The informed might now become fully aware of all the limitations and problems with it which might cause them to swing too far the other way, in contrast to their previous optimism.
At the same time, however, being aware of these limitations hasn't become mainstream, so the uninformed have to go off of other information - marketing materials and hand wavy explanations of how blockchain will eventually be good for a large variety of problems.
The truth probably lies somewhere in the middle, as it has with most technologies.
While the US system is completely ossified and unresponsive to popular demands, proposals to make voting on everything both ignore the power dynamics at play, voter fatigue, and history.
In the 1789 French revolution, they did try having votes to try to get more and more government officials elected after the overthrow of the ancien regime, but the votes were so frequent that people stopped showing up and the elections became barely legitimate.
Other than that, software elections are prime for tampering, and even if they are determined to be secure by experts, suddenly the mechanisms of democracy are opaque to the masses and become untrustworthy. Making votes less understandable de-legitimizes them.
Lastly, the reason for the ossification of American democracy is due to the fundamental oligarchical design of the 1787 constitution that explicitly saw mass politics as mob rule and feared it. They designed the branches of government as a series of baffles to counter popular sway over policy making, hence a Presidency that requires a vote so large they are responsible to no one in particular (though originally they were elected indirectly by electors), a Senate that was indirectly elected and designed to void popular proposals coming from the house, and a supreme court with lifetime terms that are totally unelected. As an aside, their theory of the separation of powers was that the elites would be mostly in agreement on fundamental issues and fight over control of the branches of government. They were in large part wrong, factions of opposing interests developed and managed to capture the entire government in cycles (so we are living in an edge failure case of the original design).
This system, plus the domination of the economy by wealthy interests, first the slave owning planter class and later the capitalist corporate class, prevents and subverts popular democracy at every turn except where the public's preferences coincide with the real rulers.
Voting is simply a preference expressed to the rulers. It doesn't in any way carry a mechanism for enforcement and enactment and is highly susceptible to all kinds of manipulation, especially when voters are individualized and do not deliberate in organizations and vote in blocks.
If you want your voice heard, take to the streets and/or join an independent party that include non-electoral tactics such as strikes.
>Needless to say, this entire post is predicated on good blockchain scaling technology (eg. sharding) being available. Of course, if blockchains cannot scale, none of this can happen. But so far, development of this technology is proceeding quickly, and there's no reason to believe that it can't happen.
The reason to believe it can't happen is that it hasn't. like factoring large numbers.
First of all, this is an old article (also discussed at time of publication, I believe). Second of all, it seems to be a headline-grab during the "fake election" foment of earlier this year, and contains nothing particularly substantial.
I will say, it's a bit funny that Buterin's thesis is "voting would become much more efficient, allowing us to do it much more often." This is just printed as apriori true (and good -- at least in a societal sense), but our democracy (at least in the States) is representative. In my heart of hearts, I'd love to believe that a direct democracy is the "best" form of government -- tangentially, this is the argument of most DAOs. Unfortunately, I just don't think this is true. Most people are dumb, easily manipulated (not coerced, as Buterin belabors). Dumb people voting all the time is a recipe for disaster.
W. E. B. Du Bois makes a great case for this in his The Talented Tenth[1].
I don't think he's arguing that voting for a presidential election should be done all the time, but you can use this mechanism for voting on things that would be unfeasible to vote on with paper ballots. Local issues that can be voted by the whole citizenry instead of just a city council. Instead of voting for people that can make decisions for you, you can make those decisions yourself alongside all others who are interested. It seems like a pretty democratic idea to me.
The whole setup of blockchain voting ignores the vast economic pressures at play here. Blockchains only work if the payoff for cheating the system is lower than the cost of PoS or PoW or whatever consensus mechanism is at play.
The issue is that the results of major elections have truly massive economic consequences.
A president of the US has a powerful say over trillions of dollars in funding.
Meanwhile, total mining revenue for something like Bitcoin is "only" $18 billion per year.
Like I said a little higher in this thread, I don't think that the concept of electronic voting using a blockchain ledger needs to be mapped on the concept of cryptocurrencies.
The way I'm thinking this can work is having an organization (the tallier) that creates ledgers for a particular vote (ie, a specific question being asked: Should our city allow construction on Lot A1?)
The "voter" can submit a request to participate in this vote in an "enrollment" step. The success of this process leaves the voter with a public/private key that is known to the "tallier" (the public part) and allowed to vote but is not a direct way of identifying the "voter".
In the voting period, the above key can be used by the voter to cast a ballot (a yes or a no in the example), the payload of the vote can not be decrypted unless you are the tallier, from the outside you can only see that a particular key has cast a ballot.
The tallier can see that one of the enrolled keys has cast the ballot, it decrypts the vote and adds it to the tally.
Once the voting ends, the tally is finalized and the ledger is closed and archived.
Why does this require blockchain ledgers, you might ask. Because the information in the ledgers, the voting one and the enrollment one need to be public and at the same time tamper proof. If there's another technology that can offer that, maybe it should also be a candidate, but personally I haven't researched enough to know of one. :)
I think that a lot of people in this thread seem to not realize that blockchain is not just cryptocurrencies.
I grant you that the topic of how a voter is allowed to vote is not discussed properly in the article, but I don't see that the assumption is made off hand that you need to own BTC or ETH to do so.
My own interpretation of this is that such a voting ledger would be free to participate in and interacting with and, it would be regulated by some mechanism of enrollment based on electronic identification.
I replied to this somewhere else in the thread, but the main benefit is the fact that the ledger can be stored publicly, unlike a database. This allows for better transparency and auditing when it comes to how votes get submitted to it.
Someone else said that a git repository can be used for a subset of this mechanism also, and I agree mostly agree.
So probably a crypto ledger is not the only way to implement a transparent method of electronic voting, but it has a lot of the properties that are required for it.
Databases can be made available publicly. And a permissioned blockchain is controlled by third parties that can control what gets written to it, just like a database. You can have a public database that anyone can download and audit, and that can be rendered effectively immutable via that auditing.
Transparency is also problematic for voting records since votes need to be private to prevent coercion. The fact that I don't know how you voted is a security feature that prevents me from threatening you to vote a certain way.
And once you've watered down blockchain to mean 'git' then its lost most of its meaning. And why do you need a merkle tree in that case? Why does your data need to branch? Why do you need diffs? Why do you need anything more than a table full of votes?
You could do some kind of cyrptographic signing of votes so that it established a cert chain for a given vote, but hid the identity other than perhaps zip code, so then it was auditable that the CA had signed a given number of certs from a zipcode and that a given number of votes had been received from each zipcode so that it was auditable that way, while producing public voting results at a geographical granularity (zipcodes with very small numbers of people might still be a problem). But none of that requires what we consider to be blockchain crypto in this day. You don't even need git, you just need a PKI and some old school 90s era cryptography and a database.
I don't think there's a way to make a database public in a binary form at scale. Any other format than binary would not represent the real data in my opinion.
Votes need be private only in as much as who is the voter, I replied in post #28976010 with how this would be handled, but the basics would be that there's not a direct way of linking a voter with their public vote.
The merkle tree is needed for the same reason as in git, to have a well defined relationship between votes. Branching is for having multiple vote items in the same ledger. Diffs are for auditing.
I'm not saying that a blockchain ledger is the definite technology for storing this kind of information, but to me it looks like it has a lot more desired properties than a database.
In the end you need blockchain technology to have a chance to sell this to people. If you bundle a certificate authority and a postgres database with a crud interface nobody will be excited by it.
The first iteration of this type of software needs not be perfect, it needs not be used for electing the president of the Universe, it is fine if a company uses it for selecting the color of wallpaper for the break room. We need to start doing things in this direction, because the world is getting bigger and the populations grow bigger and paper ballots won't scale forever, and most importantly it could lower the effort for participating in elections to the level that politics can be reimagined into something that resembles a democracy better.
[edit: sorry for the pathetic last part, but I feel pretty strongly about this]
I think the Tom Scott video on electronic voting from years ago remains the most convincing argument to me that it's a bad idea (https://www.youtube.com/watch?v=LkH2r-sNjQs). To summarize, even assuming you can solve properties like correctness, censorship resistance, privacy and coercion resistance. The fundamental problem with digital is that any exploit of any of these properties you ever have scales really well. Messing with a paper election requires a lot of people working together across the entire country. A digital hack just requires one smart person
Yet many rich democracies have been using electronic voting without issue. There’s an entire field of science and engineering for securing digital democracy, don’t take a single YouTuber as your source (ftr, I like Tom Scott’s videos too)
And on top of that there was massive fraud with votes due to re-voting option existing. Certainly Russia isn't a country that you want to take as example in anything related to democracy.
Personally I'm not convinced that an attack against an electronic ledger can scale in all cases.
If the model of an electronic vote relies on individual keys having cast votes (following something like a vote enrollment), the attacker will have to spoof all those keys for the result to look authentic and at the same time be malicious.
Depending on how those "keys" have been generated in the enrollment, this could be difficult to scale. The most basic premise would be that the "tallier" and the voter create this key together, and once committed to the ledger can't be tampered with by any of them. A vote must be signed with this key. The voter can override their vote at any time while the election runs. (This is something that I'm paraphrasing from the article actually)
This does not scale as it requires a malicious actor to hijack enrollment and voting for a large number of voters. If enrollment is being done based on a physical device (eg, electronic ID card) it's even less so.
Electronic voting isn't a bad idea. Paperless electronic voting is a bad idea.
I will never trust voting machines that do not print and store a paper ballot. But it's practically impossible to change or remove votes with a machine that does store them.
Once the votes are recorded (on paper), you only need to do two things:
- ensure the paper count matches the electronic counts
- ensure the paper count matches the count of voters
You can also spot-audit or fully audit the results to ensure that the tallies for individual candidates match between paper and electronic tallies.
I didn't read this thoroughly enough for much comment, but this jumps out:
> But voting also requires some crucial properties that blockchains do not provide:
> Privacy: you should not be able to tell which candidate some specific voted for, or even if they voted at all
While the content of the ballot is sacred, the act of participating in the election cannot be.
The pollbook is a database, with all of the security and maintenance hassle a database implies.
As an election officer and ballot Luddite, I also think that elections argue for lower tech in the case of the ballots.
Tech is swell (reponding on a a Galaxy Note 10+ here) but tangible ballots seem a hedge against shenanigans that no multi-page mathematical proof of block-chainy grooviness can penetrate.
This article reminds me of every other article I've seen about blockchain voting. None of them start with a threat model. None of them talk about what's broken with voting. Mostly they just dive into technology, relying on the reader's imagination to address these points.
Here are some simple questions:
1. What are you trying to protect in a vote?
2. Why can't an SQL database with whatever levels of cryptographic assurance you'd like to add do the job?
3. What does a blockchain add to (2) that no other technology does, regardless of cost?
These questions are never answered, and indeed they are not answered here either. Instead, these articles lead with technology and rarely get around to what matters.
Often there's something like this included in the article:
> Blockchains are a technology which is all about providing guarantees about process integrity. If a process is run on a blockchain, the process is guaranteed to run according to some pre-agreed code and provide the correct output. No one can prevent the execution, no one can tamper with the execution, and no one can censor and block any users' inputs from being processed.
No. A block chain is a timestamping mechanism. Within certain very narrow boundaries, it makes certain guarantees about the relative ordering of events. A tamper-resistant log file? Yes. A solution to voting? Does that involve relative event ordering? If so, is that the central problem?
Electronic cash systems like Bitcoin will work work just fine without a blockchain, provided they can solve the double spending problem. Bitcoin solved it with a system for ordering transactions based on proof-of-work. There are other solutions, but all suffer from censorship pressures in ways that Bitcoin does not.
> 3. What does a blockchain add to (2) that no other technology does, regardless of cost?
Not defending blockchain, but this seems like an absurdly high standard. To me, the cost of a technology is definitely one factor in evaluating what is better or worse for solving a given problem.
I somewhat agree, but with the amount of money that has already been spent on failed electronic voting systems, I think "regardless of cost" is pretty accurate here.
It might be a bit strong — I would phrase it as “What does a blockchain do better than the alternatives?” — but I think it's justified in this cause because of how inefficient blockchains are for most problems. It's not just the cost of all of the extra hardware but also the design impacts of what operations you consider fast and the reliability impact of a shared global view.
In particular, in this case the question I'd be asking is “how is this better than PKI?” because that can do the job with multiple orders of magnitude less overhead and would be suitable for use in scenarios with limited bandwidth or which are completely offline, which is realistic for voting.
Right - it seems like at most what you want is a Merkle tree published at the end of the election, with all counted votes (in a coercion-resistant way, using the mechanisms described). Need to order events to support a more complicated protocol? Do a "Merkle linked list" (i.e. a blockchain-ish thing but without a consensus mechanism, like a TPM PCR+audit log combination).
Why do you want to use a public blockchain? Well, they try to explain that.... try.
"So why is a blockchain better than a special purpose bulletin board? The answer is: setting up a k-of-n system that's actually trusted is hard, and blockchains are the only system that has already solved it, and at scale. Suppose that some government announced that it was making a voting system, and provided a list of 15 local organizations and universities that would be running a special-purpose bulletin board. How would you, as an outside observer, know that the government didn't just choose those 15 organizations from a list of 1000 based on their willingness to secretly collude with an intelligence agency?
Public blockchains, on the other hand, have permissionless economic consensus mechanisms (proof of work or proof of stake) that anyone can participate in, and they have an existing diverse and highly incentivized infrastructure of block explorers, exchanges and other watching nodes to constantly verify in real time that nothing bad is going on."
"anyone can participate in" is absolutely hilarious in this context. It's true, in the sense that pretty much anybody can buy a few kilograms of gold- if they have the money. Proof of stake is the most obvious here, because it's literally "the more money you have the more power you have"- there's SOME argument that this makes sense when the decisions made by stakers directly relate to the value of Ether, the idea being "rich person won't try to manipulate consensus, because that would make them much less rich" (especially if they actually get slashed). i.e. they have a stake in keeping consensus fair. But doing real-world elections breaks this entirely. Proof of work functions similarly, just indirectly, and also while spewing CO2 into the air and sucking down semiconductor manufacturing capability.
Now, a common answer is "well, yes, but we could detect that manipulation happened after the fact, and then re-hold the election or whatever, possibly slashing malicious validators if we can somehow encode that into the protocol at a lower layer". Congratulations, you've figured out why blockchains are useless here. The actual security comes from being able to detect fraud- and a single Merkle root published by the government per election (and signed, so any forks could be immediately detected and proven bad).
In other words, you want Certificate Transparency, not Ethereum. CT solves exactly the problem Ethereum tries to solve here, and does it much better, and without the obvious conflict of interest cryptocurrency voting advocates have (that if a government did use, say, Ethereum for elections, it'd drive the price way up, so anybody advocating that who also holds Ether has a bit of a credibility problem right out of the gate!)
And this is all predicated on cryptographic voting being a good idea in the first place - in the short term, it's just not. You can verify the protocol, but you can't verify the endpoint- are people going to vote on their own devices? Just wait til the first claims (justified or not) that a major botnet flipped votes undetectably (and coercion-resistance guarantees that it really can be done undetectably). Or maybe on voting machines like we have today? Take a look at what happened to Dominion last cycle- so much for making elections more trustworthy.
Paper is actually incredibly useful here, because it doesn't run code and everybody knows it. (You could say "oh this CPU has all its code in mask ROM and the code is formally verified" and maybe I c...
The second half of that summarized: if you want to do cryptographic voting, OK- but print out paper ballots too, with both the votes in human-readable format and a QR code or something containing a hash of the protocol transcript or something that allows confirmation that the cryptographic vote matches the votes printed on the paper. Then do risk-limiting audits.
I don't find your model of the paper ballot much safer than the one of voting through an electronic device. Yes the paper might say you voted for A, but the chain of interactions between you placing the vote in an urn and the vote being counted for A, is as long and as uncertain as in the electronic model.
You choose to trust the humans more, which is fine, but applications (or why not) devices with a well defined audit trail that they're doing what they're supposed to do are equally trust worthy (at least for me).
> 2. Why can't an SQL database with whatever levels of cryptographic assurance you'd like to add do the job?
> 3. What does a blockchain add to (2) that no other technology does, regardless of cost?
I'll preface this by saying that I'm not a blockchain expert, but from the comfort of my own armchair I consider that the main benefit over a regular SQL database is the fact that you don't need to make it secret and protect it.
There might be other methods for storing a well-ordered list of events in a difficult to tamper with but at the same time public repository, but I don't know of any.
> I'll preface this by saying that I'm not a blockchain expert, but from the comfort of my own armchair I consider that the main benefit over a regular SQL database is the fact that you don't need to make it secret and protect it.
What are you needing to make secret or protect?
> There might be other methods for storing a well-ordered list of events in a difficult to tamper with but at the same time public repository, but I don't know of any.
Look at all the repositories up on github that are doing exactly this. I don't know why you would need to store voting results as well-ordered, but if you wanted to it's easily possible.
Non repudiation and transactional sequencing and public
Ledger, no problem. Merkle trees, no problem. Block chain is instant problem. It's just crap marketing of fundamental concepts that we need and do use.
It's like confating good statistical methods with marginal use cases for the techniques.
Most people understand that you can trade speed or quality. I do not understand why the uniformed public thinks learning about potentially inaccurate election results quickly is preferable to accurate election results slower.
I'm happy that this article recognizes the need for coercion resistance. But the second problem is stated too weakly: the issue isn't that voting software is insecure, it's that it's too complex.
You could convince a person who doesn't know how to read that paper ballots are a working system (vote box is empty; votes go into box; box is emptied and all votes tallied). Only a small fraction of society could be convinced of the correctness of the tallying scheme in Fig. 2.
You could argue that there are a lot of facets of modern society that the average citizen doesn't understand the details of, but voting is the cornerstone of democracy. Public trust in the voting system is crucial. The only way to reliably achieve that is through an understandable system, and so far the only understandable voting system I've seen is paper ballots.
> the issue isn't that voting software is insecure, it's that it's too complex.
That's a great point, and quite understated. However, perhaps the key factor is not complexity itself, but being able to be trustworthy and transparent enough to ensure that the whole process is unquestionably fair.
If anything, recent events demonstrate that, even if elections are free and fair, electoral systems can and will be attacked with the goal of casting doubt on the outcome to try to subvert its results. Any part of an electoral system that relies on non-trivial processes that are not easy to explain, understand, or verify is a part of the process whose credibility can and will be attacked.
If you've followed the entire "voting fraud" debacle of the 2020 presidential election, there were an absolutely brutal amount of outlandish ideas of how the vote was manipulated using technology. Something something satellites and the Vatican and CIA killing people over a briefcase in Frankfurt and Hugo Chavez' spirit and Dominion voting machines and the router logs and mysterious traffic and Chinese IP addresses and god knows what else kind if idiocy was dreamed up.
But all of that, every single crazy piece of it, is completely irrelevant, because at the end of the day there exists a collection of paper ballots that represent how people voted in the election. Anyone can count and recount those ballots to their hearts content, and doing so is incredibly simple. You just divide the ballots into piles according to what their vote is for, and then you count the size of the piles.
Anyone can do that. Children can do that. Senior citizens can do that. No technology required, no technological understanding is required, and no technological bullshittery can cast uncertainty on the result, as the Arizona fraudit hilariously discovered when they divided the paper ballots into piles and counted them and got the same result as before.
The way to solve the problem of untrustworthy technology is not to have some geniuses come up with a bulletproof crypto-secure blockchain buzzword voting scheme that us mere nerds can understand after having it explained to us. The solution is to remove technology completely from the equation, and paper ballots and envelopes and urns are the way to do that.
For completeness some of the theories included that paper ballots were tampered with, falsified, or not counted correctly.
Seems a little less outlandish than the idea that there was some vast conspiracy involving Trump and Putin to hack the previous election, but I guess that's not a high bar.
i've always thought the way to do this would be to combine paper based ballots with multiple counting apparatus that are operated by the competing parties and the state.
i fill out my slip and i run it through the red machine, the blue machine and the county machine. they all display a hash/sum of the total counts thus far, i verify each machine has the same thing on its display, i put my paper into the lockbox at the end and done. then when the election is over, the counts agree or they don't, and if they don't there's a big public rescanning.
of course the big threat is coercion. if one of the parties put a camera on their machine that sees me put my slip in, or they're counting ballot sequences, they can match my vote to my identity... but... since each party has representatives present to watch over their machines, they also can also check the machines of each other for those sorts of things. (ops and election watching become one and the same)
it would just be cheap document cameras and socs with open source software. totally doable, i think. you could even have like, different hardware architectures for each group if you wanted to protect against nationstate level hardware attacks.
also, i'm sure there are things in that rich literature of voting crypto that could also help with obscuring voter identity... but hey, this would be a good start.
it's not blockchain, but it takes one of the biggest ideas from cryptocurrency, i think. (double/triple entry accounting)
sure, but there's this notion of "oh the election is crap because shady things happened in the back room." if you have three counts, which shouldn't get out of sync in the first place, then the margin for contesting the election shrinks considerably!
although, of course, there is no technical fix for someone who trolls the process if they don't get what they want. i do think there's value in making it feel a lot more like there's less blind trust in times of contentious elections though. maybe it would just be theater and not really achieve much more than what we have today in terms of real security, but if by showing realtime hashes of the counts that agree as a voter scans their votes in each machine, especially if one of those machines is operated by people they trust, increases trust in the process, then it seems a great net win.
I trust people (as a group; individuals can be real dicks) more than a literal black-box that can’t really audited because the software is proprietary.
As noted elsewhere, election fraud with paper doesn’t scale well. With software, it might (depending on implementation).
HN's perception of what's going in the decentralization and crypto sphere - commonly grouped under the "web3" moniker - is startlingly out of touch. There is incredible engineering going on and I know it's hard to see past the cryptobro noise, but the cypherpunk thing we all fetishized in our early years is happening _now_, not in the 80s and 90s.
The incredible engineering solving real problems better than before? There's so much noise that it's hard to find people shipping solutions for real problems rather than describing a hypothetical future state.
Part of the issue might be that there aren't a lot of conventional problems being addressed here in the same way that relational databases or spreadsheets addressed the problems of the business world of the day. A lot of the engineering going on that's impressed me has centered around DAO operations. If 10 years ago someone told me that there'd be multi-billion-dollar treasuries governing themselves without a conventional leadership structure, I wouldn't have believed them. There are obviously problems with some of these manifestations to date, but there's also an unbelievable amount of effort being put into them. I recommend you check out how Shapeshift(a formerly private company, now DAO) is structured.
I am actually involved in web3 app development, but do you have any examples of where any of this engineering even applyable to real world problems?
I see a lot of potencial, but so far only real use I see is crypto being good financial system replacement for people living in failed state / authoritarian regimes. It's enough to justify it's existence, but who suppose to want web3-powered tech in countries with working law? And why?
I think decentralized identity has a lot of potential. Using a web3 app was kind of an eye-opening experience to me - I didn't make an account, and the developer of the app isn't managing the data involved. There's tradeoffs here from a usability and security standpoint(now I'm responsible for everything and nobody can help me if I lose my keys). But I think this stands some existing preconceptions about the way the web _has_ to work(just because it always has worked that way) on their head.
The three questions I always ask for an identity solution:
1. What's the barrier to using your app? Past experience suggests that large numbers of people will drop off as difficulty ramps up unless you're either giving away money or gate-keeping something people have to use (e.g. your insurance company's signup process can be terrible up to the point that you switch).
2. Who handles impersonation? (e.g. how do you keep someone from making the news by registering “donaldjtrump” and posting something?)
3. Who handles user error or compromise? e.g. if my phone or laptop is stolen, how screwed am I?
1. The barrier is using a wallet of some kind. For me this difficulty kind of goes both ways - one, we've primed everyone already to expect to "sign up" for an account as it is, but in this realm they only need a wallet(a one-time operation). You go to a web3 site and click "connect wallet", approve, and that's it. In order to actually _do_ anything in terms of mutating your wallet's state, you have to willingly accept the transaction.
2. Impersonation depends on the application in question. It is a subject with a lot of attention, and I've seen varying proposed solutions for "proof of uniqueness". This is a good jumping off point imo: https://www.microsoft.com/en-us/security/business/identity-a...
3. This is where things diverge sharply from "web2". There is no "forgot password" or support infrastructure that can come to the rescue. At this current moment you are screwed. But there are some promising ideas that could address this - look into "social recovery".
Blockchain voting is how we get a world where no one trusts the results of elections because very few people have the knowledge and experience to understand and audit such a system.
Should an election be called into question, suddenly the public must rely on only a handful of oracles that can interpret the votes and assure everyone that everything is fine because of "crypto" and "blockchains".
With paper voting, anyone who can count can participate in a recount or audit. In comparison, there are multitudes more experts who can audit an election via paper votes.
> Over the long term, insisting on paper permanently would be a huge handicap to our ability to make voting better. One vote per N years is a 250-year-old form of democracy, and we can have much better democracy if voting were much more convenient and simpler, so that we could do it much more often.
I'm not willing to sacrifice trust and the easy ability to verify elections, or hand control of democracy over to technologists, just so we can vote via apps on our phones.
What!? There are 40 M developers worldwide. If you're developer, you can definitely learn how to read a public database. Faking results on a public database is IMPOSSIBLE.
Impossible? That’s a huge leap. Assuming lots of things are implemented as stated, and done so without crucial bugs, maybe. But neither of those things are impossible to mess up.
> Blockchain voting is how we get a world where no one trusts the results of elections because very few people have the knowledge and experience to understand and audit such a system.
You mean as opposed to the current system that so many people understand and audit?
> You mean as opposed to the current system that so many people understand and audit?
Yes, we already have a trust problem with one of the simplest methods of voting, and the implication is that mathematical obfuscation via cryptography and blockchains can make the trust problem even worse.
The last election had volunteers from both sides of the aisle count votes, while a ton of normal people watched them as observers. Last year, we saw a lot of Trump supporters who were convinced the election was stolen act as election observers. The process is easy for them to engage in, as well as to observe, because they're literally just counting votes. Anyone can observe and see for themselves that nothing nefarious is going on, and they don't need to be experts to do so.
> The last election had volunteers from both sides of the aisle count votes, while a ton of normal people watched them as observers. Last year, we saw a lot of Trump supporters who were convinced the election was stolen act as election observers. The process is easy for them to engage in, as well as to observe, because they're literally just counting votes. Anyone can observe and see for themselves that nothing nefarious is going on, and they don't need to be experts to do so.
And how did all that work out for public trust in elections?
The problem here is that, even if you personally can go validate your local election, anyone can just claim the fraud was somewhere else. A cryptographic voting system allows any citizen to validate the entire election. The value of this is very significant. Right now a right wing website can just claim say, the CA elections were riddled with fraud. The only way to even approach "disproving" that is to request data from the city/state officials...who those people do not trust in the first place. A publicly auditable voting system would short circuit all of those issues.
It doesn't need to be interpretable to every single person. What it does need to have is no specific plausible fraud narrative. Right now Trump et al can simply claim ballot stuffing, or any number of other kinds of fraud. Disproving that requires access to records that most people cannot obtain, and so the narrative can retain credibility for those disposed to believing it.
It's true that most people will not understand the cryptography underlying an auditable voting system, but they don't need to. In order for someone to implant a fraud narrative, they will need to come up with an explanation for how the fraud occurred. Once they do that, it will be relatively straightforward to debunk those narratives in a clear way, that, critically, does not rely on faith in trusted third parties.
> A cryptographic voting system allows any citizen to validate the entire election.
Really? Think about what we saw when the Republicans tried to claim the 2020 election was rigged and ask how a massively complex distributed system would change that.
When someone argues that fake or dead people voted, the blockchain doesn’t help – you can show transactions but that doesn’t and cannot show that they were made by people who were eligible voters, and privacy makes it important that this never change. This is the same reason why blockchain systems like supply chain management fail: if you trust a third-party, you don’t need a blockchain. If you don’t, layering overhead on top won’t change that.
Similarly, I really don’t see how the argument that people don’t need to understand cryptography to trust the system. You’re talking a massive, complex software system run in thousands of locations and, as we’ve seen, absence of evidence will simply be cited as proof that people covered their tracks well. Look at how many people believed conspiracies based on the hex gibberish or Windows security settings which various Trump acolytes were pushing — they had no trouble coming up with explanations which many people believe long after the subsequent debunkings.
The underlying problem is that a blockchain system still depends on trusted third parties. You need to verify that someone is eligible to vote and that their vote was accurately recorded. Think about all of the claims over the years about machines recording votes for a different candidate than the user selected, moving buttons right before someone clicked, etc. – there’s no way to solve that by adding more software. Did a bunch of people get bused in to vote for someone else? A blockchain cannot solve that – you need a trusted third party, and calling them an oracle doesn’t mean that’s not what they are.
What does work is the current system: the fact that bipartisan witnesses watched people being checked against voter rolls, paper being counted, and recounted, etc. meant that most people accepted the results. It’s not perfect but it works well and the fact that it’s distributed means that flaws or cheating don’t scale the way a digital system would.
The danger we face now is from ideologues perjuring themselves, and a blockchain won’t change that because the problem is that they don’t want to accept the results and are actively trying to subvert the system. A blockchain won’t help with the new rules being put into place to allow political interference or suppress voters, but it will distract from the things which might.
> Really? Think about what we saw when the Republicans tried to claim the 2020 election was rigged and ask how a massively complex distributed system would change that.
A massively complex system that can be validated from a single point. That is the key component.
> When someone argues that fake or dead people voted, the blockchain doesn’t help – you can show transactions but that doesn’t and cannot show that they were made by people who were eligible voters, and privacy makes it important that this never change. This is the same reason why blockchain systems like supply chain management fail: if you trust a third-party, you don’t need a blockchain. If you don’t, layering overhead on top won’t change that.
Sure, the fact that it does not solve every problem does not mean it isn't a viable improvement. It solves a large class of trust problems in elections, and is orthogonal to the remaining ones.
> The underlying problem is that a blockchain system still depends on trusted third parties. You need to verify that someone is eligible to vote and that their vote was accurately recorded. Think about all of the claims over the years about machines recording votes for a different candidate than the user selected, moving buttons right before someone clicked, etc. – there’s no way to solve that by adding more software. Did a bunch of people get bused in to vote for someone else? A blockchain cannot solve that – you need a trusted third party, and calling them an oracle doesn’t mean that’s not what they are.
This is not necessarily the case. Cryptographic tokens can be issued to eligible voters. Yes, you still need to trust that the issuing authority is legitimate. But that is much easier to validate. Anyone who feels they are eligible but didn't receive one can say so. Anyone who did receive one can validate that their vote was counted.
> What does work is the current system: the fact that bipartisan witnesses watched people being checked against voter rolls, paper being counted, and recounted, etc. meant that most people accepted the results. It’s not perfect but it works well and the fact that it’s distributed means that flaws or cheating don’t scale the way a digital system would.
Right, but that relies on people in Texas trusting people in California - an inherently unstable system. Allowing the entire thing to be validated from the center is a massive improvement.
> A massively complex system that can be validated from a single point. That is the key component.
…
> Sure, the fact that it does not solve every problem does not mean it isn't a viable improvement. It solves a large class of trust problems in elections, and is orthogonal to the remaining ones.
Can you explain which problems you believe this solves, in detail? It's categorically untrue to say that it can be validated from a single point and I think that's the key gap in these solutions: voting involves people and that happens outside of what a software system can see. You can deploy a VC's dream of ineffective technologies and you'd have made no progress on the core question of whether the votes you tallied were cast by legitimate voters and recorded as they intended.
> This is not necessarily the case. Cryptographic tokens can be issued to eligible voters. Yes, you still need to trust that the issuing authority is legitimate. But that is much easier to validate. Anyone who feels they are eligible but didn't receive one can say so. Anyone who did receive one can validate that their vote was counted.
This adds new problems: if this uniquely identifies the person and their vote, your boss, union, pastor, etc. can demand that you show them you voted the way they wanted to. If it doesn't, you have the problem that it's very hard to disprove claims that a vote wasn't recorded correctly by the system or that someone ineligible was allowed to vote. Doing it cryptographically means that your system is now far more brittle and people have to trust a complex software stack which statistically nobody can audit as opposed to simple, robust paper ballots which can be understood by grade school children.
> Right, but that relies on people in Texas trusting people in California - an inherently unstable system. Allowing the entire thing to be validated from the center is a massive improvement.
How does a blockchain change this? Texans are still going to claim that people in California shouldn't have been allowed to vote for the other party — they'll change the lies they're telling from saying that people are sneaking in bags of ballots to, say, claiming that the voting machines changed votes after recording them, people who weren't supposed to be eligible were allowed to vote, etc. A blockchain won't solve any of the complaints we saw about, for example, dead people voting — that takes local authorities on the ground, all over.
> Can you explain which problems you believe this solves, in detail? It's categorically untrue to say that it can be validated from a single point and I think that's the key gap in these solutions: voting involves people and that happens outside of what a software system can see. You can deploy a VC's dream of ineffective technologies and you'd have made no progress on the core question of whether the votes you tallied were cast by legitimate voters and recorded as they intended.
I mean a system in which each eligible citizen receives a cryptographic token. They use that cryptographic token to vote. At the end of the tallying process, the government publishes a cryptographic object, that allows every individual to compare their token to it and validate that the vote of their token was counted, and counted correctly.
This can be accomplished without facilitating vote buying by displaying a message to the voter at the time they input their vote, inside the voting booth. Without that message, you can validate that your vote was counted, but not who it was counted for. With that message, again visible only in the booth, you may validate who it was counted towards.
This does not mitigate the problem of validating eligibility. It does mitigate the problem of accurate counting of votes cast.
> This adds new problems: if this uniquely identifies the person and their vote, your boss, union, pastor, etc. can demand that you show them you voted the way they wanted to. If it doesn't, you have the problem that it's very hard to disprove claims that a vote wasn't recorded correctly by the system or that someone ineligible was allowed to vote. Doing it cryptographically means that your system is now far more brittle and people have to trust a complex software stack which statistically nobody can audit as opposed to simple, robust paper ballots which can be understood by grade school children.
Right, you need a blinding solution such that the information required to prove direction of vote is visible only in a secret, ephemeral context (e.g. voting booth). There are complete proposals with this feature, I believe.
> How does a blockchain change this? Texans are still going to claim that people in California shouldn't have been allowed to vote for the other party — they'll change the lies they're telling from saying that people are sneaking in bags of ballots to, say, claiming that the voting machines changed votes after recording them, people who weren't supposed to be eligible were allowed to vote, etc. A blockchain won't solve any of the complaints we saw about, for example, dead people voting — that takes local authorities on the ground, all over.
The blockchain piece isn't particularly important. I think merkle-tree like cryptographic objects can be useful in validating systems like this efficiently, but they are not necessarily an essential feature.
You're right that Texans may still claim that ineligible Californians voted. A cryptographic system does not address the problem of validating eligibility, that is outside its scope. It addresses the problem of accurate, verifiable tallying. So that there are no viable stories of ballots being thrown out or otherwise miscounted.
> A massively complex system that can be validated from a single point.
...by nerds.
Which is the entire problem of any kind of digital voting. It's not enough that some people can validate it, everyone has to be able to do it. It's not ok that you need to understand computer science to be able to do it.
Agreed. The lack of trust in the 2020 election isn't because the voters have a reason not to trust it, it's because they have a need to not trust it - a psychological need. And they'll follow the flimsiest of evidence to fulfill that need.
Obfuscating the election results with a cryptographic framework that only PhDs understand (which incidentally, they trust even less than the under-educated) would be a disaster. It would provide the kooks and charlatans with more than enough fodder for all manner of conspiracies. I can just imagine them grepping the blockchain for "666" now...
> You mean as opposed to the current system that so many people understand and audit?
The current system is trivial to explain, understand, and more importantly audit. I defy you to find a simpler, more robust system that the average Joe can and does understand.
Meanwhile, it's easy to understand how a complex system involving blockchains can and will be subjected to attacks exploiting it's opacity, or even the fact that it exists only in electronic form.
Let's put it this way: attackers even try to attack the very existence and legitimacy of boxes of paper ballots that are always on display and protected by security forces.
I don't understand all the details of our voting system. Maybe you do. But how exactly our system secures itself is quite complex, and I think the evidence for that was pretty straightforwardly demonstrated in the last year.
The claims Donald Trump made about the election were false. But why, exactly, they were false is extremely difficult to explain, and honestly impossible for the average person to validate. The promise of blockchain voting is that a sufficiently motivated private individual could validate the entire election. That is presently not physically possible in our system.
Of all the complaints about blockchain voting this seems to me like one of the least valid ones. People don't have the slightest clue how traditional vote counting and recount procedures work until sometimes goes wrong and it makes the news, and at that point it's literally impossible for the average citizen to do any form of auditing whatsoever.
> People don't have the slightest clue how traditional vote counting and recount procedures work until sometimes goes wrong and it makes the news
And yet we can pull almost anyone off the street from both sides of the political aisle to participate in a non-partisan recount or audit and have it work out, which is what happens. We can't do that with blockchains.
Sure, but it's still a tiny portion of people who can be chosen to count the votes, and each one can only verify that they themselves have counted accurately.
I think there's value in the fact that voting is transparent enough that anyone can verify elections. There's also value in "John Doe from church and my cousin helped with the recount" versus "Three top 'experts' say it's fine, but I heard two of them work for Facebook!" or "We just have to trust what Palantir's consultants say."
What do you mean? I’m pretty sure a random citizen cannot just ask for millions of ballots and count all of them. When you help counting, you’re only counting a tiny portion of the ballots.
That may be true in the US today, but other countries have voting systems that are easier to understand and more transparent.
Let's take a reasonable threat model. The society is heavily fractured. Not in an inconsequential way as in the US today, but more like Europe between the world wars. Communism and fascism were mainstream, and there was a credible threat of a civil war. (Not to mention a fair number of actual civil wars.)
Consider an average voter who does not trust the election authorities or the companies providing hardware and software for the elections. Maybe they are a communist who assumes that every major tech company is on the other side and actively trying to tamper with the elections. If the elections are actually run in a (mostly) fair manner, will that person trust the results?
That happened many times in the early 20th century Europe. People who had no reason to trust the elections still believed in the legitimacy of the results, which probably prevented civil wars.
> People don't have the slightest clue how traditional vote counting and recount procedures work until sometimes goes wrong and it makes the news
Is that really the case? It seems far more common that the problem isn’t that people don’t understand how it works but is rather that they don’t like the result and pick that as an excuse.
When evaluating a proposed new system, we have to think about it outside of contexts where everyone is acting in good faith — the current system survived hundreds of challenges because it’s simple, robust, and anyone can understand how it works and that cheating would require moving millions of pieces of paper in locations around the country, which is very hard to conceal. Try to think about how a complex digital system would offer new avenues for complaint to the same well-funded attackers whose claims are not constrained by facts or reason. As we’ve already seen, even if the new part was perfectly implemented all they’d do is shift to where it interfaces with the real world (“I hit A and it changed it to B!”, “These people weren’t eligible to vote and I just know they voted for the other guy”, etc.). Since it wouldn’t be perfect, it would just afford new angles for misrepresenting things to a willing audience – as we saw with those fake “pcaps” or claims that China was connecting to the voting machine servers.
Problem isn't just in ease to audit. Biggest advantage of paper voting is that whole system require a lot of people to participate in orgnization and control over the process. It's a great way to make people really care about politics.
And for people who vote when you have to physically come to vote it's not only require effort, but also motivate their peers and family to do the same. And it's good starter of real world political discussion.
On other side if voting made low effort and truly remote and anonymous then it's will degrade people's involvment in process even more.
PS: Good podcast episode about how social networks decrease people's involvment in real world politics:
You counting some tiny subset of the votes is not an audit.
There is not a single person on earth who could audit an entire federal election on their own. There are multitude people because you need multitude people.
I could audit an election in the blockchain tomorrow.
> You counting some tiny subset of the votes is not an audit.
We, it actually is. Audits serve to verify the results from one or more constituencies. Unless you somehow believe that each and every constituency has bee tampered with, you focus your attention onto the "tiny subset" that you deemed questionable.
> There is not a single person on earth who could audit an entire federal election on their own. There are multitude people because you need multitude people.
I don't understand why you feel that's relevant. An election involves public participation, and the goal is to ensure the public that the process is fair and reliable. If enough people find that the results are not reliable in any way then they are able to verify it themselves. If however only half a dozen voters in a universe of a few hundred thousand voters disagree with the result, and the vast majority of the electorate doesn't agree with the half dozen sceptics, then where's the value in it?
I mean, this whole hypothetical scenario relies on the assumption that a party/candidate that has a sizeable support is somehow not able or interested in verifying election results, but a single isolated individual is?
> If enough people find that the results are not reliable in any way then they are able to verify it themselves
The whole point is that they can't. They need to rely on other people to verify the results. They cannot "verify it themselves".
> hypothetical scenario relies on
The hypothetical scenario relies on wanting the benefits of digital voting (of which there are many) without the major downside (of which there is one). A publicly verifiable ledger gives you the benefits of digital without the major downside, which is that generally with anything digital you can commit fraud at scale.
> I could audit an election in the blockchain tomorrow.
No, you could confirm that a set of electronic records was internally consistent. That is only a small part of an election audit: you'd also need to confirm that only eligible voters voted a single time each and that their vote was recorded the way they intended.
Needing a multitude of people is a security advantage of the current system: it means that any attempts at cheating need a ton of people, from both parties and the local government, to collude together because there's no way to automate changing thousands of paper ballots and the corresponding seals — the real world doesn't have an “UPDATE votes SET …” shortcut.
Contrast that with a blockchain system: when it's challenged, you're in one of two situations. If all you have are electronic records, you've just reinvented the Diebold scandals of the 2000s where you're trying to assess how much you can believe that a complex software system does not contain a bug or exploitable flaw because there's no solid proof. If you use voter-validated paper ballots, you do a standard hand recount — and you don't need a blockchain at all because the thing providing security is the robust well-tested paper balloting system.
Although I agree with much of the thrust of your comment, and especially that complexity is best understood as a sacrifice of trust, I don't fully understand your qualm with respect to the difficulty of this particular type of audit.
The paper ballot is like counting with an abacus: you need to actually witness the proceeding to be able to verify the accuracy of the result.
A vote on a public ledger is easy to verify, even with an extremely rudimentary understanding of the technology, and the verification can be performed at any time in posterity.
A big problem with verification is that with it one needs to prove that the vote had come from a legitimate voter and that he had not voted at most once. If the proof for legitimacy is not part of the vote it may have been just inserted by the system.
> With paper voting, anyone who can count can participate in a recount or audit.
Auditing is generally impossible with paper voting.
Not in principle, but it is incompatible in principle with anonymous ballots. When an explicit goal of the system is that it's impossible to answer the question "where did this come from?", an audit is dead before it starts.
What would you think of an "audit" of a company that concluded, in full, "they have $15,000,000 of assets"?
Anonymous ballots by their nature cannot be distinguished from fraudulent ballots. You can't verify that a particular ballot was ever cast, only that you have it now. You also can't verify that a ballot that was genuinely cast was cast by the same person listed on the voter roll.
> Electoral roll exist, counting of people voted vs total number of ballots per area is possible, etc.
Lyndon Johnson probably committed election fraud. There was no problem with the number of ballots. There was no problem with the electoral rolls. Vote counting is of course not an instantaneous process. It did happen that some votes for Johnson were discovered late. And it's interesting to note that the voters who cast them voted in alphabetical order. But that could be a coincidence.
What if they'd voted in a different order, by a less lopsided margin? How would you audit the ballots?
> Exit polls also exist.
Considering the most recent news about exit polls is "they're diverging from the actual results and we aren't sure why", this isn't a very strong point.
> You can't verify that a particular ballot was ever cast, only that you have it now. You also can't verify that a ballot that was genuinely cast was cast by the same person listed on the voter roll.
There’s only one part of this which isn’t wrong. You can verify that the ballots were given to registered voters at a particular polling station where they were sealed, transported securely, and tallied without the seals being broken – these days, all with video surveillance except for the actual person filling out the ballot. The current system does that with a mix of bipartisan volunteers and government workers, making it hard to tamper with unless you have a truly massive conspiracy which manages to avoid revealing any trace of its existence.
The only thing you can’t do is say that person A voted for candidate B, because that would guarantee attempts at coercion.
> You can verify that the ballots were given to registered voters at a particular polling station where they were sealed, transported securely, and tallied without the seals being broken – these days, all with video surveillance except for the actual person filling out the ballot.
This is not even a requirement of a legitimate ballot. How are you supposed to "verify" something that isn't true?
What part do you not think is true? What I described is the common situation in the United States where you have observers confirming that people are checked against the voter registration lists, the ballots are collected in sealed boxes, transported securely, etc. At every stage they verify seals so they can confirm that while they don't know _how_ you voted there's no serious question that the ballot being tallied is the one you dropped in the box at your polling station.
This is one of the major reasons why all of those election lawsuits failed: an alleged tampering scheme would need hundreds of people altering many thousands of records, and it would need to involve members of both parties and city employees without leaking any trace of its existence. One very nice property of physical seals and paper ballots is that you can't alter them without doing a lot of manual work which would obviously be different from normal activities. The conspiracy theorists tried but they couldn't come up with a remotely plausible way that people could have been shifting truck-loads of ballots around in perfect secrecy.
A ballot need not be given to a voter at a polling station. There is no such requirement, and in fact this is not true of many ballots. They can be received elsewhere and filled out elsewhere.
I will be the odd one out, but I am not sold on the idea of blockchain. Unless something has changed radically, blockchain depends on trusting the entities that host the ledgers. Creating shell organizations that appear to be separate entities is one of the oldest cons. For me blockchain adds nothing but complexity and greater risk of obfuscation and deception.
For me a better system would be something closer to the certificate transparency system. There should be a way I can match something I know + something I hold to a cryptographic log entry that is publicly available but not reversable to my identity. If I dispute my vote record, I can challenge it using my secret information and quickly expose that my votes were tampered with.
All of that said, our current systems are possibly the worst convoluted highly-hackable-by-design systems. Engineers have testified before congress that they were told to make them weak intentionally. This just leads to engineers being silenced. Pen-testers get in trouble for exposing these systems being intentionally weak. It feels like this is the desired end-state as it just keeps happening.
> If I dispute my vote record, I can challenge it using my secret information and quickly expose that my votes were tampered with.
How can a legitimate challenge be distinguished from one by malicious actors who want to nullify the election even though their votes were counted correctly?
Because this isn't a count. This is a signature that can be verified with my data as my entry along with a series of hex codes that represent each voting item and selection. A tiny python script could be used in conjunction with the key material to quickly see if the public record has parity. Any citizen can verify their data. If even one record has been tampered with, an audit is invoked.
This is a great point. Often this issue is not raised due to necessity of coercion resistance which prevents voters to prove how they voted.
In absence of such requirement voters may as well be able to issue a message which invalidates the vote and can be collected by a third party. Then the invalid votes tallied collectively could be used as legitimate reason for nullifying election result.
Were we willing to give up the secret ballot we could vote online trivially with any device with the benefit of a hardware token to prove your identity. We could then publish the results of everyone's vote with the help of a plain Jane web server and database and verify the integrity of the election by polling a random sample of people to ensure their published vote matched their vote while allowing anyone who wants to change their vote prior to certification to do so.
Results at certification would be in exact accord with the people's votes it would also be massively corrupted by undue influence of ones neighbors, family, employers, spiritual leaders, anyone with the money to buy votes, and so forth.
I do not understand how we could maintain a secret ballot and rely on a public registry of votes even if turning public vote into actual results required a secret. I also don't understand how the public could be sure that such results weren't silently corrupted even if it could in theory work.
All "blockchain voting" ideas miss the real threat model: Who issues the ballots, and how can you possibly know that Sybil has not been issued many?
No blockchain is going to solve this. Not ETH, and not Altman's Eye scanning surveillance coin.
At best a blockchain voting system can be used to audit that your own vote has not been tampered with, but you cannot possibly know who every other voter is to assert that Sybil has not voted more than once.
One of the most common faulty belief in voting system proposals including those considered in the article is that it is that it is fine to trust elite that the system is working as specified. This assumption goes long before any cryptography were considered and is just more elaborate version of Edison's voting machine.
Newer designs have recognized the need to prevent authority to know who voted for what. However in doing so they do obstruct the evidence that a legitimate voter had voted at most once. Often the evidence includes either to trust the system or officials with confidential access who can audit the system which can be meaningful if the system is software independent. However then we are left with problem that auditors may collude... In the end the system is very expensive to maintain and ironically state elections have been more expensive than voting with a paper ballot schemes.
The net result is that elections electronic voting systems are equivalent to a single ballot box which is supervised by a small elite. The electronic part just have made it possible. In this absurd reality we may as well substitute elections with taking surveys.
> A blockchain is also a k-of-n trust model; it requires at least half of miners or proof of stake validators to be following the protocol, and if that assumption fails that often results in a "51% attack". So why is a blockchain better than a special purpose bulletin board? The answer is: setting up a k-of-n system that's actually trusted is hard, and blockchains are the only system that has already solved it, and at scale. Suppose that some government announced that it was making a voting system, and provided a list of 15 local organizations and universities that would be running a special-purpose bulletin board. How would you, as an outside observer, know that the government didn't just choose those 15 organizations from a list of 1000 based on their willingness to secretly collude with an intelligence agency?
just admitting you have the same problem then trying to brush past it doesn't work. why on earth would intelligence agencies allow anyone but groups they can influence or outright control to be miners and why should anyone trust that this isn't the state of the system?
you're solving the wrong problem. you can't technology your way out of political problems: those still need to be hashed out between people.
“My answer is simple: voting would become much more efficient, allowing us to do it much more often.”
This here is (I think) the key to fixing democracy. If the citizens can vote on not just the leaders, but every long-term decision faced by the country, then we’d see people become far more invested, and much less likely to divide on party lines that are essentially grey areas anyway.
Maybe, but remember we’re not talking about making people show up.
What I’m imagining is a bit of a utopia, but:
- Voting from a personal device that every citizen can use problem-free, no matter where they are
- Clear language about what the choices are, and what will be affected
- Open and available clear-language information for people who choose to dig deeper
- Ways to discuss the pros and cons without being subject to scrutiny or chilling effects
Yes people could still get fatigued. But I suspect much less so than they are by a vote that happens every 4 years and does not let them participate in the stuff that moves fast.
> Voting from a personal device that every citizen can use problem-free, no matter where they are
Which means there would be no protections against vote coercion or vote buying.
> But I suspect much less so than they are by a vote that happens every 4 years and does not let them participate in the stuff that moves fast.
The problem is that there's so much of politics that moves fast, but is also incredibly boring and irrelevant for the vast majority. The whole point of representative democracy is that we elect representatives that have the same values as we do, and then we let them deal with all the boring crap so that we don't have to.
The mistake you're making is assuming that everyone would be equally interested in every single issue that came up for a public vote, and that is just simply not the case. Just look at California that often have referendums on the ballot, and what an incredible shit-show those usually are.
“Which means there would be no protections against vote coercion or vote buying.”
Yes, definite potential issues here. Again: I’m imagining a utopia (where there is no corruption of individual voters)
“... incredibly boring and irrelevant for the vast majority”
It’s clear that an overwhelming percentage of politics is intentionally uninteresting to the public. Parties battling through intentional bureaucratic stalling, thousands of hours put in to adding loopholes that are designed to be exploited for personal gain, reams and reams of information designed to hide a simple “I don’t know”, and so-on.
If we truly were in a utopia, the choices left would be straightforward, manageable, and in less volume over time.
“The mistake you're making is assuming that everyone would be equally interested in every single issue that came up for a public vote, and that is just simply not the case.”
Kind of. Even if 70% vote in each issue, and it’s a different 70% each time, that’s a huge upgrade.
“The mistake you're making is assuming that everyone would be equally interested in every single issue that came up for a public vote”
I disagree with your take on it. It’s just as valid to say that the mistake you are making is assuming that people would be more jaded and hopeless than they are now.
I started reading the article with a pitchfork in my hand ready to shout "BUT THE 51% ATTACK", only to be very slowly disarmed by a very reasonable argument.
That being said, I still share the sentiment of some of the commenters here, whereas the complexity of the operation has the potential to derail the whole democratic process.
Even with paper ballots, the U.S.A already has almost half of its voters going into frenzies about how the "process" cannot be trusted. That is, the process of reading check-marks on a paper and tallying the ballots, which is almost primitive compared to the protocols the article is suggesting.
If we were to use a complex suite of protocols, we could easily have another "vaccine" situation, where again almost half of the U.S.A. don't want to get the vaccine because it's "too complex to know if it's safe" (despite the basic building blocks of it being understood and having almost universal use).
I do wish I could vote from my phone, or from my computer though. That would be awesome.
112 comments
[ 0.29 ms ] story [ 177 ms ] threadThe informed might now become fully aware of all the limitations and problems with it which might cause them to swing too far the other way, in contrast to their previous optimism.
At the same time, however, being aware of these limitations hasn't become mainstream, so the uninformed have to go off of other information - marketing materials and hand wavy explanations of how blockchain will eventually be good for a large variety of problems.
The truth probably lies somewhere in the middle, as it has with most technologies.
In the 1789 French revolution, they did try having votes to try to get more and more government officials elected after the overthrow of the ancien regime, but the votes were so frequent that people stopped showing up and the elections became barely legitimate.
Other than that, software elections are prime for tampering, and even if they are determined to be secure by experts, suddenly the mechanisms of democracy are opaque to the masses and become untrustworthy. Making votes less understandable de-legitimizes them.
Lastly, the reason for the ossification of American democracy is due to the fundamental oligarchical design of the 1787 constitution that explicitly saw mass politics as mob rule and feared it. They designed the branches of government as a series of baffles to counter popular sway over policy making, hence a Presidency that requires a vote so large they are responsible to no one in particular (though originally they were elected indirectly by electors), a Senate that was indirectly elected and designed to void popular proposals coming from the house, and a supreme court with lifetime terms that are totally unelected. As an aside, their theory of the separation of powers was that the elites would be mostly in agreement on fundamental issues and fight over control of the branches of government. They were in large part wrong, factions of opposing interests developed and managed to capture the entire government in cycles (so we are living in an edge failure case of the original design).
This system, plus the domination of the economy by wealthy interests, first the slave owning planter class and later the capitalist corporate class, prevents and subverts popular democracy at every turn except where the public's preferences coincide with the real rulers.
Voting is simply a preference expressed to the rulers. It doesn't in any way carry a mechanism for enforcement and enactment and is highly susceptible to all kinds of manipulation, especially when voters are individualized and do not deliberate in organizations and vote in blocks.
If you want your voice heard, take to the streets and/or join an independent party that include non-electoral tactics such as strikes.
The reason to believe it can't happen is that it hasn't. like factoring large numbers.
I will say, it's a bit funny that Buterin's thesis is "voting would become much more efficient, allowing us to do it much more often." This is just printed as apriori true (and good -- at least in a societal sense), but our democracy (at least in the States) is representative. In my heart of hearts, I'd love to believe that a direct democracy is the "best" form of government -- tangentially, this is the argument of most DAOs. Unfortunately, I just don't think this is true. Most people are dumb, easily manipulated (not coerced, as Buterin belabors). Dumb people voting all the time is a recipe for disaster.
W. E. B. Du Bois makes a great case for this in his The Talented Tenth[1].
[1] https://en.wikipedia.org/wiki/The_Talented_Tenth
I don't think he's arguing that voting for a presidential election should be done all the time, but you can use this mechanism for voting on things that would be unfeasible to vote on with paper ballots. Local issues that can be voted by the whole citizenry instead of just a city council. Instead of voting for people that can make decisions for you, you can make those decisions yourself alongside all others who are interested. It seems like a pretty democratic idea to me.
The issue is that the results of major elections have truly massive economic consequences.
A president of the US has a powerful say over trillions of dollars in funding.
Meanwhile, total mining revenue for something like Bitcoin is "only" $18 billion per year.
The way I'm thinking this can work is having an organization (the tallier) that creates ledgers for a particular vote (ie, a specific question being asked: Should our city allow construction on Lot A1?)
The "voter" can submit a request to participate in this vote in an "enrollment" step. The success of this process leaves the voter with a public/private key that is known to the "tallier" (the public part) and allowed to vote but is not a direct way of identifying the "voter".
In the voting period, the above key can be used by the voter to cast a ballot (a yes or a no in the example), the payload of the vote can not be decrypted unless you are the tallier, from the outside you can only see that a particular key has cast a ballot.
The tallier can see that one of the enrolled keys has cast the ballot, it decrypts the vote and adds it to the tally.
Once the voting ends, the tally is finalized and the ledger is closed and archived.
Why does this require blockchain ledgers, you might ask. Because the information in the ledgers, the voting one and the enrollment one need to be public and at the same time tamper proof. If there's another technology that can offer that, maybe it should also be a candidate, but personally I haven't researched enough to know of one. :)
I grant you that the topic of how a voter is allowed to vote is not discussed properly in the article, but I don't see that the assumption is made off hand that you need to own BTC or ETH to do so.
My own interpretation of this is that such a voting ledger would be free to participate in and interacting with and, it would be regulated by some mechanism of enrollment based on electronic identification.
Someone else said that a git repository can be used for a subset of this mechanism also, and I agree mostly agree.
So probably a crypto ledger is not the only way to implement a transparent method of electronic voting, but it has a lot of the properties that are required for it.
Transparency is also problematic for voting records since votes need to be private to prevent coercion. The fact that I don't know how you voted is a security feature that prevents me from threatening you to vote a certain way.
And once you've watered down blockchain to mean 'git' then its lost most of its meaning. And why do you need a merkle tree in that case? Why does your data need to branch? Why do you need diffs? Why do you need anything more than a table full of votes?
You could do some kind of cyrptographic signing of votes so that it established a cert chain for a given vote, but hid the identity other than perhaps zip code, so then it was auditable that the CA had signed a given number of certs from a zipcode and that a given number of votes had been received from each zipcode so that it was auditable that way, while producing public voting results at a geographical granularity (zipcodes with very small numbers of people might still be a problem). But none of that requires what we consider to be blockchain crypto in this day. You don't even need git, you just need a PKI and some old school 90s era cryptography and a database.
Votes need be private only in as much as who is the voter, I replied in post #28976010 with how this would be handled, but the basics would be that there's not a direct way of linking a voter with their public vote.
The merkle tree is needed for the same reason as in git, to have a well defined relationship between votes. Branching is for having multiple vote items in the same ledger. Diffs are for auditing.
I'm not saying that a blockchain ledger is the definite technology for storing this kind of information, but to me it looks like it has a lot more desired properties than a database.
In the end you need blockchain technology to have a chance to sell this to people. If you bundle a certificate authority and a postgres database with a crud interface nobody will be excited by it.
The first iteration of this type of software needs not be perfect, it needs not be used for electing the president of the Universe, it is fine if a company uses it for selecting the color of wallpaper for the break room. We need to start doing things in this direction, because the world is getting bigger and the populations grow bigger and paper ballots won't scale forever, and most importantly it could lower the effort for participating in elections to the level that politics can be reimagined into something that resembles a democracy better.
[edit: sorry for the pathetic last part, but I feel pretty strongly about this]
If the model of an electronic vote relies on individual keys having cast votes (following something like a vote enrollment), the attacker will have to spoof all those keys for the result to look authentic and at the same time be malicious.
Depending on how those "keys" have been generated in the enrollment, this could be difficult to scale. The most basic premise would be that the "tallier" and the voter create this key together, and once committed to the ledger can't be tampered with by any of them. A vote must be signed with this key. The voter can override their vote at any time while the election runs. (This is something that I'm paraphrasing from the article actually)
This does not scale as it requires a malicious actor to hijack enrollment and voting for a large number of voters. If enrollment is being done based on a physical device (eg, electronic ID card) it's even less so.
I will never trust voting machines that do not print and store a paper ballot. But it's practically impossible to change or remove votes with a machine that does store them.
Once the votes are recorded (on paper), you only need to do two things:
You can also spot-audit or fully audit the results to ensure that the tallies for individual candidates match between paper and electronic tallies.> But voting also requires some crucial properties that blockchains do not provide:
> Privacy: you should not be able to tell which candidate some specific voted for, or even if they voted at all
While the content of the ballot is sacred, the act of participating in the election cannot be.
The pollbook is a database, with all of the security and maintenance hassle a database implies.
As an election officer and ballot Luddite, I also think that elections argue for lower tech in the case of the ballots.
Tech is swell (reponding on a a Galaxy Note 10+ here) but tangible ballots seem a hedge against shenanigans that no multi-page mathematical proof of block-chainy grooviness can penetrate.
Here are some simple questions:
1. What are you trying to protect in a vote?
2. Why can't an SQL database with whatever levels of cryptographic assurance you'd like to add do the job?
3. What does a blockchain add to (2) that no other technology does, regardless of cost?
These questions are never answered, and indeed they are not answered here either. Instead, these articles lead with technology and rarely get around to what matters.
Often there's something like this included in the article:
> Blockchains are a technology which is all about providing guarantees about process integrity. If a process is run on a blockchain, the process is guaranteed to run according to some pre-agreed code and provide the correct output. No one can prevent the execution, no one can tamper with the execution, and no one can censor and block any users' inputs from being processed.
No. A block chain is a timestamping mechanism. Within certain very narrow boundaries, it makes certain guarantees about the relative ordering of events. A tamper-resistant log file? Yes. A solution to voting? Does that involve relative event ordering? If so, is that the central problem?
Electronic cash systems like Bitcoin will work work just fine without a blockchain, provided they can solve the double spending problem. Bitcoin solved it with a system for ordering transactions based on proof-of-work. There are other solutions, but all suffer from censorship pressures in ways that Bitcoin does not.
Not defending blockchain, but this seems like an absurdly high standard. To me, the cost of a technology is definitely one factor in evaluating what is better or worse for solving a given problem.
In particular, in this case the question I'd be asking is “how is this better than PKI?” because that can do the job with multiple orders of magnitude less overhead and would be suitable for use in scenarios with limited bandwidth or which are completely offline, which is realistic for voting.
Why do you want to use a public blockchain? Well, they try to explain that.... try.
"So why is a blockchain better than a special purpose bulletin board? The answer is: setting up a k-of-n system that's actually trusted is hard, and blockchains are the only system that has already solved it, and at scale. Suppose that some government announced that it was making a voting system, and provided a list of 15 local organizations and universities that would be running a special-purpose bulletin board. How would you, as an outside observer, know that the government didn't just choose those 15 organizations from a list of 1000 based on their willingness to secretly collude with an intelligence agency?
Public blockchains, on the other hand, have permissionless economic consensus mechanisms (proof of work or proof of stake) that anyone can participate in, and they have an existing diverse and highly incentivized infrastructure of block explorers, exchanges and other watching nodes to constantly verify in real time that nothing bad is going on."
"anyone can participate in" is absolutely hilarious in this context. It's true, in the sense that pretty much anybody can buy a few kilograms of gold- if they have the money. Proof of stake is the most obvious here, because it's literally "the more money you have the more power you have"- there's SOME argument that this makes sense when the decisions made by stakers directly relate to the value of Ether, the idea being "rich person won't try to manipulate consensus, because that would make them much less rich" (especially if they actually get slashed). i.e. they have a stake in keeping consensus fair. But doing real-world elections breaks this entirely. Proof of work functions similarly, just indirectly, and also while spewing CO2 into the air and sucking down semiconductor manufacturing capability.
Now, a common answer is "well, yes, but we could detect that manipulation happened after the fact, and then re-hold the election or whatever, possibly slashing malicious validators if we can somehow encode that into the protocol at a lower layer". Congratulations, you've figured out why blockchains are useless here. The actual security comes from being able to detect fraud- and a single Merkle root published by the government per election (and signed, so any forks could be immediately detected and proven bad).
In other words, you want Certificate Transparency, not Ethereum. CT solves exactly the problem Ethereum tries to solve here, and does it much better, and without the obvious conflict of interest cryptocurrency voting advocates have (that if a government did use, say, Ethereum for elections, it'd drive the price way up, so anybody advocating that who also holds Ether has a bit of a credibility problem right out of the gate!)
And this is all predicated on cryptographic voting being a good idea in the first place - in the short term, it's just not. You can verify the protocol, but you can't verify the endpoint- are people going to vote on their own devices? Just wait til the first claims (justified or not) that a major botnet flipped votes undetectably (and coercion-resistance guarantees that it really can be done undetectably). Or maybe on voting machines like we have today? Take a look at what happened to Dominion last cycle- so much for making elections more trustworthy.
Paper is actually incredibly useful here, because it doesn't run code and everybody knows it. (You could say "oh this CPU has all its code in mask ROM and the code is formally verified" and maybe I c...
You choose to trust the humans more, which is fine, but applications (or why not) devices with a well defined audit trail that they're doing what they're supposed to do are equally trust worthy (at least for me).
> 3. What does a blockchain add to (2) that no other technology does, regardless of cost?
I'll preface this by saying that I'm not a blockchain expert, but from the comfort of my own armchair I consider that the main benefit over a regular SQL database is the fact that you don't need to make it secret and protect it.
There might be other methods for storing a well-ordered list of events in a difficult to tamper with but at the same time public repository, but I don't know of any.
What are you needing to make secret or protect?
> There might be other methods for storing a well-ordered list of events in a difficult to tamper with but at the same time public repository, but I don't know of any.
Look at all the repositories up on github that are doing exactly this. I don't know why you would need to store voting results as well-ordered, but if you wanted to it's easily possible.
It's like confating good statistical methods with marginal use cases for the techniques.
You could convince a person who doesn't know how to read that paper ballots are a working system (vote box is empty; votes go into box; box is emptied and all votes tallied). Only a small fraction of society could be convinced of the correctness of the tallying scheme in Fig. 2.
You could argue that there are a lot of facets of modern society that the average citizen doesn't understand the details of, but voting is the cornerstone of democracy. Public trust in the voting system is crucial. The only way to reliably achieve that is through an understandable system, and so far the only understandable voting system I've seen is paper ballots.
That's a great point, and quite understated. However, perhaps the key factor is not complexity itself, but being able to be trustworthy and transparent enough to ensure that the whole process is unquestionably fair.
If anything, recent events demonstrate that, even if elections are free and fair, electoral systems can and will be attacked with the goal of casting doubt on the outcome to try to subvert its results. Any part of an electoral system that relies on non-trivial processes that are not easy to explain, understand, or verify is a part of the process whose credibility can and will be attacked.
But all of that, every single crazy piece of it, is completely irrelevant, because at the end of the day there exists a collection of paper ballots that represent how people voted in the election. Anyone can count and recount those ballots to their hearts content, and doing so is incredibly simple. You just divide the ballots into piles according to what their vote is for, and then you count the size of the piles.
Anyone can do that. Children can do that. Senior citizens can do that. No technology required, no technological understanding is required, and no technological bullshittery can cast uncertainty on the result, as the Arizona fraudit hilariously discovered when they divided the paper ballots into piles and counted them and got the same result as before.
The way to solve the problem of untrustworthy technology is not to have some geniuses come up with a bulletproof crypto-secure blockchain buzzword voting scheme that us mere nerds can understand after having it explained to us. The solution is to remove technology completely from the equation, and paper ballots and envelopes and urns are the way to do that.
Seems a little less outlandish than the idea that there was some vast conspiracy involving Trump and Putin to hack the previous election, but I guess that's not a high bar.
i fill out my slip and i run it through the red machine, the blue machine and the county machine. they all display a hash/sum of the total counts thus far, i verify each machine has the same thing on its display, i put my paper into the lockbox at the end and done. then when the election is over, the counts agree or they don't, and if they don't there's a big public rescanning.
of course the big threat is coercion. if one of the parties put a camera on their machine that sees me put my slip in, or they're counting ballot sequences, they can match my vote to my identity... but... since each party has representatives present to watch over their machines, they also can also check the machines of each other for those sorts of things. (ops and election watching become one and the same)
it would just be cheap document cameras and socs with open source software. totally doable, i think. you could even have like, different hardware architectures for each group if you wanted to protect against nationstate level hardware attacks.
also, i'm sure there are things in that rich literature of voting crypto that could also help with obscuring voter identity... but hey, this would be a good start.
it's not blockchain, but it takes one of the biggest ideas from cryptocurrency, i think. (double/triple entry accounting)
although, of course, there is no technical fix for someone who trolls the process if they don't get what they want. i do think there's value in making it feel a lot more like there's less blind trust in times of contentious elections though. maybe it would just be theater and not really achieve much more than what we have today in terms of real security, but if by showing realtime hashes of the counts that agree as a voter scans their votes in each machine, especially if one of those machines is operated by people they trust, increases trust in the process, then it seems a great net win.
As noted elsewhere, election fraud with paper doesn’t scale well. With software, it might (depending on implementation).
I see a lot of potencial, but so far only real use I see is crypto being good financial system replacement for people living in failed state / authoritarian regimes. It's enough to justify it's existence, but who suppose to want web3-powered tech in countries with working law? And why?
1. What's the barrier to using your app? Past experience suggests that large numbers of people will drop off as difficulty ramps up unless you're either giving away money or gate-keeping something people have to use (e.g. your insurance company's signup process can be terrible up to the point that you switch).
2. Who handles impersonation? (e.g. how do you keep someone from making the news by registering “donaldjtrump” and posting something?)
3. Who handles user error or compromise? e.g. if my phone or laptop is stolen, how screwed am I?
2. Impersonation depends on the application in question. It is a subject with a lot of attention, and I've seen varying proposed solutions for "proof of uniqueness". This is a good jumping off point imo: https://www.microsoft.com/en-us/security/business/identity-a...
3. This is where things diverge sharply from "web2". There is no "forgot password" or support infrastructure that can come to the rescue. At this current moment you are screwed. But there are some promising ideas that could address this - look into "social recovery".
Should an election be called into question, suddenly the public must rely on only a handful of oracles that can interpret the votes and assure everyone that everything is fine because of "crypto" and "blockchains".
With paper voting, anyone who can count can participate in a recount or audit. In comparison, there are multitudes more experts who can audit an election via paper votes.
> Over the long term, insisting on paper permanently would be a huge handicap to our ability to make voting better. One vote per N years is a 250-year-old form of democracy, and we can have much better democracy if voting were much more convenient and simpler, so that we could do it much more often.
I'm not willing to sacrifice trust and the easy ability to verify elections, or hand control of democracy over to technologists, just so we can vote via apps on our phones.
What!? There are 40 M developers worldwide. If you're developer, you can definitely learn how to read a public database. Faking results on a public database is IMPOSSIBLE.
You mean as opposed to the current system that so many people understand and audit?
Yes, we already have a trust problem with one of the simplest methods of voting, and the implication is that mathematical obfuscation via cryptography and blockchains can make the trust problem even worse.
And how did all that work out for public trust in elections?
The problem here is that, even if you personally can go validate your local election, anyone can just claim the fraud was somewhere else. A cryptographic voting system allows any citizen to validate the entire election. The value of this is very significant. Right now a right wing website can just claim say, the CA elections were riddled with fraud. The only way to even approach "disproving" that is to request data from the city/state officials...who those people do not trust in the first place. A publicly auditable voting system would short circuit all of those issues.
It doesn't need to be interpretable to every single person. What it does need to have is no specific plausible fraud narrative. Right now Trump et al can simply claim ballot stuffing, or any number of other kinds of fraud. Disproving that requires access to records that most people cannot obtain, and so the narrative can retain credibility for those disposed to believing it.
It's true that most people will not understand the cryptography underlying an auditable voting system, but they don't need to. In order for someone to implant a fraud narrative, they will need to come up with an explanation for how the fraud occurred. Once they do that, it will be relatively straightforward to debunk those narratives in a clear way, that, critically, does not rely on faith in trusted third parties.
Really? Think about what we saw when the Republicans tried to claim the 2020 election was rigged and ask how a massively complex distributed system would change that.
When someone argues that fake or dead people voted, the blockchain doesn’t help – you can show transactions but that doesn’t and cannot show that they were made by people who were eligible voters, and privacy makes it important that this never change. This is the same reason why blockchain systems like supply chain management fail: if you trust a third-party, you don’t need a blockchain. If you don’t, layering overhead on top won’t change that.
Similarly, I really don’t see how the argument that people don’t need to understand cryptography to trust the system. You’re talking a massive, complex software system run in thousands of locations and, as we’ve seen, absence of evidence will simply be cited as proof that people covered their tracks well. Look at how many people believed conspiracies based on the hex gibberish or Windows security settings which various Trump acolytes were pushing — they had no trouble coming up with explanations which many people believe long after the subsequent debunkings.
The underlying problem is that a blockchain system still depends on trusted third parties. You need to verify that someone is eligible to vote and that their vote was accurately recorded. Think about all of the claims over the years about machines recording votes for a different candidate than the user selected, moving buttons right before someone clicked, etc. – there’s no way to solve that by adding more software. Did a bunch of people get bused in to vote for someone else? A blockchain cannot solve that – you need a trusted third party, and calling them an oracle doesn’t mean that’s not what they are.
What does work is the current system: the fact that bipartisan witnesses watched people being checked against voter rolls, paper being counted, and recounted, etc. meant that most people accepted the results. It’s not perfect but it works well and the fact that it’s distributed means that flaws or cheating don’t scale the way a digital system would.
The danger we face now is from ideologues perjuring themselves, and a blockchain won’t change that because the problem is that they don’t want to accept the results and are actively trying to subvert the system. A blockchain won’t help with the new rules being put into place to allow political interference or suppress voters, but it will distract from the things which might.
A massively complex system that can be validated from a single point. That is the key component.
> When someone argues that fake or dead people voted, the blockchain doesn’t help – you can show transactions but that doesn’t and cannot show that they were made by people who were eligible voters, and privacy makes it important that this never change. This is the same reason why blockchain systems like supply chain management fail: if you trust a third-party, you don’t need a blockchain. If you don’t, layering overhead on top won’t change that.
Sure, the fact that it does not solve every problem does not mean it isn't a viable improvement. It solves a large class of trust problems in elections, and is orthogonal to the remaining ones.
> The underlying problem is that a blockchain system still depends on trusted third parties. You need to verify that someone is eligible to vote and that their vote was accurately recorded. Think about all of the claims over the years about machines recording votes for a different candidate than the user selected, moving buttons right before someone clicked, etc. – there’s no way to solve that by adding more software. Did a bunch of people get bused in to vote for someone else? A blockchain cannot solve that – you need a trusted third party, and calling them an oracle doesn’t mean that’s not what they are.
This is not necessarily the case. Cryptographic tokens can be issued to eligible voters. Yes, you still need to trust that the issuing authority is legitimate. But that is much easier to validate. Anyone who feels they are eligible but didn't receive one can say so. Anyone who did receive one can validate that their vote was counted.
> What does work is the current system: the fact that bipartisan witnesses watched people being checked against voter rolls, paper being counted, and recounted, etc. meant that most people accepted the results. It’s not perfect but it works well and the fact that it’s distributed means that flaws or cheating don’t scale the way a digital system would.
Right, but that relies on people in Texas trusting people in California - an inherently unstable system. Allowing the entire thing to be validated from the center is a massive improvement.
Can you explain which problems you believe this solves, in detail? It's categorically untrue to say that it can be validated from a single point and I think that's the key gap in these solutions: voting involves people and that happens outside of what a software system can see. You can deploy a VC's dream of ineffective technologies and you'd have made no progress on the core question of whether the votes you tallied were cast by legitimate voters and recorded as they intended.
> This is not necessarily the case. Cryptographic tokens can be issued to eligible voters. Yes, you still need to trust that the issuing authority is legitimate. But that is much easier to validate. Anyone who feels they are eligible but didn't receive one can say so. Anyone who did receive one can validate that their vote was counted.
This adds new problems: if this uniquely identifies the person and their vote, your boss, union, pastor, etc. can demand that you show them you voted the way they wanted to. If it doesn't, you have the problem that it's very hard to disprove claims that a vote wasn't recorded correctly by the system or that someone ineligible was allowed to vote. Doing it cryptographically means that your system is now far more brittle and people have to trust a complex software stack which statistically nobody can audit as opposed to simple, robust paper ballots which can be understood by grade school children.
> Right, but that relies on people in Texas trusting people in California - an inherently unstable system. Allowing the entire thing to be validated from the center is a massive improvement.
How does a blockchain change this? Texans are still going to claim that people in California shouldn't have been allowed to vote for the other party — they'll change the lies they're telling from saying that people are sneaking in bags of ballots to, say, claiming that the voting machines changed votes after recording them, people who weren't supposed to be eligible were allowed to vote, etc. A blockchain won't solve any of the complaints we saw about, for example, dead people voting — that takes local authorities on the ground, all over.
I mean a system in which each eligible citizen receives a cryptographic token. They use that cryptographic token to vote. At the end of the tallying process, the government publishes a cryptographic object, that allows every individual to compare their token to it and validate that the vote of their token was counted, and counted correctly.
This can be accomplished without facilitating vote buying by displaying a message to the voter at the time they input their vote, inside the voting booth. Without that message, you can validate that your vote was counted, but not who it was counted for. With that message, again visible only in the booth, you may validate who it was counted towards.
This does not mitigate the problem of validating eligibility. It does mitigate the problem of accurate counting of votes cast.
> This adds new problems: if this uniquely identifies the person and their vote, your boss, union, pastor, etc. can demand that you show them you voted the way they wanted to. If it doesn't, you have the problem that it's very hard to disprove claims that a vote wasn't recorded correctly by the system or that someone ineligible was allowed to vote. Doing it cryptographically means that your system is now far more brittle and people have to trust a complex software stack which statistically nobody can audit as opposed to simple, robust paper ballots which can be understood by grade school children.
Right, you need a blinding solution such that the information required to prove direction of vote is visible only in a secret, ephemeral context (e.g. voting booth). There are complete proposals with this feature, I believe.
> How does a blockchain change this? Texans are still going to claim that people in California shouldn't have been allowed to vote for the other party — they'll change the lies they're telling from saying that people are sneaking in bags of ballots to, say, claiming that the voting machines changed votes after recording them, people who weren't supposed to be eligible were allowed to vote, etc. A blockchain won't solve any of the complaints we saw about, for example, dead people voting — that takes local authorities on the ground, all over.
The blockchain piece isn't particularly important. I think merkle-tree like cryptographic objects can be useful in validating systems like this efficiently, but they are not necessarily an essential feature.
You're right that Texans may still claim that ineligible Californians voted. A cryptographic system does not address the problem of validating eligibility, that is outside its scope. It addresses the problem of accurate, verifiable tallying. So that there are no viable stories of ballots being thrown out or otherwise miscounted.
...by nerds.
Which is the entire problem of any kind of digital voting. It's not enough that some people can validate it, everyone has to be able to do it. It's not ok that you need to understand computer science to be able to do it.
Obfuscating the election results with a cryptographic framework that only PhDs understand (which incidentally, they trust even less than the under-educated) would be a disaster. It would provide the kooks and charlatans with more than enough fodder for all manner of conspiracies. I can just imagine them grepping the blockchain for "666" now...
The current system is trivial to explain, understand, and more importantly audit. I defy you to find a simpler, more robust system that the average Joe can and does understand.
Meanwhile, it's easy to understand how a complex system involving blockchains can and will be subjected to attacks exploiting it's opacity, or even the fact that it exists only in electronic form.
Let's put it this way: attackers even try to attack the very existence and legitimacy of boxes of paper ballots that are always on display and protected by security forces.
The claims Donald Trump made about the election were false. But why, exactly, they were false is extremely difficult to explain, and honestly impossible for the average person to validate. The promise of blockchain voting is that a sufficiently motivated private individual could validate the entire election. That is presently not physically possible in our system.
And yet we can pull almost anyone off the street from both sides of the political aisle to participate in a non-partisan recount or audit and have it work out, which is what happens. We can't do that with blockchains.
The counting process is open to any interested party, and more importantly the ballots are made available to any group interested in auditing them.
> and each one can only verify that they themselves have counted accurately.
What part do you believe might be missing?
Let's take a reasonable threat model. The society is heavily fractured. Not in an inconsequential way as in the US today, but more like Europe between the world wars. Communism and fascism were mainstream, and there was a credible threat of a civil war. (Not to mention a fair number of actual civil wars.)
Consider an average voter who does not trust the election authorities or the companies providing hardware and software for the elections. Maybe they are a communist who assumes that every major tech company is on the other side and actively trying to tamper with the elections. If the elections are actually run in a (mostly) fair manner, will that person trust the results?
That happened many times in the early 20th century Europe. People who had no reason to trust the elections still believed in the legitimacy of the results, which probably prevented civil wars.
Is that really the case? It seems far more common that the problem isn’t that people don’t understand how it works but is rather that they don’t like the result and pick that as an excuse.
When evaluating a proposed new system, we have to think about it outside of contexts where everyone is acting in good faith — the current system survived hundreds of challenges because it’s simple, robust, and anyone can understand how it works and that cheating would require moving millions of pieces of paper in locations around the country, which is very hard to conceal. Try to think about how a complex digital system would offer new avenues for complaint to the same well-funded attackers whose claims are not constrained by facts or reason. As we’ve already seen, even if the new part was perfectly implemented all they’d do is shift to where it interfaces with the real world (“I hit A and it changed it to B!”, “These people weren’t eligible to vote and I just know they voted for the other guy”, etc.). Since it wouldn’t be perfect, it would just afford new angles for misrepresenting things to a willing audience – as we saw with those fake “pcaps” or claims that China was connecting to the voting machine servers.
And for people who vote when you have to physically come to vote it's not only require effort, but also motivate their peers and family to do the same. And it's good starter of real world political discussion.
On other side if voting made low effort and truly remote and anonymous then it's will degrade people's involvment in process even more.
PS: Good podcast episode about how social networks decrease people's involvment in real world politics:
Hidden Brain: Passion Isn't Enough
https://podcasts.apple.com/us/podcast/passion-isnt-enough/id...
There is not a single person on earth who could audit an entire federal election on their own. There are multitude people because you need multitude people.
I could audit an election in the blockchain tomorrow.
We, it actually is. Audits serve to verify the results from one or more constituencies. Unless you somehow believe that each and every constituency has bee tampered with, you focus your attention onto the "tiny subset" that you deemed questionable.
> There is not a single person on earth who could audit an entire federal election on their own. There are multitude people because you need multitude people.
I don't understand why you feel that's relevant. An election involves public participation, and the goal is to ensure the public that the process is fair and reliable. If enough people find that the results are not reliable in any way then they are able to verify it themselves. If however only half a dozen voters in a universe of a few hundred thousand voters disagree with the result, and the vast majority of the electorate doesn't agree with the half dozen sceptics, then where's the value in it?
I mean, this whole hypothetical scenario relies on the assumption that a party/candidate that has a sizeable support is somehow not able or interested in verifying election results, but a single isolated individual is?
The whole point is that they can't. They need to rely on other people to verify the results. They cannot "verify it themselves".
> hypothetical scenario relies on
The hypothetical scenario relies on wanting the benefits of digital voting (of which there are many) without the major downside (of which there is one). A publicly verifiable ledger gives you the benefits of digital without the major downside, which is that generally with anything digital you can commit fraud at scale.
No, you could confirm that a set of electronic records was internally consistent. That is only a small part of an election audit: you'd also need to confirm that only eligible voters voted a single time each and that their vote was recorded the way they intended.
Needing a multitude of people is a security advantage of the current system: it means that any attempts at cheating need a ton of people, from both parties and the local government, to collude together because there's no way to automate changing thousands of paper ballots and the corresponding seals — the real world doesn't have an “UPDATE votes SET …” shortcut.
Contrast that with a blockchain system: when it's challenged, you're in one of two situations. If all you have are electronic records, you've just reinvented the Diebold scandals of the 2000s where you're trying to assess how much you can believe that a complex software system does not contain a bug or exploitable flaw because there's no solid proof. If you use voter-validated paper ballots, you do a standard hand recount — and you don't need a blockchain at all because the thing providing security is the robust well-tested paper balloting system.
The paper ballot is like counting with an abacus: you need to actually witness the proceeding to be able to verify the accuracy of the result.
A vote on a public ledger is easy to verify, even with an extremely rudimentary understanding of the technology, and the verification can be performed at any time in posterity.
Auditing is generally impossible with paper voting.
Not in principle, but it is incompatible in principle with anonymous ballots. When an explicit goal of the system is that it's impossible to answer the question "where did this come from?", an audit is dead before it starts.
What would you think of an "audit" of a company that concluded, in full, "they have $15,000,000 of assets"?
Electoral roll exist, counting of people voted vs total number of ballots per area is possible, etc. Exit polls also exist.
Yeah US have it's thing with vote-by-mail especially due to covid, but before that most of important data points were easy to audit.
> Electoral roll exist, counting of people voted vs total number of ballots per area is possible, etc.
Lyndon Johnson probably committed election fraud. There was no problem with the number of ballots. There was no problem with the electoral rolls. Vote counting is of course not an instantaneous process. It did happen that some votes for Johnson were discovered late. And it's interesting to note that the voters who cast them voted in alphabetical order. But that could be a coincidence.
What if they'd voted in a different order, by a less lopsided margin? How would you audit the ballots?
> Exit polls also exist.
Considering the most recent news about exit polls is "they're diverging from the actual results and we aren't sure why", this isn't a very strong point.
There’s only one part of this which isn’t wrong. You can verify that the ballots were given to registered voters at a particular polling station where they were sealed, transported securely, and tallied without the seals being broken – these days, all with video surveillance except for the actual person filling out the ballot. The current system does that with a mix of bipartisan volunteers and government workers, making it hard to tamper with unless you have a truly massive conspiracy which manages to avoid revealing any trace of its existence.
The only thing you can’t do is say that person A voted for candidate B, because that would guarantee attempts at coercion.
This is not even a requirement of a legitimate ballot. How are you supposed to "verify" something that isn't true?
This is one of the major reasons why all of those election lawsuits failed: an alleged tampering scheme would need hundreds of people altering many thousands of records, and it would need to involve members of both parties and city employees without leaking any trace of its existence. One very nice property of physical seals and paper ballots is that you can't alter them without doing a lot of manual work which would obviously be different from normal activities. The conspiracy theorists tried but they couldn't come up with a remotely plausible way that people could have been shifting truck-loads of ballots around in perfect secrecy.
For me a better system would be something closer to the certificate transparency system. There should be a way I can match something I know + something I hold to a cryptographic log entry that is publicly available but not reversable to my identity. If I dispute my vote record, I can challenge it using my secret information and quickly expose that my votes were tampered with.
All of that said, our current systems are possibly the worst convoluted highly-hackable-by-design systems. Engineers have testified before congress that they were told to make them weak intentionally. This just leads to engineers being silenced. Pen-testers get in trouble for exposing these systems being intentionally weak. It feels like this is the desired end-state as it just keeps happening.
How can a legitimate challenge be distinguished from one by malicious actors who want to nullify the election even though their votes were counted correctly?
In absence of such requirement voters may as well be able to issue a message which invalidates the vote and can be collected by a third party. Then the invalid votes tallied collectively could be used as legitimate reason for nullifying election result.
Results at certification would be in exact accord with the people's votes it would also be massively corrupted by undue influence of ones neighbors, family, employers, spiritual leaders, anyone with the money to buy votes, and so forth.
I do not understand how we could maintain a secret ballot and rely on a public registry of votes even if turning public vote into actual results required a secret. I also don't understand how the public could be sure that such results weren't silently corrupted even if it could in theory work.
No blockchain is going to solve this. Not ETH, and not Altman's Eye scanning surveillance coin.
At best a blockchain voting system can be used to audit that your own vote has not been tampered with, but you cannot possibly know who every other voter is to assert that Sybil has not voted more than once.
Get real.
Newer designs have recognized the need to prevent authority to know who voted for what. However in doing so they do obstruct the evidence that a legitimate voter had voted at most once. Often the evidence includes either to trust the system or officials with confidential access who can audit the system which can be meaningful if the system is software independent. However then we are left with problem that auditors may collude... In the end the system is very expensive to maintain and ironically state elections have been more expensive than voting with a paper ballot schemes.
The net result is that elections electronic voting systems are equivalent to a single ballot box which is supervised by a small elite. The electronic part just have made it possible. In this absurd reality we may as well substitute elections with taking surveys.
just admitting you have the same problem then trying to brush past it doesn't work. why on earth would intelligence agencies allow anyone but groups they can influence or outright control to be miners and why should anyone trust that this isn't the state of the system?
you're solving the wrong problem. you can't technology your way out of political problems: those still need to be hashed out between people.
This here is (I think) the key to fixing democracy. If the citizens can vote on not just the leaders, but every long-term decision faced by the country, then we’d see people become far more invested, and much less likely to divide on party lines that are essentially grey areas anyway.
What I’m imagining is a bit of a utopia, but:
- Voting from a personal device that every citizen can use problem-free, no matter where they are
- Clear language about what the choices are, and what will be affected
- Open and available clear-language information for people who choose to dig deeper
- Ways to discuss the pros and cons without being subject to scrutiny or chilling effects
Yes people could still get fatigued. But I suspect much less so than they are by a vote that happens every 4 years and does not let them participate in the stuff that moves fast.
Which means there would be no protections against vote coercion or vote buying.
> But I suspect much less so than they are by a vote that happens every 4 years and does not let them participate in the stuff that moves fast.
The problem is that there's so much of politics that moves fast, but is also incredibly boring and irrelevant for the vast majority. The whole point of representative democracy is that we elect representatives that have the same values as we do, and then we let them deal with all the boring crap so that we don't have to.
The mistake you're making is assuming that everyone would be equally interested in every single issue that came up for a public vote, and that is just simply not the case. Just look at California that often have referendums on the ballot, and what an incredible shit-show those usually are.
Yes, definite potential issues here. Again: I’m imagining a utopia (where there is no corruption of individual voters)
“... incredibly boring and irrelevant for the vast majority”
It’s clear that an overwhelming percentage of politics is intentionally uninteresting to the public. Parties battling through intentional bureaucratic stalling, thousands of hours put in to adding loopholes that are designed to be exploited for personal gain, reams and reams of information designed to hide a simple “I don’t know”, and so-on.
If we truly were in a utopia, the choices left would be straightforward, manageable, and in less volume over time.
“The mistake you're making is assuming that everyone would be equally interested in every single issue that came up for a public vote, and that is just simply not the case.”
Kind of. Even if 70% vote in each issue, and it’s a different 70% each time, that’s a huge upgrade.
“The mistake you're making is assuming that everyone would be equally interested in every single issue that came up for a public vote”
I disagree with your take on it. It’s just as valid to say that the mistake you are making is assuming that people would be more jaded and hopeless than they are now.
That being said, I still share the sentiment of some of the commenters here, whereas the complexity of the operation has the potential to derail the whole democratic process.
Even with paper ballots, the U.S.A already has almost half of its voters going into frenzies about how the "process" cannot be trusted. That is, the process of reading check-marks on a paper and tallying the ballots, which is almost primitive compared to the protocols the article is suggesting.
If we were to use a complex suite of protocols, we could easily have another "vaccine" situation, where again almost half of the U.S.A. don't want to get the vaccine because it's "too complex to know if it's safe" (despite the basic building blocks of it being understood and having almost universal use).
I do wish I could vote from my phone, or from my computer though. That would be awesome.