VBM and vote buying

In the comments section, Dan Weber points out that remote voting systems are in general fairly susceptible to coercion and vote buying attacks. For concreteness, let's say we're dealing with one of the systems in which you fill out your (anonymous) ballot and then stuff it in an envelope with your name and signature on it. In order to sell (No way am I going to write "or appease your coercer" after every instance of sell. Just take it as read.) your vote you wait until you have received your ballot, then sign the envelope and give both the ballot and the envelope to the person buying your vote. They fill it out as they like and mail it in at their convenience. [Note that one could make this attack very slightly harder by requiring people to sign over the envelope flap so that the envelope had to be sealed before you signed, but even then the attacker could just fill in the ballot and then have you sign the sealed envelope.]

This is more or less a generic problem with all remote voting schemes, at least the non-cryptographic ones. The only real defense I know of is to permit voters to cast multiple ballots with only the last one counting. The idea here is that I would give the attacker my vote-by-mail ballot and then cast a "real" vote later, either in person or remotely [note that this would require treating ballots as uncontrolled items, which, as I said, isn't always true]. This doesn't seem like an entirely satisfactory defense for a number of reasons. First, it only works if a large fraction of the people who sell their votes then deliberately cheat the buyer. In practice, it seems likely that many won't, in which case the attacker will have a pretty high success rate. Second, if the attacker has any way of knowing whether people voted multiple times—even without knowing how they voted—then they have an opportunity to punish defectors (or at least not pay them). It probably only takes a small probability of that happening to deter defection.

Now, it could be that the convenience of vote-by-mail is worth enabling this kind of attack. That's a policy cost/benefit type question, but from a technical perspective I'm not sure how to remove this attack with conventional (i.e., non-cryptographic) systems, so it's something that needs to be considered when deciding how much VBM to have.

4 Comments

I don't think either of your arguments against the last-vote-counts system quite works. First of all, if vote-sellers can be relied upon not to cheat buyers, then that honesty would apply even in a secret-ballot system. And if the system keeps the number of ballots per voter secret, then an attacker who can compromise that secrecy can presumably compromise the system's secrecy in other ways as well--possibly including knowing the mapping between ballots and voters.

A stronger argument against last-vote-counts is that in practice, there's always a deadline beyond which submitted votes don't count, and the vote-buyer and seller can collude to ensure that the purchased vote runs up against that deadline, making subsequent valid votes unlikely or impossible. More generally, any multiple-vote-based countermeasure to vote-buying implies some kind of signaling mechanism by which the voter indicates that one particular vote is the "authentic" one, and it's hard to see how the system could prevent vote-sellers from opening up this signaling mechanism to a vote-buyer, to assure the latter that the vote has been duly sold.

(You allude to cryptographic methods for avoiding this problem, but I'm not familiar with them. Perhaps you could elaborate?)

I'm not sure I find your counterarguments that compelling. (1) There's a difference between just not doing your part of the bargain and deliberately doing *more* effort to cheat someone. (2) Sure, you could keep the number of ballots per voter secret, but now you've introduced a new security invariant: the envelopes themselves need to be kept secret. This wasn't true before.

As for cryptographic methods, I was mostly just hedging my bets, but my memory was that many of the cryptographic end-to-end voting methods offered receipt-freeness.

At one point, for a paper that got rejected, we worked out a variety of paper-based vote-by-mail methods that could address this. One variation was to send a random number of ballots to each voter. Then, if somebody wants to buy your ballot(s), they don't know if or when they've gotten all of them.

Another variation is to establish some kind of shared secret between the voter and the election authority. Then, on each ballot, you have the choice of either putting the true shared secret (or some value derived from it) or just making up a number. A coercer would never be able to tell the difference, but the election authority rejects ballots without the proper shared secret.
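As an added illustration of the shared-secret variant described in the comment above (example code of mine, not the commenters' or their paper's design; the HMAC-derived tag, the function names and the sample voters are assumptions):

```python
import hashlib
import hmac
import secrets
from collections import Counter

ELECTION_ID = "2024-general"  # constructed sample election identifier


def issue_secret() -> bytes:
    """Election authority creates a per-voter secret, shared out of band."""
    return secrets.token_bytes(16)


def true_tag(secret: bytes, election_id: str) -> str:
    """Value derived from the shared secret that the voter writes on a ballot.
    Assumption: a truncated HMAC over the election id, so one secret can be
    reused across elections without the tag itself leaking the secret."""
    return hmac.new(secret, election_id.encode(), hashlib.sha256).hexdigest()[:16]


def made_up_tag() -> str:
    """What a coerced voter writes instead. It is uniformly random, as is the
    real tag, so the coercer holding the ballot cannot tell them apart."""
    return secrets.token_hex(8)


def tally(ballots, voter_secrets, election_id):
    """Count one valid ballot per voter; ballots with a wrong tag are dropped.
    ballots: list of (voter_name, choice, tag) as received by mail.
    Returns (counts, rejected) where rejected is a list of (voter, reason)."""
    counts, rejected, seen = Counter(), [], set()
    for voter, choice, tag in ballots:
        secret = voter_secrets.get(voter)
        if secret is None:
            rejected.append((voter, "unknown voter"))
        elif not hmac.compare_digest(true_tag(secret, election_id), tag):
            rejected.append((voter, "bad tag"))  # the bought/coerced ballot
        elif voter in seen:
            rejected.append((voter, "duplicate"))
        else:
            seen.add(voter)
            counts[choice] += 1
    return counts, rejected


def demo():
    db = {"alice": issue_secret(), "bob": issue_secret()}  # constructed voters
    # Alice hands a buyer a ballot for X bearing a made-up number, then mails
    # her real ballot for Y with the true tag; carol is not a registered voter.
    ballots = [
        ("alice", "X", made_up_tag()),
        ("alice", "Y", true_tag(db["alice"], ELECTION_ID)),
        ("bob", "X", true_tag(db["bob"], ELECTION_ID)),
        ("carol", "X", made_up_tag()),
    ]
    return tally(ballots, db, ELECTION_ID)
```

The authority's reject list reveals that a bad-tag ballot arrived in Alice's name, so, as with the last-vote-counts scheme, that list must itself be kept from the buyer.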

Thanks for the post dedicated to this. The Red Cross example got me to thinking that we break voting into two components: a vote-by-mail phase, and a verification phase, where everyone goes into a private booth and quickly confirms/denies their prior vote.

But this loses a lot of convenience of voting by mail in the first place, so much that you wonder why you would even bother implementing such a system. Maybe let people show up to privately invalidate their prior vote, but that requires extra work on the part of the voter. It might be a pretty good guard against vote coercion, since a sufficiently offended voter would find a way to invalidate his vote.

The desire for a private, un-buy-able vote is the bugaboo of so many voting systems. If we were to get rid of that requirement, we could quickly design a very accurate voting system in which everyone knows who everyone else voted for. But I don't think this is a good idea; the silent vote is a check against mob rule.
