paper ballots work?

> It would sound odd, right? Why this one?

Because ballots require both ballot secrecy and democratic legitimacy. You can't have both in an electronic voting system. Cryptographic schemes either claim perfect mixing and anonymisation, in which case it's impossible to detect shenanigans. Or they don't have perfect mixing and anonymisation, in which case it's possible to pierce ballot secrecy.

Paper is unwieldy and you can insert many mutually-distrustful humans into many steps. This makes it exponentially more difficult to subvert at scale without detection.

These are features. Please can we just take a moment to accept that sometimes, atoms are better than electrons.


Some interesting points, thanks for the reply.

> Do you think this is how paper ballots work?

It was definitely hyperbole. But I think there is a lot of assumption of trust in the status quo, and I think we are frequently let down by that assumption. Not all the time. It's not an apocalypse. But we could do better.

> more difficult to subvert at scale

That's a great point. If you have a single point of failure through E2E, then individual attacks are much more significant.

Nationwide elections are often decided by a handful of key districts though. And the different systems in all these districts can make it hard to detect whether things are broken by design or coincidence. Tools from distributed consensus could make tampering more obvious in one large system.

But you're right, in general E2E makes this harder, not easier.

> ballots require both ballot secrecy and democratic legitimacy

100% agree. But this is an issue for paper too. If we allow paper receipts, you can later verify your vote, but you can also sell the receipt, destroying the secret ballot.

Secrecy and verifiability seem impossible to reconcile at first glance. But there are actually ways to do this through repudiation that might work for either paper or electronic voting.

Estonia's model has other flaws, but had an interesting solution here. They went as far as internet voting. So, worst case, imagine the local boss is at your apartment with a gun to your head, you vote online. But the trick was, any time after that you could walk into a polling place and cast an overriding vote that cancels the earlier vote. That's just one example of this technique, and weeks-long elections probably wouldn't work for our system. But the general idea of repudiation or false votes is a useful tool.

With paper receipts, you could allow citizens to print false receipts at the polls as well, then that would preserve the secret ballot. Unfortunately it could also make it impossible for them to prove miscounting.

If the FEC and the voter had two shared secrets, one that unlocks the true vote and one that unlocks a false vote, you could accomplish both goals. You could have a deniable vote, but where the voter and the FEC could only prove to each other which one was correct.

I'm not sure you get the same guarantees with paper at scale. But maybe receipts with dummy receipts would get close enough.

I think another argument you could make is based on federalism. We currently have a system that guarantees every local polity can make whatever decisions they want about how to run their elections, out of a respect for distributed powers. E2E is not a good solution if we just have a hard requirement for distributed management of elections.

Appreciate the response. I am still grappling with a lot of these issues, and place enormous value on getting the conversation away from "paper good, electrons bad" to an open discussion of why we all have those really strong assumptions.
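The "two shared secrets" idea in the comment above, worked through as an added toy model (this is not code from the paper, from Scytl/SwissPost, or from any commenter). It assumes a hypothetical `Authority` that issues every voter a real key and a decoy key, publishes an HMAC receipt tag for both on a public board, and records privately which key is live. The point it shows is the deniability property the comment describes: a receipt built from either key checks out against the public board, so a third party holding one receipt learns nothing, while only the authority and the voter together can settle which one was counted.

```python
import hashlib
import hmac
import secrets


def receipt_tag(key: bytes, vote: str) -> str:
    """Receipt tag: an HMAC over the vote under one of the voter's two keys."""
    return hmac.new(key, vote.encode(), hashlib.sha256).hexdigest()


class Authority:
    """Constructed stand-in for the election authority (the 'FEC' in the comment).

    Private state: which of a voter's two keys is live, and the vote counted.
    Public state: the board of receipt tags, which carries tags for BOTH keys,
    so the public record looks the same whichever receipt a voter shows.
    """

    def __init__(self):
        self.register = {}    # voter_id -> (real_key, decoy_key); private
        self.real_votes = {}  # voter_id -> vote actually counted; private
        self.board = set()    # published receipt tags; public

    def enroll(self, voter_id: str):
        # The voter keeps both keys; only this register says which is real.
        real, decoy = secrets.token_bytes(16), secrets.token_bytes(16)
        self.register[voter_id] = (real, decoy)
        return real, decoy

    def cast(self, voter_id: str, real_vote: str, decoy_vote: str):
        real, decoy = self.register[voter_id]
        self.real_votes[voter_id] = real_vote
        # Both tags are published; the decoy is indistinguishable from the live one.
        self.board.add(receipt_tag(real, real_vote))
        self.board.add(receipt_tag(decoy, decoy_vote))

    def tally(self) -> dict:
        counts = {}
        for vote in self.real_votes.values():
            counts[vote] = counts.get(vote, 0) + 1
        return counts

    def confirm_live(self, voter_id: str, key: bytes) -> bool:
        """Only the authority can answer this, and only for a key the voter presents."""
        return hmac.compare_digest(self.register[voter_id][0], key)


def receipt_checks_out(board: set, key: bytes, vote: str) -> bool:
    """What anyone holding a (key, vote) pair can check against the public board."""
    return receipt_tag(key, vote) in board


def demo() -> dict:
    # Constructed scenario: one voter, real vote for "Alice", decoy vote for "Bob".
    auth = Authority()
    real_key, decoy_key = auth.enroll("voter-1")
    auth.cast("voter-1", real_vote="Alice", decoy_vote="Bob")
    return {
        "real_verifies": receipt_checks_out(auth.board, real_key, "Alice"),
        "decoy_verifies": receipt_checks_out(auth.board, decoy_key, "Bob"),
        "mismatched_verifies": receipt_checks_out(auth.board, real_key, "Bob"),
        "authority_confirms_real": auth.confirm_live("voter-1", real_key),
        "authority_confirms_decoy": auth.confirm_live("voter-1", decoy_key),
        "tally": auth.tally(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both the real and the decoy receipt verify against the board, a receipt whose vote does not match its key does not, and only `confirm_live` separates the two. That is also the limitation the comment names: because the public board cannot tell real from decoy, a voter can check that their live tag is present but cannot show a third party that a missing or altered tag was the real one. The model also lets the authority see plaintext votes and offers no verifiable tally; it illustrates the deniability trade-off only.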


We are as a species electronics noobs. Applying our new shiny toys to everything is natural.

Electronic voting lowers the bar because it moves away from physical representation of people and ballots. Mail-in makes it easier to game for the same reason.
