Secure Internet Voting

In general, I agree with the recommendations several security experts wrote condemning the new overseas military voting system SERVE, because voters would use insecure Windows PCs to vote.

However, in thinking the matter over, I suggest the following method and open it to criticism. It still has many of the flaws of such systems: no physical audit trail, and, like every remote voting system including the mail-in absentee ballot, it allows non-secret ballots and vote buying, though it is not much worse than mail-in in that respect.

Here's the proposal. For each registered voter, generate a paper instruction book. In the book, list the choices they can vote for, and with each choice provide a multi-digit number to enter. Also provide a longer master number for the whole ballot. In addition, after each number, provide a second "ack" number.

Thus you might see a ballot with:

  • George Bush: 8741 / 9832
  • Al Gore: 9843 / 4382
  • Ralph Nader: 0438 / 2833
  • ...

The numbers are different on each ballot. The voter enters the master number and then the sub-number for each choice. The election server, combining the master number with the sub-numbers, can determine whom the vote is for. Only the exact numbers are accepted (anything else generates an error, and only a limited number of errors is allowed before the ballot is locked). Without the secret known only to the master computer, it should be infeasible to map the numbers to a choice, so the numbers reveal nothing to whoever sees them in transit.

When the vote is cast, the master server responds with the ack number, which again only it knows how to generate. The voter checks that the ack number matches the one printed beside their choice. A voter who trusts the master voting web server can thus be assured that their vote was registered there as intended.

There's nothing a man-in-the-middle, including a trojan program that has taken over the PC, can do to circumvent this. Without the secrets known only to the master vote computer it can't change the vote or see who the vote was for, and it can't silently stop the vote from being recorded: if the vote is blocked or altered, the correct ack never comes back and the voter knows to retry, by another channel if need be. The one thing the scheme depends on is that the paper codebook itself never passes through the PC (it is not scanned or typed in whole), since the codes are the only secret the voter holds.

And thus it should work from any insecure web browser, and in fact would work fine over a telephone, as long as the numbers are long enough to defeat guessing attacks.

Though again, we are completely trusting the master web server and its security.
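To make the mechanics concrete, here is a toy server for the scheme just described: it prints codebooks, accepts a master number plus a vote code, answers with the ack code, limits wrong guesses, and refuses to count a replayed vote twice. This is an added example and not code from the original post; it assumes the server keeps a secret table per codebook mapping vote codes to choices and ack codes, and the seeded `rng` parameter and the `demo` function exist only to make the run reproducible.

```python
"""Toy server for the paper-codebook ("code voting") scheme described above.

Added example, not code from the original post. It assumes the server keeps
a secret per-codebook table mapping vote codes to choices and ack codes; the
voter's PC only ever sees the numbers typed in and the ack that comes back.
"""
import random
import secrets
from dataclasses import dataclass
from typing import Optional

MASTER_DIGITS = 12   # the ballot's master number, typed first
CODE_DIGITS = 4      # per-choice vote and ack codes, as on the sample ballot
MAX_ERRORS = 3       # wrong codes tolerated before the ballot locks


@dataclass
class Ballot:
    """Server-side secret record for one printed codebook."""
    codes: dict                   # vote code -> choice name
    acks: dict                    # choice name -> ack code
    errors: int = 0
    choice: Optional[str] = None  # set once a valid vote is recorded


class VoteServer:
    def __init__(self, candidates, rng=None):
        self.candidates = list(candidates)
        # A seeded rng is accepted only so the demo is reproducible;
        # otherwise the OS CSPRNG is used.
        self.rng = rng or secrets.SystemRandom()
        self.ballots = {}

    def _digits(self, n):
        return "".join(str(self.rng.randrange(10)) for _ in range(n))

    def _distinct(self, k):
        """k distinct codes of CODE_DIGITS digits, so no two choices share one."""
        out = []
        while len(out) < k:
            c = self._digits(CODE_DIGITS)
            if c not in out:
                out.append(c)
        return out

    def issue(self):
        """Generate one codebook: returns what gets printed, keeps the secret copy.
        Nothing here links the codebook to a voter (cards are handed out at random)."""
        master = self._digits(MASTER_DIGITS)
        while master in self.ballots:
            master = self._digits(MASTER_DIGITS)
        n = len(self.candidates)
        votes, acks = self._distinct(n), self._distinct(n)
        self.ballots[master] = Ballot(codes=dict(zip(votes, self.candidates)),
                                      acks=dict(zip(self.candidates, acks)))
        return {"master": master, "choices": list(zip(self.candidates, votes, acks))}

    def cast(self, master, vote_code):
        """Record a vote. Returns the ack code on success, else an error string."""
        b = self.ballots.get(master)
        if b is None:
            return "ERROR: unknown ballot"
        if b.choice is not None:
            return "ERROR: ballot already used"     # a replay cannot double-count
        if b.errors >= MAX_ERRORS:
            return "ERROR: ballot locked"           # bounds guessing attacks
        name = b.codes.get(vote_code)
        if name is None:
            b.errors += 1
            return "ERROR: invalid code"
        b.choice = name
        return b.acks[name]

    def tally(self):
        counts = {name: 0 for name in self.candidates}
        for b in self.ballots.values():
            if b.choice is not None:
                counts[b.choice] += 1
        return counts


def render(codebook):
    """The paper codebook as the voter sees it, in the format of the sample ballot."""
    lines = [f"Master number: {codebook['master']}"]
    lines += [f"  {name}: {v} / {a}" for name, v, a in codebook["choices"]]
    return "\n".join(lines)


def first_code_not_on(codebook):
    """Lowest code absent from the codebook. Stands in for the code a trojan
    substitutes; chosen this way only so the demo is deterministic."""
    printed = {v for _, v, _ in codebook["choices"]}
    return next(f"{i:0{CODE_DIGITS}d}" for i in range(10 ** CODE_DIGITS)
                if f"{i:0{CODE_DIGITS}d}" not in printed)


def demo(seed=None):
    """Honest vote, a trojan's substitution and replay, and a ballot locked by guessing."""
    rng = random.Random(seed) if seed is not None else None
    server = VoteServer(["George Bush", "Al Gore", "Ralph Nader"], rng=rng)
    book = server.issue()
    _, vote, ack = book["choices"][1]                                # voter intends Al Gore
    tampered = server.cast(book["master"], first_code_not_on(book))  # trojan swaps the code
    honest = server.cast(book["master"], vote)                       # voter retries, gets ack
    replay = server.cast(book["master"], vote)                       # trojan resends the vote
    book2 = server.issue()
    for _ in range(MAX_ERRORS):
        server.cast(book2["master"], first_code_not_on(book2))
    locked = server.cast(book2["master"], first_code_not_on(book2))
    return {"ack_matches_paper": honest == ack, "tampered": tampered,
            "replay": replay, "locked": locked, "tally": server.tally()}
```

Running `print(render(server.issue()))` produces a card in the same "choice: vote / ack" layout as the sample ballot, and `demo()` shows the three properties the text claims: the honest ack matches the paper, a substituted code is rejected rather than miscounted, and a replay is refused. With 4-digit codes, three choices and three tolerated errors, a blind guess lands on a valid code with probability at most 9/10000 per ballot; more choices or a looser error limit call for more digits, which is the "long enough" condition above. Note also that a trojan which keeps substituting codes can lock the ballot: the voter is not fooled, but needs a fresh codebook.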

Vote buying is easy with all mail-in ballots: just ask the bought voter to hand you the ballot to fill in or to mail, and you can check it first. It's also easy to do here. It is slightly easier, because the buyer can provide software to confirm the vote, but it's really not a lot easier.

To the system, voting can still be anonymous, as there is no need to connect a registered voter with a particular ballot card. Let them, once their registration is confirmed, pull a random ballot card from the pile, or mail them one. Of course the ballot cards with the magic numbers must be kept secure, as must all mail-in ballots.

Anybody find a window into this system?


There is no way you can make sure that a minor, or somebody else who just happened to steal their mail, isn't doing the actual voting.


I assume that, in the system you describe, the generated voting codebook-ballot would be anonymous (unassigned) and not reusable. They could be unique, but it might be sufficient (and more anonymous) to create a set of voting codebook-ballots, say, 10000 variants in similar quantities. The codebook-ballots would need to be shuffled before distribution.

During the tallying, if a particular codebook-ballot variant had too many votes for its designated quantity, then ballot stuffing would be detected. If excessive erroneous codebook-ballots are scanned, then counterfeits would be detected.

A known quantity of parallel, error-checking codebook-ballots could be submitted by auditors to test that votes cast are actually tallied.

I had a similar idea during the 2000 election fiasco, but it was oriented around verification of the tallying. The idea is that verifiers would be "blinded" (in the crypto sense) from knowing what votes were being added up. Since blinding occurs after the vote is cast, the manner in which the vote is cast is not affected.

A systemic solution to a close race with N candidates, N>2, is to have the voter rank the choices. Sometimes this is called "an automatic runoff". This is a more expressive voting system that captures more information and it completely neutralizes the problems of strategic voting (the problem being that voting against a candidate hides a truly desired vote). This kind of voting is not new; it was used in the Roman Senate.

The news media would not like it at first because it would seem difficult to turn the process into a horse race. Although the tallying would keep track of accumulated permutations, these can easily be digested into a ranked list. When the results are final, the complete histogram of permutations would be more revealing about runners-up, and this information would be able to affect the campaigns of the next election. With this system, a third candidate cannot be a spoiler but could still inject more ideas and discussion into the race.
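The instant-runoff tally sketched in the comment above, as an added example that is not part of the original page or of the commenter's post: the tally stores a histogram of complete rankings, digests it into rounds and a finishing order, and is compared with a plain plurality count on a constructed three-way race. The sample ballots are made up for the illustration, and the alphabetical tie-break used when eliminating the lowest candidate is an assumption of this code, not something the comment specifies.

```python
"""Instant-runoff tally over the "histogram of permutations" the comment above
describes. Added example, not code from the original page; the alphabetical
tie-break for elimination is an assumption made here, not part of the comment.
"""
from collections import Counter

# Constructed sample: a three-way race where the third candidate would be a
# spoiler under plurality. Each tuple is one voter's ranking, top choice first.
SAMPLE_BALLOTS = (
    [("George Bush",)] * 40
    + [("Al Gore", "Ralph Nader")] * 35
    + [("Ralph Nader", "Al Gore")] * 25
)


def permutation_histogram(ballots):
    """What the tally stores: a count per distinct ranking, not per candidate."""
    return Counter(tuple(b) for b in ballots)


def plurality(histogram):
    """First choices only, for comparison with the runoff result."""
    first = Counter()
    for ranking, n in histogram.items():
        first[ranking[0]] += n
    return max(first, key=lambda c: (first[c], c))


def instant_runoff(histogram):
    """Return (winner, rounds). Each round maps the candidates still standing to
    their count of top surviving preferences; the lowest is eliminated until
    someone holds a majority of the ballots that still express a preference."""
    standing = {c for ranking in histogram for c in ranking}
    rounds = []
    while standing:
        counts = {c: 0 for c in standing}
        continuing = 0
        for ranking, n in histogram.items():
            top = next((c for c in ranking if c in standing), None)
            if top is not None:          # exhausted ballots drop out of the count
                counts[top] += n
                continuing += n
        rounds.append(counts)
        if continuing == 0:
            return None, rounds
        leader = max(standing, key=lambda c: (counts[c], c))
        if counts[leader] * 2 > continuing or len(standing) == 1:
            return leader, rounds
        # Eliminate the lowest; ties broken alphabetically (assumption).
        standing.remove(min(standing, key=lambda c: (counts[c], c)))
    return None, rounds


def finishing_order(rounds):
    """Digest the rounds into a ranked list: winner first, then the others in
    reverse order of elimination."""
    order = []
    for prev, nxt in zip(rounds, rounds[1:]):
        order += list(set(prev) - set(nxt))
    last = rounds[-1]
    order += sorted(last, key=lambda c: (last[c], c))
    return order[::-1]


if __name__ == "__main__":
    h = permutation_histogram(SAMPLE_BALLOTS)
    print("plurality:", plurality(h))
    winner, rounds = instant_runoff(h)
    print("runoff:", winner, rounds, finishing_order(rounds))
```

On the sample, plurality hands the race to the 40-ballot candidate while the runoff eliminates the third candidate and transfers those 25 second preferences, which is the "no spoiler" effect the comment describes; the rounds list is the digest of the stored permutations, and the histogram itself remains available for the fuller picture of runners-up.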
