Improved voting

A verifiable and resilient voting system

Nobody is in favor of the power going down. Nobody is in favor of all cell phones not working. But an election? There are sides. Half of the country will want the result to stand and half the country will want the result overturned; they’ll decide on their course of action based on the result, not based on what’s right.

In this chapter we’ll look at some of the problems with the way we vote and how we might use cryptocurrencies (or “the blockchain”) to make an improved voting scheme.

I say they might help because it’s not a use-case where I know they will provide value; it’s still unclear how much benefit it would bring, and blockchain voting may even be a fundamentally bad idea. But as I’ll argue there are some very good properties it can provide, so the idea isn’t so bad it can be thrown out directly.1

1If you’re skeptical then don’t worry—I’m not entirely convinced of this use-case either. I had written the chapter and was going to throw it away, but in the end I decided to keep it. If anything I hope the discussion is interesting.

Bush v. Gore

But why do we talk about improving voting? What’s the problem with the way we vote? Hasn’t voting on paper and having people count them worked great for us so far?

Firstly we shouldn’t avoid looking for improvements just because the “old way” worked well. If so then we wouldn’t have faster cars, bigger TV-screens or more effective medicine—the previous versions already worked well enough. There’s always value in making something better.

But there are also serious problems with our voting system. A great example of some of them is the United States presidential election of 2000, where George W. Bush edged out Al Gore in a historically close election, at least according to Britannica, which I use as a source for the events.2

To say that the election was close does it a disservice. After a day full of uncertainty, where Gore had called Bush to concede the election just to withdraw it later, it was clear Florida would be the decider. Bush appeared to have won in Florida with a margin of roughly 0.01%—a couple of hundred votes out of six million votes. This was so close that a machine recount was made, which showed that Bush had indeed won with only 327 votes!

Here we need to realize that the machines aren’t computers that just count the votes digitally. They’re machines that take the ballots, examine them and try to figure out what vote is marked (or punched) on the ballot.3

The problem here is that some of the ballots weren’t in good condition. Some ballots weren’t punched through completely (so the machines couldn’t detect the votes), others had voted for the same office multiple times or were incomplete in other ways. With the election being so close it’s easy to see that these votes could very well change the outcome. Therefore the Florida Supreme Court ruled that these questionable ballots should be recounted by hand.

Because the stakes were fairly high (an understatement I know) there was a ton of legal action, and charges of conflict of interest were pushed by both parties. In the end the U.S. Supreme Court overturned the Florida decision, put a stop to the recounting, awarded Florida’s votes to Bush and ruled that no recount could be held in time.

So in the end the Supreme Court decided to end the election and might’ve changed the outcome in the process. That’s a pretty big failure of the voting system right there.

2I find it interesting that Gore got more total votes, but won fewer states, so he ended up losing the election.
3Then there’s the infamous Butterfly Ballot disaster. Palm Beach County used a ballot design that was so bad that perhaps more than 20,000 voters voted for the wrong candidate or mistakenly voted for multiple candidates.

The problems with paper voting

One of the issues with the U.S. election is that there are essentially only two parties and the winner of the election takes it all. Therefore such a small difference as a couple of hundred votes did have a huge impact. If Al Gore had won, our world might look completely different today.

But we also saw some problems that are caused by using paper votes:4

  1. Inexact vote counting

    Humans counting votes will inevitably have a margin of error, but so will these voting machines that cannot see what we humans can.

  2. Counting votes is slow

    Counting, and recounting, can take weeks, and at the end of the 2000 U.S. presidential election the human recount was skipped because it would supposedly take too long.

  3. Invalid ballots

    What if you accidentally leave a mark on an unintended place on your vote? Or if you don’t leave a big enough mark? Now your vote might not count.

  4. Corruption

    Why was a human recount ordered and why was it thrown out? Who decides if a questionable ballot is invalid or not? These are all human decisions that are vulnerable to corruption (or incompetence).

4I refer to voting with physical ballots as “paper voting”, but the exact way we vote can differ. In the U.S. they used punchcards where you create a hole next to who you want to vote for, while in Sweden we select a piece of paper corresponding to the party we want to vote for. In other cases you might use a pen to leave a mark or write who you want to vote for.

The problems with electronic voting

In order to address some of the problems with paper voting, electronic voting is growing in popularity. The benefits are clear; you avoid the problem with questionable ballots and vote counting is precise and instant. But there are significant drawbacks that make it a very bad idea:

  1. Lack of transparency

    How do you know that your vote has been counted correctly? That the machine didn’t switch it out for some other vote? An electronic voting machine is largely a black box: we’re not sure how it works, so we just hope it does the right thing.

  2. Hacking

    It’s much easier to hack electronic voting machines—to change votes from Clinton to Trump for example—than to hack paper voting. With paper voting you’d have to have people on site to exchange paper votes for new paper votes, but hacking a computer can be done from the other side of the world.5

  3. Corruption

    In the same way hacking is a worry, so is corruption. If you want to influence votes all you’d have to do is switch out or reprogram the voting machine, and after that nobody would notice. With paper voting it’s harder since there are many more people constantly watching what happens to the votes, so you’d have to bribe more people to get away with it.

  4. Privacy concerns

    Paper voting preserves your privacy very well. You walk behind a screen, select a paper and put it in a box with hundreds of other papers, making it basically impossible to trace that one vote back to you. Simple and very effective.

    Not so with electronic voting. The voting machine needs to verify your identity some way and computers can—and therefore we must assume they will—record everything that happens on them. This is information that a hacker or election worker could gain access to, and they would be able to see exactly who you voted for.

    Consider for example what would happen if the future government becomes corrupt. Like if a Nazi-like party comes to power and they decide to punish those who didn’t vote for them in the election?6

  5. Understandability

    It’s easy to explain how paper voting works; you just count the pieces of paper and tally up which name occurs the most. It’s much more difficult to explain how electronic voting works and what makes it trustworthy.

    How does it for example prevent someone from voting twice? With paper voting there are people who check that you’re only placing a single vote in the box, but how does the computer do that? How do you know the computer counted your vote correctly? And how will the election worker know that connecting a USB memory stick to the voting machine opens it up for attacks?

    This is a general problem with technology, as people are often too trusting of it. We think it always does the right thing, but we underestimate the risk of faults or vulnerabilities in it. Just take self-driving cars as an example; they’re still very much unsafe—both for passengers and pedestrians—but people don’t seem to realize it.

    Understandability is important because people have to trust their election to be fair. If they don’t trust their votes being counted correctly, then they can’t trust the outcome of the election either.

For a convincing case against electronic voting I recommend Jennifer Cohn’s article America’s Electronic Voting System is Corrupted to the Core.

On the other hand many of these problems can be mitigated, see the paper Public Evidence from Secret Ballots for a good rundown.

5There’s a lot of focus on “hackers” being a problem, but there are less nefarious problems too. For instance the app used to tabulate votes during the Iowa caucuses in 2020 was inadequately tested. It simply didn’t work properly, which is always a risk with software.

6In 2015 a database on the web had personal information on registered U.S. voters, 191 million in total. It contained your full name, home address, mailing address, phone number, date of birth and whether or not you voted in any election back to 2000.

And it wasn’t even a hack. The database was just lying there, open for anyone to read. It’s like if someone had left a paper in the middle of the library, available to anyone who happened to walk by.

With electronic voting this database might’ve also contained who you voted for.

A blockchain voting system

As an alternative I’ll try to present a high level description of a blockchain voting scheme, which has some very good and beneficial properties:

7“Don’t trust, verify.” is a popular saying in the cryptocurrency sphere. A prerequisite is to have an open system that you can verify.
8Even if possible, is it desirable to get a real-time update of voting? Couldn’t that affect the election in a bad way?

The scheme is similar to tokens that we discussed in the previous chapter. Here the issuer is the government, who still needs a way to identify voters and to give them a token (a single vote). The process would be similar to how it works today, where people have their identification verified by voting officials when they go to vote.9

With the tokens distributed you could cast your vote by sending your token to a predetermined address. For example if you want to vote for Trump, you send it to the Trump address. If you want to vote for Hillary, you send it to the Hillary address. And if you don’t want to vote you don’t do anything.10

One vote is given out to each person, who then sends it to their voting address of choice.
Each arrow corresponds to a token transaction and the “Hillary” and “Trump” boxes are addresses. The state is responsible for issuing the voting tokens to the voters and the voters in turn send them to the address they want to vote for. In this example Hillary got 1 vote and Trump got 2, and everyone voted.

These transactions work like cryptocurrency transactions, so you cannot counterfeit them or manufacture votes from thin air. Well, the state could issue new votes, but everyone can see exactly how many votes they give out, so if they give out more votes than eligible voters in the country… You know something is wrong.11

It’s easy to count the votes—just check how much each address holds. It’s also easy for you to see that your vote has arrived at the correct voting address, and if it did you know your vote will count.
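The counting and checking described above can be done by anyone who replays the public ledger. The following is an added example, not code from the book: the ledger format, the `state` issuer address, the token ids and the voter names are all assumptions, and signature verification (which a real chain would use to prove that the sender authorized each transaction) is left out.

```python
from collections import Counter

STATE = "state"                      # issuer address (hypothetical name)
CANDIDATES = {"hillary", "trump"}    # predetermined voting addresses

def replay(ledger, eligible_voters):
    """Replay the public ledger; return (tally, holder, problems)."""
    holder, issued, problems = {}, 0, []
    for n, (sender, receiver, token) in enumerate(ledger):
        if sender == STATE:
            if token in holder:
                problems.append(f"tx {n}: token {token} issued twice")
            else:
                issued += 1
                holder[token] = receiver
        elif sender in CANDIDATES:
            problems.append(f"tx {n}: voting address {sender} tried to spend")
        elif holder.get(token) != sender:
            # Covers double voting and made-up tokens alike.
            problems.append(f"tx {n}: {sender} does not hold {token}")
        elif receiver not in CANDIDATES:
            problems.append(f"tx {n}: {receiver} is not a voting address")
        else:
            holder[token] = receiver
    if issued > eligible_voters:
        problems.append(f"{issued} tokens issued, {eligible_voters} eligible voters")
    tally = Counter(a for a in holder.values() if a in CANDIDATES)
    return dict(tally), holder, problems

def vote_arrived(holder, token, candidate):
    """A voter's own check: does my token sit at the address I chose?"""
    return holder.get(token) == candidate

# Constructed sample ledger matching the three-voter example in the text:
# (sender, receiver, token id) per transaction.
LEDGER = [
    ("state", "alice", "t1"), ("state", "bob", "t2"), ("state", "carol", "t3"),
    ("alice", "hillary", "t1"), ("bob", "trump", "t2"), ("carol", "trump", "t3"),
]
# Constructed tampering: bob votes a second time, and the state issues a
# fourth token although only three voters are eligible.
TAMPERED = LEDGER + [("bob", "hillary", "t2"),
                     ("state", "mallory", "t4"), ("mallory", "trump", "t4")]

if __name__ == "__main__":
    for name, ledger in (("honest", LEDGER), ("tampered", TAMPERED)):
        tally, _, problems = replay(ledger, eligible_voters=3)
        print(name, tally, problems)
```

The extra token still reaches the Trump address in the tampered run, so the audit cannot undo over-issuance; it only makes it visible to everyone who replays the ledger.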

9While I focus on government elections, voting is useful in other contexts too, for example shareholder voting or votes in a leaderless organization. (In my head I see a bunch of people sitting around a table, shrouded in shadows, voting on who to kill.)
10It’s easy to give multiple options. For example if you want to be able to differentiate between those who don’t care, and those who want to vote but not any candidate, just have an additional “blank” address voters can send to.

11Then how do you know that the votes are given out correctly and that the state distributes them fairly? The same way it works today—the voters are holding the state accountable.

Of course this means that this voting scheme cannot fix voting in highly corrupt countries, only magic can do that.

Unsolved problems

The scheme I’ve presented is simple—too simple. There are many problems with it, some that are solvable but others that I don’t have an answer to.

12Imagine for example if all voters had to go through a mixing state, where people trade a vote for another vote. If done correctly the state can’t connect the final votes to the identities, while still being sure the right people had the ability to vote.
13BankID is distributed by banks and not by the state, but in principle there’s no reason why a similar system couldn’t be.

14Vote buying, or vote coercion, is really an unsolvable problem. Even if you have on-site voting with perfect secrecy, it’s still vulnerable to people bringing a hidden camera that records the voting process.

The best we can do is reduce the target surface, and for an electronic voting scheme you’d want the ability to verify that your vote was counted correctly, but without you being able to prove how you voted.

Why a blockchain?

The big question to ask is why would we want voting on a blockchain anyway? Why would we want to record our votes on a permanent database, when we might even want to allow people to change their votes before the voting is over? Why design a voting scheme on an extremely inefficient system—which all cryptocurrencies and blockchain applications are?15

As pointed out in the paper Public Evidence from Secret Ballots it’s possible to create an end-to-end verifiable electronic voting scheme even without the blockchain—which isn’t surprising since the blockchain is just a database. They also say that because we already trust a central entity to give out the voting privileges, we can just trust them to publish a ledger of the events, making the blockchain obsolete.

They say a lot of other things too, and I recommend you read the paper as it goes through a lot of the difficulties and possible solutions with voting systems. It’s not as simple as I may have led you to believe.

They’re right that trust isn’t an issue, since data will be independently verified for correctness anyway, but I don’t agree that it makes a blockchain useless. A fault tolerant system—such as a blockchain—is inherently more difficult to disrupt. Because anyone can help collect, distribute and verify votes it doesn’t matter if the government’s servers get overloaded in a Denial of Service (DoS) attack—as long as people have internet access the voting process will be uninterrupted.

While there are benefits to blockchain voting, there are many problems we need to solve first, with the privacy problem being the most important. And it’s possible that when all things are considered, maybe paper voting is best after all.

15Then again if we want a publicly verifiable voting system, where all data is publicly available, we must assume it will also exist forever. (On a related note this is the assumption we all should make when we interact with social media. The internet remembers.)

The only thing we might gain by skipping the blockchain is efficiency, which certainly shouldn’t be disregarded.