Designing Voting Machines to Minimize Coercion

If someone wants to buy your vote, he'd like some proof that you've delivered the goods. Camera phones are one way for you to prove to your buyer that you voted the way he wants. Belgian voting machines have been designed to minimize that risk.

Once you have confirmed your vote, the next screen doesn't display how you voted. So if one is coerced and has to deliver proof, one just has to take a picture of the vote one was coerced into, and then back out from the screen and change ones vote. The only workaround I see is for the coercer to demand a video of the complete voting process, in stead of a picture of the ballot.

The author is wrong that this is an advantage electronic ballots have over paper ballots. Paper voting systems can be designed with the same security features.

Posted on June 27, 2007 at 12:09 PM • 32 Comments

Comments

Stefan WagnerJune 27, 2007 12:58 PM

Aren't paper votes already designed that way?

I can put my cross on the paper, and make a photo of that, but then I go to the desk and ask for a new form, because I made a mistake.

I surely can't make a video, showing how I put the vote into the box.

Conclusion: Computer voting does weaken the process.

joeJune 27, 2007 1:01 PM

is coercion really that big of a problem in the Western World, of which I must assume Belgium is a part of, seeing as it contains the capital of the European Union. Has it not been shown time and time again that the bigger problem is that e-voting machines do not accept, record, and tally votes accurately, therefore making the confirmation screen one additional necessary safeguard (at least against the "accept" part of the voting equation)?

PorkBellyFuturesJune 27, 2007 1:43 PM

"I can put my cross on the paper, and make a photo of that, but then I go to the desk and ask for a new form, because I made a mistake."

Or use the eraser at the end of the pencil.

"is coercion really that big of a problem in the Western World"

Does anyone have a way of estimating the size of that problem? There may be special cases, like members of a specific group or community being coerced by community leaders.

Possibly a bigger parallel problem is vote buying. If you can prove your vote to someone else, it becomes possible to market your vote to bidders.

If the system is designed to make it impossible to prove who you voted for, then vote buyers would have to be stupid because they can never know if they got what they paid for.

Pedro FortunyJune 27, 2007 1:51 PM

To Joe: not that *big* problem but we in Spain know it *might* be in the Basque Country (especially in small villages).

However, as Stefan puts it, computer voting makes things even worse (apart from the fairness assumptions).

(BTW even though the CIA says Brussels is the capital, the EU has NO capital).

partdavidJune 27, 2007 1:51 PM

I live in Oregon, where we have vote-by-mail. It's not a problem (and anyway, any such system that allows absentee voting "allows" vote buying or coercion).

The idea of some army of vote buyers subjecting people to videoing their votes, or even taking pictures of them, or verifying photocopies of absentee ballots, or anything like that, smacks of movie plot threat to me. It's just not practical to apply enough pressure en masse to sway the outcome of an election even in a single precinct, without it coming to the attention of the authorities. We don't need absolute countermeasures against provable votes, we just need to make it marginally hard to do, the scale of participation does the rest.

Where the security is needed is in the process of what happens after you vote. Boxes of votes, the electronic transmission of votes, counting at the recorder--these are the processes that are far more subject to fraud. If ever we spend time and energy protecting the integrity of the voting process, that is where we must spend it. It would be a bad trade-off to make it harder to steal votes by coercion (by adopting electronic machines with anti-coercion features) and easier to steal votes by messing with the vote handling (by adopting machines at all).

IngvarJune 27, 2007 2:02 PM

Sweden uses paper-based voting. The way it works is by having standard-sized paper ballots (edge-marked to identify the race it's valid for, both by base paper and by dash-markings). You can photograph these as mush as you want, but nothing bars you from bringing multiple ballots in (they're pre-printed with parties and names, you can strike name sout, if you want; there's also "blank" ballots you can write whatever you want on) in behind the voting screen. You then stick ONE ballot paper in an envelope (with small cut-outs for the edge markings), one envelope per race, and take them over to be dropped in the ballot box (called, for some reason, the "voting urn").

While there are ample places to obtain evidence of your compliance with a vote-buyer, it is easy to provide that evidence and vote otherwise. You wil NOT be allowed to be behind the voting screen with anyone else in attendance (I think you may get assistance from election room attendants if you're infirm enough to need it, but you can't bring your own help).

On the whole, it's a fairly well-designed system, it's entirely apper-based and has some extensions to make revocable postal votes (so you can submit postal votes in advance that are voided if you vote in a poll booth), by the simple expedient of collecting your postal votes in an identifiable envelope that will be shredded if you then turn up at the polling station.

alfJune 27, 2007 2:16 PM

Coercion can be a real problem with "vote by mail" schemes. There have been reports of vote buying in Spain using this method. You fill the forms with the "mafioso" standing in front of you, put them in the special official envelope, and he walks you to the post office. You have to submit the envelope yourself, with proper ID, but if the guy purchasing the votes keeps an eye on you during the whole process...

This kind of voting is meant to facilitate voting by expats, or people that won't be available for voting on election day.

I agree paper votes are better. Just don't allow voting by post. Expats should vote in the nearest consulate or embassy.

Alf

Stephen CrimJune 27, 2007 2:19 PM

I would consider vote sales to be an issue of law enforcement more than one of system design. It seems like something that tax and finance records would uncover very well.

As an American with growing distrust of the establishment and its ability to conduct itself honestly, I would far prefer a system that offered me the chance to ensured that my vote was counted and to see my vote part of a larger, verifiable public account. Something that produced a token associated with the vote as it was counted broken into two parts, one a printed record and the other something mnemonic that could be displayed securely.

Such a system would allow bullied voters to "misremember" their mnemonic token when asked for proof of their voting record, shrugging and cursing their memory when the record it matched didn't match the desired outcome.

Jef PoskanzerJune 27, 2007 2:32 PM

I think vote coercion used to be a big problem and then it was pretty much solved. Thinking that just because it's not a problem right now we should let it make a comeback is an error.

FooDooHackedYouJune 27, 2007 2:45 PM

So, I would imagine that this would not be a big problem in Belgium but rather "third world" nations were this type of coercion is more likely to occur.

AnonymousJune 27, 2007 3:28 PM

@Stephen Crim: Read Ron Rivest's Three-Ballot paper. He has an interesting scheme for making ballots both verifiable and impossible to prove. It's fairly simple (no cryptography used) but it still may be a touch too complicated for general use. Every tiny bit of complexity in a voting system risks disenfranchising the less intelligent.

rapier57June 27, 2007 3:30 PM

Well, here in King County, Washington State, we register and allow dead folks to vote. Most of those use the mail-in ballots. Coersion and vote buying takes on a whole new character here.

dragonfrogJune 27, 2007 4:11 PM

@partdavid

Coercion doesn't need to be extensive in order to be effective.

A hypothetical example: one candidate is preferred by conservative male heads of households, and another is preferred by women and young people.

In each of a hundred thousand households, the patriarch makes sure that the mail-in ballots of his wife and 1.2 children are filled out "correctly", then gathers them up and mails them all together.

In that situation, there's no need for an organized army of vote-buyers; you just need entrenched powers within each family, who will act independently.

Didier StevensJune 27, 2007 4:24 PM

"I can put my cross on the paper, and make a photo of that, but then I go to the desk and ask for a new form, because I made a mistake."

It's really not that simple here in Belgium, I know this because my wife once requested a new form (when we still voted on paper). It took a lot of time to convince the "officials", because many of them believed it was illegal to provide a new form, and then there was a lot of red tape before she got the new form.

So here in Belgium it's much simpler to back out of an electronic vote than out of a paper vote.

BTW, there is no eraser on the pencil, and every smudge is a reason to invalidate a ballot.

QuercusJune 27, 2007 4:27 PM

I agree that security in vote confirmation, counting, and recounting are more important, but that doesn't mean it's a bad idea to try and make a system that defeats coercion/vote-selling.
Of course it seems kind of silly, given that I don't have to present any kind of ID when I vote, just be able to say the name and address of someone who is registered but hasn't voted yet that day.
Am I the only one who thinks that's a security hole?

kybJune 27, 2007 4:39 PM

In particular, I can't see what the anti coercion mechanism that he's talking about is. Having a step that asks you to confirm your vote that doesn't show your vote is pointless. The whole point of confirming is to make sure that the machine has got it right. Adding what your vote was to that screen wouldn't enable coerction, because you can still back out and change your vote.

The important page that mustn't list your vote is the "thank you for voting" page. But I find it hard to believe that any system has that, because if it did, people would leave the booth, and the next voter would be able to see the vote.

Videoing the whole process is likely to be enough of a pain that it would only ever be a tiny problem, if it was a big problem the authorities would quickly find out about it, and at that point, something could be done.

Still, for best safety against coerction it might be better if the actual casting of the vote part was done in public, where officials can verify that there is no filming or picture taking, and only the selection of the vote done in private, and possibly done multiple times. This is quite easy to do with paper systems, but somewhat harder with computer systems.

supersnailJune 28, 2007 2:32 AM

I am currently resident in Belgium and can say with some confidence that trying to fix an election in Belgium would be an uproductive waste of time.
The fix is already in! The incumbent parties have installed a proportional representation system which effectivly leaves the choice of winners to the party bosses. After the election an informal "smoke filled rooms" and "I knew him from school" system ensures that the same faces end up in government. Under this system a prime minister with an approval rating of only 30% in the opinion poles can get re-elected.

The only effective form of protest for Belgian citizens (who legally must vote) is to vote for extreme Left wing (as favoured by french speakers) or Right wing (as favoured by dutch speakers) parties.


AnonymousJune 28, 2007 2:54 AM

@ Ingvar

> revocable postal votes

alf and other subsequent posters call for banning postal voting because of the coercion issue while totally ignoring this part of your comment. I think they actually have a valid point, since the local voting-coercion boss could easily hire people on election day to do surveillance of the polling station(s), to check that no one whose postal vote was coerced will later show up to invalidate it.

The only way out of that problem that I can think of (not including disguising oneself, etc.) is to invalidate votes from anyone who sends in more than one postal vote. But even in this case, the coercive agent has effectively disenfranchised you.

GregJune 28, 2007 6:29 AM

@supersnail

Welcome to the wonderfull world of democracy.....

That particular discussion has been going on since roman times.

We all call the smoked/mirror room different things. But we all pretty much have em. ... err except perhaps china ;)

a voterJune 28, 2007 8:23 AM

@Stefan Wagner
"I can put my cross on the paper, and make a photo of that, but then I go to the desk and ask for a new form, because I made a mistake."
Nope, it doesn't work that way.
The buyer goes in first, but instead of dropping the vote into the box, he takes it outside.
The seller gets this vote already marked for the correct vote, goes in, drops this vote and brings out an empty one.
The only thing the seller can do is not voting (or maybe invalidating the vote), but he can't vote for somebody else, unless he asks for a replacement empty voting form (which causes a lot of stirrup, and vote-sellers don't usually do this kind of things)

supersnailJune 28, 2007 8:33 AM

The standard procedure for buying paper votes goes:-
Election Rigger:
goes to booth.
gets ballot and marks vote of choice.
puts ballot in pocket.
Punter 1:-
gets marked vote from rigger.
gets blank ballot.
pretends to mark it.
places amready marked ballot in box.
hands blank ballot to rigger.
receives payment.
Rigger.
then marks ballot with vote of choice and repeats for each punter willing to sell thier vote.

DamonJune 28, 2007 9:48 AM

I think the Three-Vote system is brilliant and if I were setting up my own country, I'd use it blended with an instant runoff voting structure. However, the weakest link here is the inability of the vote-sellers to lie efficiently. The vote-buyer will buy votes from those he can "read."

dragonfrog makes an excellent point about systemic voting influences that I believe to be much more significant than some underworld type going door-to-door offering $100 to anyone who'll vote a certain way. Another example of these systemic influences is the work environment. "So, did you vote that bum out yesterday?"

We should continually strive to make our elections fairer and more free, but we should recognize which windmill deserves the first tilt. We need to inculcate a societal norm that voting is a sacred duty. Start by:

1. giving people a half-day off from work on election day,
2. extending political debates from 60-second soundbites to full-on policy discussions, and
3. drafting election workers like we do jury duty

PorkBellyFuturesJune 28, 2007 10:00 AM

@a voter: "The buyer goes in first, but instead of dropping the vote into the box, he takes it outside."

Two problems with your scheme:
1. Taking a ballot and not dropping it in the box would raise suspicion. Those things are tightly controlled. In Canada that would be detected because after you mark your ballot you have to fold it, and then an election official tears off a piece and you deposit what remains in the box.

2. The larger issue with your scheme, even if you could walk out with an unsubmitted ballot, is that the buyer has to surrender his right to vote in order to buy someone else's. He can't walk in and get a second ballot, because any election system has measures to prevent someone from voting twice. So what does he gain, exactly?

DBHJune 28, 2007 10:08 AM

Doesn't this fail the VVPT? And wouldn't that always be susceptible to vote buying or coercion since you can always take a pic of the paper trail?

Really, the only way to prevent it would be to prevent cameras from being placed in the booth, or prevent them from working. Maybe you have to look through a special lens at the paper which won't allow a cellphone camera to focus on the paper? Ever try to take a pic thru a microscope? (You have to remove the objective...)

DBHJune 28, 2007 10:09 AM

Doesn't this fail the VVPT? And wouldn't that always be susceptible to vote buying or coercion since you can always take a pic of the paper trail?

Really, the only way to prevent it would be to prevent cameras from being placed in the booth, or prevent them from working. Maybe you have to look through a special lens at the paper which won't allow a cellphone camera to focus on the paper? Ever try to take a pic thru a microscope? (You have to remove the objective...)

Anonymous monkeyJune 28, 2007 12:29 PM

To PorkBellyFutures:
Item 2. is not an issue, as long as the vote buyer can buy more than one. If he surrenders his own vote in exchange for, say, ten, he will net nine votes.

JannaJune 28, 2007 4:29 PM

Isn't anyone concerned about our votes in this country? Here in Sarasota we're trashing our touch screens just to replace them with ballot scanners that are still independent vote tallying machines. The tallied votes are networked to the mother computer. Punched cards were actually more secure. It was the aftermath that was the debacle. Unless an election is challenged and paper ballots verified and counted by hand, we won't even know if the ballot scanners are counting the votes correctly.

TSKJune 29, 2007 5:44 AM

Are people getting so incredibly naive about the problems of voting ?

The system in Germany:
- You get a letter where to vote
- You walk to the location, showing
either your letter or your ID card.
- You get *one* vote paper and an
envelope
- You move behind a screen *alone*,
choose your candidate and put your
sheet into the envelope.
- You move to the table and the
canvasser opens the urn to let you
drop the envelope. He will not let you
drop the vote if you try to give your
vote *openly* or *documented*.

If you accidentally crossed the wrong candidate, you walk to the canvasser and exchange your vote sheet with another. -> back to the screen

- After the end of the voting, the canvassers consisting of different parties count the votes. If differences arise, the votes are recounted.
- The vote *is* the documentation. If a party suspects fraud, the paper sheets can be always recounted.

Simple. Effective. Very hard to manipulate (One idea is to hide a small
camera, photograph your vote behind the screen and throw in the first envelope. But it doesn't prevent to drop an invalid vote by crossing several choices after you made your photograph).

The former East Germany and other regimes behind the iron curtain had also votes, but

a) you *must* vote. If you don't do it, you will face...disadvantages. (It prevents people to sabotage the vote by
ignoring it and removing therefore the legitimation of the current ruling party).

b) you have a choice between different candidates of one party (so you can't claim that there is no choice and therefore no vote). But one of the candidates has naturally much more charisma and ability than the other candidates (He has the support of the party and much influence on the police, but that is a minor detail).

c) you are so very proud of your country and of your opinion that you vote openly; *everyone* can see that you fully support your party (If sight screens are offered, you naturally dismiss such
opportunities for people who can be only cowards if they don't vote openly).

d) You may use the sight screens and nothing will happen during the vote. But afterwards, well, you may face...disadvantages.

Both turnout and acceptance of party leaders got consistently over >95%.

TSKJune 29, 2007 6:14 AM

Addendum:
Don't take the "naive" personally, but I really find it incredible that the painful lessons of history concerning the former iron curtain countries seems to be ignored.
Coercion, either positive (bribing) or negative (threat) *is* a severe and proven problem and not a theoretical one. If you want to wait until the first problems arise, you may be badly surprised by the fact that it is too late to counter them.

AnonymousJune 29, 2007 1:54 PM

@pardavid, "...without it coming to the attention of the authorities."

why do you assume the authorities are not the perpetrators?

checks and balances only work if the assumption that nobody has a finger on the scale is valid. Opposition poll watchers can only attest to accurate counts in their presences, not about coercion behind their backs.

WooJuly 2, 2007 5:45 AM

If elections could change anything, they would already be outlawed.
What good is the most secure voting protocol if there's no choice I would be willing to vote for? I don't know about most other countries represented here, but in .de I'm mightily pissed atm.

meAugust 11, 2007 2:35 PM

A small enhancement that only partially protects from a very rare event added to a flawed system does not make it any better.
Electronic voting is hopelessly broken, unless you're the politician who signed the contract.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..