Building Reliable Voting Machine Software (2007) [pdf] (zesty.ca)
5 points by agronaut on Jan 19, 2020 | 1 comment



Very comprehensive discussion.

p39 correctly points out that post-election verifiability significantly reduces the burden on the system. If you can later prove your vote was cast correctly, it doesn't really matter if the system that correctly recorded your vote has some theoretical flaw.

Verifiability could also prevent or reveal traditional attacks or miscounting, like lost ballot boxes, hanging chads, misdelivered absentee ballots, or simple hand counting errors. It could have a separate benefit of drastically increasing trust in the system, preventing allegations of fraud by those who simply want to undermine faith in Democratic institutions (be they foreign governments or sore losers).

The author quickly dismisses verifiability as a practical goal though, despite its potential benefits, citing an old objection: verifiability enables vote selling.

Since verifiability could lead to significant benefits, it's worth asking two questions at this point: (1) might there be other ways to mitigate the risk of vote selling under verifiability, and (2) does verifiability really increase the risks of the status quo?

(1) Other Mitigations

Two possible mitigations immediately spring to mind; there are probably others.

First, we could just make vote buying or vote extortion a serious federal crime, where any whistleblower voter gets some portion of the fine, enough to outweigh whatever they were offered. The new incentive would make these attacks highly risky, as they'd have to involve an improbable number of close confederates you can rely on, but who won't vote the way you recommend without a bribe. This becomes basically impossible to scale.

As a second option, we could instead give voters a true receipt and a false receipt. Voters could privately confirm their vote was cast correctly, but the system would have deniability: the voter would be unable to prove it. Maybe the true receipt holds a secret shared with the election commission that can only be unsealed under credible allegations of outcome-altering irregularities.

(2) Unclear New Risks

The argument against verifiability is that it would suddenly allow proof of vote, and that creates the risks of extortion and selling.

Proof of vote is already trivial in the status quo though. Sure, there are prohibitions on voting booth selfies, but if you had entered into a vote buying cartel, you would easily be able to defeat these with a discreet photo behind the curtain.

Mail-in absentee ballots allow one to fill in a ballot while being directly observed by an attacker.

Despite these possibilities in the current system, there isn't significant evidence that vote buying is a widespread problem, so the risk may be wildly overstated anyway.

If it is not clear we're avoiding a new risk, and if verifiability could dramatically increase the trust in the system, I think it's worth a harder look than most voting security analysis gives it.

That said, this amounts to a quibble about one page in a significant piece of research, which is still an admirable summary of the issues in secure voting theory and design.



