Open electronic voting (evidence against the contrary)
Following in the footsteps of the habratopik and many others about anonymous , open , honest voting, I want to conduct an independent investigation and come to a simple and understandable decision on what is achievable and what is not, and under what conditions.
To put it in terms close to programmers, find a CAP for this task. For example, everyone knows that by reducing the error of the first kind, the error of the second kind increases . Having drawn an analogy, reducing anonymity, we increase the reliability; increasing anonymity, we decrease reliability.
In general, in order to be objective, and not unfounded, we use the method of the excluded third (the method of the contrary). I hope that representatives of intuitionistic logic will not mind.
Further considerations do not seem obvious and can be considered as compromises or options. And, yes, I do not exclude that in theory all voting systems already use these theses.
Based on the theses above, I will give a voting model that seems simple to me and satisfies the stated requirements. Everyone, as before, goes to polling stations with a randomly unique number (generated in advance or at the polling station), but known only to the voter. Then the pair number-choice + group attributes is placed in the ballot box or immediately sent to the CEC. Where it becomes available after 10-30 minutes in a common base (a delay so that it is impossible to track the voter in time).
In order to exclude all statements, I voted for one, and changed my vote (This is always possible in an anonymous system!), The following procedure is carried out.! A person is invited to check the result, after eating a pie and 15 minutes of waiting, and if something does not match, write a statement with the competent authorities and change your voice. Of course, this procedure instantly deanonymizes a person, but allows him to make his choice!
This model does not guarantee that any election may take place. If, for example, having come home> 20% of the population did not find their results, or group indicators have deviated far from the census rate, of course, the elections should be invalidated and held again.
Thanks for attention.
To put it in terms close to programmers, find a CAP for this task. For example, everyone knows that by reducing the error of the first kind, the error of the second kind increases . Having drawn an analogy, reducing anonymity, we increase the reliability; increasing anonymity, we decrease reliability.
In general, in order to be objective, and not unfounded, we use the method of the excluded third (the method of the contrary). I hope that representatives of intuitionistic logic will not mind.
Abstracts
- The results should be open to everyone and verified by everyone, by counting votes.
Suppose the results are not open. That is, the results are not published, in general, or one, two numbers are published, that is, only the final results are available. This looks unreliable, because on the way from the results to the final results, an error could occur that affected the result. In any case, if all the results are not accessible to everyone , conflicts, misunderstandings and double counting may occur. In fact, the situation that all the results are available only to a limited circle of people should be considered discriminatory and unacceptable. So, the option with closed results is not applicable! t.d.
Actually, there are methods for checking the results on indirect grounds (exit poll, distribution of voting time depending on the votes), but all these methods are complex and have a major drawback, they are indirect .
Conclusion . According to the results of voting, a base (table) with all votes and choice should be published. - Anyone should be able to verify their voice against a published database.
Suppose someone cannot check how he voted. Hence, it is possible that someone in the middle could change his voice (MIM problem). This is extremely undesirable and unacceptable. t.d.
Of course, following the rules of simple anonymity, we do not want the name + address of the person to be written in the database. So there must be some key known only to the person himself! - The key should not be issued by any authorization center.
If you imagine that the key is issued by some center, then this center has all the data to match the person and his voice (the base of votes published). Even with unlimited trust, the center (or someone else) can always abuse it. So, we will consider this aspect of deanonymity as undesirable. t.d.
It is worth noting that the secret of determining the key and the secret of voting are in no way connected. For example, in most cases it is impossible to ensure the secrecy of the vote, even using the Internet and https (always someone can stand behind him). - The database of votes should contain some group anonymous, but verified signs.
If the database does not contain any secondary characteristics regarding a person, then it is extremely easy to cast votes, which is not desirable.
One of these signs may be the total number of votes. The obvious fact is that the number of votes should not exceed the number of people. You can also include the sign gender or polling station or time (?) Of the vote. For example, independent observers can check the number of people voting in one polling station and use this to verify results.
Further considerations do not seem obvious and can be considered as compromises or options. And, yes, I do not exclude that in theory all voting systems already use these theses.
Working model
Based on the theses above, I will give a voting model that seems simple to me and satisfies the stated requirements. Everyone, as before, goes to polling stations with a randomly unique number (generated in advance or at the polling station), but known only to the voter. Then the pair number-choice + group attributes is placed in the ballot box or immediately sent to the CEC. Where it becomes available after 10-30 minutes in a common base (a delay so that it is impossible to track the voter in time).
In order to exclude all statements, I voted for one, and changed my vote (This is always possible in an anonymous system!), The following procedure is carried out.! A person is invited to check the result, after eating a pie and 15 minutes of waiting, and if something does not match, write a statement with the competent authorities and change your voice. Of course, this procedure instantly deanonymizes a person, but allows him to make his choice!
This model does not guarantee that any election may take place. If, for example, having come home> 20% of the population did not find their results, or group indicators have deviated far from the census rate, of course, the elections should be invalidated and held again.
Unresolved Issues
- Anonymity of voting . Strictly speaking, I do not know how it can be solved. In principle, classical methods work quite well: an urn, an individual room with a computer or a voting apparatus.
- Incorrect vote counts and competent authorities . In any system with anonymity, it is not possible to verify who the person actually voted for. Therefore, it is highly likely that a certain group of people will constantly disrupt the elections due to the huge number of “dishonest” statements. At the same time, this may be a sign of constant fraud. Which of the two is difficult to determine.
- Deanonymization through group attributes . For example, the site number is a group feature, but oddly enough, some sites can be small and closed enough to easily identify the voice of a particular person. Control method: increase aggregation of a group trait.
Thanks for attention.