Paper elections are cheap, reliable and more importantly trustworthy even to people that have no idea what a symmetric key, hash or blockchain even is. But we had to go and screw up by creating extremely insecure voting machines and then come up with crazy schemes like this one to fix them. Do people really think all this complexity is a good thing? Paper elections are very well understood but you can easily come up with various exploits to at least disrupt an election under these systems. Once you give me all this shiny new attack surface I can:
- Hack the voting machines to just turn on the "duress" mode for everyone, or do it just in the precincts that tend to vote for my opponent
- Use my great new paper receipt to prove I have voted for candidate A and collect my bribe as if the paper receipt doesn't encode the candidate it's useless. I don't care to verify if my vote was counted if I can't verify that it was counted for my candidate
- Hack the voting machines to record candidates at random ignoring the key presses, turning the election into disarray
- Selectively deny network access at polling places to create longer queues at the sites where my opponent is stronger
I'm sure you can cause a riot or two pretty easily. The fact that paper is dumb and paper elections use extremely simple technology, math and process is a feature not a bug.
Paper voting doesn't allow for much more citizen involvement than most "democratic" countries have today. You can hold elections every few years, maybe a referendum once or twice a year at most, but any more than that and it becomes inconvenient, inefficient and not so cheap.
As a citizen, I want to be more involved. Even in a representative democracy, I want to hold my representatives responsible for their actions. I want to be able to recall them. I want to support some bills and oppose others. I want to have votes in my local community about building a playground or whatever. I may even want to propose policies and have other citizens vote or maybe even crowdfund it.
While I do not support this specific proposal, I think we should move on from paper elections.
Some context: Switzerland has votes on issues about four times a year, and they managed to do this with paper, mostly via mail (if someone local knows otherwise, please correct me).
Recently they tried out e-voting, with what I consider predictable results:
Also, I agree with ianstormtaylor in that I don't think that what you're proposing would necessarily be good. You need a political system that you trust will promote wise decision makers, and then you need to not micromanage them. If the people who get elected can't be trusted to make good decisions on a scale of several years, then the political system needs to be corrected, not expanded.
> If the same security demands were required when postal voting was introduced in 1990, it would never have been allowed
He has a point there. Transportation, heavy machinery, power grids, cruical infrastructure, healthcare, economy and so on all increasingly run computer systems with questionable security. Lives and world order depend on them. Are we really going to draw the line at voting? (edit: expanded on this point a bit)
Trust on the scale of several years is a difficult thing. People go from lovers to archenemies in that time.
But yes, some long term projects do need stability and long term support to become fruitful. You could introduce constraints to support this, or trust the voters to take it into account.
But even more important than time is the granularity of trust. Just as in everyday life I trust different people to different degrees in different domains, I would love to have a voting system that reflects this with regards to political representatives or activists.
Yes, we need to draw a line at voting. It's a single event, where a choice that can be encoded in a single byte of pure information has enormous consequences in terms of power allocation.
If you can change that byte across even a small percentage of voting machines, you can leverage that into control of the country's government.
All of the examples you listed are continuously running, auditable, highly heterogeneous systems that can have multiple parties cross-checking because there isn't the absolute need for the actions of the participants to be untraceable back to them, the way it needs to be with voting.
I work with government often. I am often outside begging to be given access to help my community with one civic project or another. Interactions that take hours in open source communities, take months to coordinate with City staff.
I'm the last one to advocate taking the brakes off the car, but there are many many many parts of government where decisions require several years only because everything takes years to do. I think there is a perspective, if you step back to imagine this world, where we as citizens can participate and make the turn-around quicker. Not everywhere. Many government functions require care and caution and sober second/third/fourth thoughts.
But many of these actions need not take years, if we could re-imagine something better. And right now, the lifeblood of government runs like molasses, not because each slow process has been intentionally made slow, but because the processes and practices and hierarchies are structurally slow at their core. That's not clever slowness. That's a calcifying fossil.
I personally think giving citizens more decision-making access will keep civil servants on their toes, keep them learning, and speed up the cycle time in many needlessly slow areas of government.
I see your point and often share your frustration. However, none of what you said necessitates electronic voting. In fact, it may be detrimental to the democratic process at the local level. A couple thoughts: (i) First, taking time to do something means that people that don't agree get a chance to discuss and possibly mobilize against it. (ii) More subtly, forcing people to vote between options means that the options themselves have already been codified. This process of choosing what to choose between is fundamental to local governance. A somewhat absurd example but imagine being given the choice between reducing the tax rate on the wealthiest people to 20%, 15% or 5%. Sure, we can vote on that but it doesn't seem very democratic...
I hate to agree with President Obama on this topic but I have to agree with him. The first problem we need to tackle is not to fix the electoral process. The first problem we need to tackle is getting people to actually care enough to show up and show up in large enough numbers so we can effect change.
Where is you evidence? Bribing voters is too difficult and expensive to be worthwhile. It's much easier to block the people through voter suppression laws.
Is that actually a good thing though? (I'm honestly not sure.)
I would think that as the response time becomes shorter and shorter, the system starts being more and more volatile. One of the benefits of the current system is its stability. It's unfortunate (depending on your point of view) that certain causes don't move faster, but at the same time it also prevents bad ideas from moving fast.
Not only that, but as the involvement is more and more frequent, it might have the effect of numbing people more. Right now national elections are a big deal because they are so rare, so it adds a bit of "moral weight" to the whole process. If they are as easy as pulling out your phone and tapping a button from your couch, is that actually going to result in more "correct" (in terms of long-term viability) decisions being made?
These things might not actually matter though, because they might have equal and opposite benefits that balance things out.
I'm sure many people smarter than me have debated this topic from both sides. If anyone knows of any articles/papers on these ideas I'd love to read them!
Initially it would probably be a mess. But I also think more involvement is the only way to build a more responsible, informed, interested citizenry. People need to feel that they can affect things, that they have a say in policies.
I think a lot of people are indifferent because it doesn't seem to matter whether they vote for the red or blue team every few years, <insert favorite cause> doesn't seem to be improving. If they had a slider to set their preferred allocation of public spending and they could vote on specific proposals about <their favorite cause>, they would probably be more inclined to participate and do so in a more responsible manner.
You can't force people to participate though. Maybe you could optionally delegate your vote, and then it would be effectively the same level of involvement as with the current hands-off representative system. But at least you could still withdraw or reassign the voting power at any time.
One of the ways to help that feeling is to get people more involved in local government. Local government has a lot more of an impact on them and they have much more power in such matters.
It sounds to me like you would like to be a representative on your local city council, or a town board. Why not run for election? Then you can do everything you mentioned.
In principle, frequent voting might sound nice. But I don't know if it really would be in practice. (I'm not arguing a position here, just thinking out loud.) I'm not really interested in most politics, I don't really feel qualified, or compelled to become qualified, to deal with a lot of the questions that come up. I'm pretty happy to instead vote for a person (or even just a party) to represent me in most cases. I don't want to propose policies.
Lots of people in my town are retired and/or seem to have endless time and energy to devote to meddling in town business. It would be exhausting if I had to keep constant vigilance every few weeks or months to make sure these people can't enact policies, rather than just voting every few years to make sure they don't get into office.
See, that's just it. There's a spectrum of involvement. I may not want to run a campaign, go door to door to collect signatures or spend days in council meetings.
At the same time, I do want to vote directly on issues I have a strong opinion about, I'm willing to put in the effort to find different people to delegate my votes to in domains I'm not competent in. Occasionally I may have an idea I would like people to discuss and vote on. If people like the idea, they may even delegate their votes in that specific domain to me and I would be further motivated and empowered to come up with and champion similar ideas.
I think technology would allow everyone to find their sweet spot of involvement in this spectrum.
An interesting proposal in this area is Google's "Liquid Voting", which implements an idea that I've wanted to see tried for a long time.
Essentially votes can be cast on every subject (for the very interested voters), or delegated to another representative (for the less interested voters).
This could have some interesting side-effects, not all positive; I'd expect volatility and cult of personality to increase. But then that's the trajectory of politics in general recently, so perhaps there's not much more to lose. Benefits would include the ability for voters to actually enact the legislation that they want, but which no legislators will choose to implement (e.g. anti-corruption/insider trading laws).
After Brexit, I'm not sure I and many others would be comfortable allowing "greater citizen involvment" such as directly voting on bills or policies. I am politically against such a motion and am a proponent of greater technocracy; letting experts decide what policy is best rather than the masses who can easily be duped by demagogues or other post-truth elements.
Electronic voting is strictly more expensive than paper voting. All those machines are expensive and you still need the voting places and staff.
If you're willing to do away with the requirement that you can't prove to someone else who you voted for then you can implement mail-in voting. Still paper and you can have an election every day if you want. Some US states use that. Once you go that route a simple HTTPS website run by the government that you authenticate to is all you need for electronic voting with the same guarantees.
What fascinates me in the electronic voting is not the economical benefits of it or computers being involved, but the guarrantees provided by the cryptography. Not the paper itself, but the handritten signatures are driving me crazy.
Of course, the particilar implementation of an electronic voting protocol can be hacked. Also, some cryptographic algorithms are not proven to be completely secure, so there is a chance that someone will learn to break them. We should take those facts into consideration and be aware.
What about paper elections? Aren't they fundamentally broken because of their protocol? I go to the election, sign a ballot paper and drop it into a box. Then some people from the government report me the voting result. Why should I trust it? Because I trust all the people who were involved in collecting the ballots, counting them and so on?
Why should I trust people at all if the cryptography allows me to verify their actions?
You are afraid of voting machines being hacked? No problem, let's use paper. I'm OK with paper certifying my vote as long as my digital signature is printed on it (in hex, QR-code or whatever). Alternatively, the government can publish an open protocol of internet voting so that everyone can use an implementation that he accepts to be secure.
Should be noted that I am not very proficient at cryptography. All I know is based on a couple of books and a university course.
You trust paper voting because voting booths are operated by representatives of the different candidates. When it comes time to count no one will let their opponent steal votes for themselves. And the reason you can't add your digital signature to your vote is that you could then prove to someone you had voted for candidate X and collect your bribe.
People that want to propose complex electronic voting systems need to first understand the requirements of an election and how the paper voting achieves them. There's quite a lot of well thought-out systems thinking in paper voting that people just don't know about.
> And the reason you can't add your digital signature to your vote is that you could then prove to someone you had voted for candidate X and collect your bribe.
I was arguing against treating a blot on a paper as a certification of one's opinion rather than proposing a real electronic voting protocol. Of course, simple digital signature doesn't solve all the problems, it only certifies with known assumptions that I and only I have signed the document.
It doesn't matter what election system we have, so long as people are willing to spread and believe questionable claims of vote rigging. For example, there was a claim doing the rounds that Trump won because the GOP systematically purged black voter registrations in the three key swing states in numbers larger than his victory margin - if paper voting was used, that would just be the more prominent claim instead, or conspiracy theories about the paper votes would. (The mechanics of the supposed purge don't work out, none of the organisations monitoring voter suppression saw it, and no-one's been able to find the hundreds of thousands of suppressed voters that would be required - but that doesn't matter. People don't care, and rebuttals don't get the social media spread that shocking allegations do.)
Paper voting makes this better though. A key feature of the system is that the count is done by representatives of each candidate all counting the paper ballots together and not letting each other cheat. They also all man the voting booths throughout the day verifying that none of them is stuffing the boxes with votes. Anyone can understand and trust this system, whereas a cryptographic construct that <0.01% of the population truly understands is rife for rumors.
Voter suppression and other ways to make less people vote are the same in both kinds of voting.
When the voting lines require 3 hours to vote, single parents with small kids skip voting. Voting booths are expensive and during cutbacks, people have to travel far and have 3 hour lines. This happened in Arizona and other places in primaries this year. Friction equals far less voting. Vote at home electronically on your phone means far more voters.
Far more voters is worth complexity. Security should just something we must engineer and deliver. Maximizing people voting is the real goal, outside of engineering excuses and worries.
A lot of non technical people often ask why we can't vote online. Part of our responsibility as computer scientists is to present them with the options.
This isn't a proposal for online voting, it's for electronic voting in polling places. If you allow online voting you've relaxed your election guarantees (more similar to mail-in votes). If that's what you want a simple HTTPs website run by the government with authentication is all you need.
The value in transparency, auditability, and ease-of-understanding by the electorate can't be so easily dismissed. Compare paper currency and bitcoin. What percentage of the public trust and use cash over bitcoin? What kind of public awareness campaign would need to be launched to convince people to trust blockchain-based elections over paper? People who have studied voting in general and applying cryptographic techniques to voting also have questions about using any type of electronic devices in recording votes. It's by no means a settled question.
Paper based elections are cheaper. You need the same polling places and staff yet paper and ballot boxes are much cheaper than polling machines. Your second sentence is laughable, name a single advantage.
Looking at the "Voting Machine Security Specifications", it's a verified OS image connecting to a VPN over the internet on election day.
This means that you have to trust the:
* VPN
* OS
* Network stack
* Display and input drivers (HW and SW)
* SSD controller
* CPU
* CPU's "Management Engine" or equivalent
* Mainboard chipset
To all be free of exploits and backdoors. You're trusting many, many thousands of people, from hundreds of different companies in several different nations, to not have put backdoors in, despite the fact that backdoors and exploits have been discovered after the fact in essentially all of the listed components.
I don't say this lightly: the authors are dangerous fools. They're fools to think that this is secure enough for an election. And they're dangerous because someone in power might believe them.
You don't even have to trust the software or the hardware. All that is important is votes to be cast as intended and the tally to be correct. End-to-end cryptographically verifiable voting systems achieve that by different means (zero knowledge proofs, etc.) An example is the Pret-a-Voter voting protocol. It uses re-encryption mix nets to provide verifiability (close how Tor works).
You absolutely have to trust the software and the hardware.
Modifications at the hardware/OS level can deliberately misrepresent the voter input from the touch panel, and can then alter what is displayed on the screen to match what the voter expects.
No matter how bulletproof the encryption protocol is, it still needs to be fed a choice via an analog, unencrypted channel because human beings are analog and unencrypted. If you control that channel, it's game over.
And you can't get around that by having a system that enables people to verify their vote at a later time on a second (presumably unhacked) machine, because then you'll also enable the forcing of voters to prove that they've voted the way that they've been coerced to.
You have to trust some hardware, but not necessarily the full stack you listed above.
For example, chipTAN is commonly used in Germany to verify online banking. You have to trust the chip on the banking card and the card reader, but not your computer, network connection, or your smartphone.
A similar device may also work for online voting. The hardware would be simple enough to audit it. Your computer would never learn the vote.
If the chip has its own display and input, and every step of the manufacturing process is carried out under strict supervision by all parties, and every time there's a firmware update the entire software stack is re-audited, then maybe. You raise a good point.
There's the whole business of securely distributing the chips (so they're not swapped out with counterfeits in transit), dealing with theft (and coersion to not report the theft), etc. But yes, if you can get a never-network-connected, brutally simply, completely automated voting device into 230 million hands, then I can't think off the top of my head how to exploit that. I would move on to trying to exploit the tallying system.
At that point, though, is it really cheaper than paper ballots? Perhaps it's worth it to engage more voters, but it still seems like a terrible risk to take - I'm only very grudgingly aware of computer security matters, just because I can't think of a way to exploit it, doesn't mean that one of the 7 billion people out there won't. And it only takes one.
Also I should point out that my original point stands - what you bring up is a million miles from what they proposed in TFA.
You don't have to trust them that much, though. These are all COTS components used in every other computerized system everywhere, so any backdoors the authors want to slip in would have to impact only the voting system, and not raise anyone else's attention.
That's pretty hard. How, for example, are you going to get a CPU bug to do this for you?
I'm not saying it's impossible, but it's sort of like saying that we're fools for using gas-powered engines for the military. Thousands of people design them, so how do we know the designs haven't been sabotaged? You might be right, but you're probably wrong.
To use your metaphor, yes if the military installed a single model of identical, network-connected engine in every vehicle they own, they would absolutely be fools. A single hack could, in a strategically critical moment, disable all motorized assets - every vehicle and generator in the US military shutting down at the same time. That's a disaster.
And you don't have to put in the backdoor just for the election. You can put one in and use it opportunistically. Someone backdoored a huge amount of Juniper VPN hardware, in hopes that it might be useful some day:
These are just two examples that made the news. It's a practical certainty that there's backdoors in all sorts of COTS components that we don't know about yet. At this point there's nothing above suspicion.
For the scheme in TFA to work, they need a unhackable computer. If there is a single exploit or backdoor that happens to be in it, whoever controls it can pick the US congress, the senate, and the POTUS. Not metaphorically, literally. How is taking that degree of risk, when you know that backdoors and exploits are commonplace, not incredibly foolish?
People still look for backdoors of that type, though.
Additionally, if you really made something that specific, that was only ever discovered and used to hack an election, and the only people that could have done it were the chip vendor... how do you think that will play out when it's discovered? Or do you, as the attacker, bank on no one ever discovering this, ever?
If you're an engineer working for one of these places, how much do you have to get paid, or what do you have to be threatened with, to make this work out?
This seems much more like a novel written by Ian Fleming, not le Carre...
First, auditing the hundreds of millions of lines of code that it takes to build an OS and userspace every election and midterm is completely unrealistic. Especially given the degree of code obfuscation that is possible.
Second, at the silicon level there's billions of transistors in a CPU, silicon in general is prohibitively expensive to audit, and you can do malicious things by just putting in nigh-undetectable changes in dopant levels:
Third: you don't need to hide the hack forever. You just need to gain enough power in the election that you can suppress any further investigation.
Given the parade of hacks that make the HN front page every week, at all levels of government and industry, given that the well-funded and incredibly paranoid US military inadvertently deployed backdoored chips, given that existing voting machines have had demonstrable amateur-hour exploits in them:
I'm not sure about this specific approach. As other comments note, this is somewhat complex. That said there may be a few gem ideas.
- Did my vote get counted? (can you prove it)
- Did it get counted correctly? (can you prove it)
- Can a vote be both traceable to the voter and anonymous publicly?
The parallel to blockchain is simple. I get a "vote coin" that I can spend at the election. You can then see who has the most votes. The challenge to overcome in any block-chain approach is how to prevent votes from being bought and sold.
If done correctly you don't have to trust the hardware to trust the election. If done correctly we could vote by phone.
I wish the cryptophiles would study how real world elections work before floating their ideas.
Votebook proposes using a blockchain as a tamper evident (immutable) audit log. Because voters sign-in chronologically, recording votes in order removes the secret ballot. Votebook's proposal is to group up multiple into "blocks" and randomize the order within a block.
Randomizing the order of the votes in an audit log would simulate the secure one-way hash of dropping your paper ballot into a ballot box.
Poll sites are "bursty". During rush hour, lots of voters, so blocks will span small time windows. During midday, blocks will be large.
1 - How large must these blocks be to guard the secret ballot? Using some differential privacy mojo might determine they have to be 100 votes. I'm skeptical. It's problem even today with poll sites and postal ballots. Situations like small precincts or low turnout. In which case, Votebook is adding complexity without any real world benefit.
2 - What happens with the vote data as blocks are being built? So now this system has plaintext data in memory awaiting processing. Oops, power outage. Oops, software bug.
3 - Votebook does not solve the problem of properly, accurately recording the ballot as the voter cast it.
4 - Votebook will be cryto-based, necessitating further outsourcing our elections to vendors.
5 - I would never be able to explain how Votebook works to my mother (Jane average).
Not sure what this solves. I'm a huge proponent of Bitcoin/Blockchain, but how is this a better solution than say, one centralized national database?
Blockchains are useful in situations where centralized trust can't be established or would be less valuable. If you can't trust the government that's running the election process, how would a blockchain solve that?
Too many blockchain proposals just boil down to building a slow, expensive to maintain database.
Trust in the government is not a given. They must earn trust through public support, which is why propaganda and PR are such power government tools used to change what the public supports. With a blockchain, you don't have to trust the government at all, since it is public and very difficult to tamper with. If they do not comply with the outcome in the blockchain, the public outcry will cause severe upheaval. To not comply with less secure voting systems, they can just tamper with it to change the outcome.
You can fix that in other ways. Governments are inherently centralized. If you are voting, well that vote is meaningless without a government to enforce the results.
There are cheaper ways to get transparency than a blockchain I think.
The first clause of Design Considerations, "Although elegant and (thus far) invincible," shows a lack of understanding of currently possible and prior blockchain attacks.
This protocol allows voting any Voter ID multiple times. There is a significant window of time until one of the blocks containing the Voter ID/ballot ID Hash is added to the block chain. During this time, all Voter IDs in the prospective block may be voted multiple times. This can occur by making a copy of a physical voter ID and simply using it twice at relatively the same time - just not on the same terminal. The exploitability chance increases as the number of votes per block increases. The blockchain plus the union of all unsent blocks for all terminals, not a local database, should be checked for who has voted. This is compounded by not checking when the blocks are added to the blockchain.
Another issue with the local database, is that even if it is made to be a site database, many jurisdictions with early voting allow voters to vote anywhere, not just at their assigned voting location.
The selected candidates are not signed properly with a voter's key. There is no assurance that a particular voter actually cast a vote for a specific candidate and not, say, "Mickey Mouse." This is actually one of the purposes of smart cards and similar. Beyond any protocol issues, this is the central purpose of any voting system, to ensure that when votes are cast the voter id is redacted but that that voter id's candidate selection can be validated!
The Central Admin should release the list of the machine's public keys _prior_ to the election not _after_.
There really are a lot of security issues with this security design.
Background: I run a voting precinct in California and have for many years.
Paper ballots are really the best for these reasons:
1) Fits human time frame. a large number of voters make up their mind incrementally. They take the mail ballot and mark the offices/measures that they know for certain on. Come election day they show up at the precinct with almost everything filled out. They then sit down and decide for everything else.
2) Does not require good eyesight. Older voters, younger voters, what ever - a simple magnifier can easily be used. We have them at the polling place.
3) Voter can vote on issues nonsequentially. Voting machines present the issues in the order they are on the ballot - not the order that the voter wants.
4) Speed of voting: if a voter knows how they are going to vote they can fly through a ballot in a couple of minutes. Voting on a voting machine takes a minimum of 6. Add in all the back and forth on the screens and it is frustrating for voters.
5) Ability to handle crushload of voters: If I have a lot of voters ready to vote: I put them anywhere in the room I have a seat, flat surface and a pen. With electronic voting machines I am limited to number of machines.
6) requires no training: everyone knows how to use a pen. Computer program... not so much. And I am not talking about tech sophistication. Anytime anyone uses a new program they have to slow down and make sure they understand what is being asked and what are the choices.
7) clarity of errors and error recovery: if a voter knows if they marked a ballot ( with a pen - not the chad Florida ballots) incorrectly. Error correction is easy.
8) No electricity is needed. Paper ballots always boot up correctly.
-----------
Only reason for electronic voting is for sight impaired voters. And of the sight impaired voters, 100% seem to have solved the problem with mail in ballots OR bringing someone with them to the polling place. (In the 6 years i have run a precinct with upwards of ~2000 voters personally processed by me : about 6 have actually voted electronically)
--------------
If you want to solve the real problem, based on my experience:
1) same day registration/automatic registration
2) easy voting at locations near transit.
3) easy access to mail-in ballots.
4) no electronic voting - much faster to process voters with paper.
5) allow people to vote out of precinct. (don't require people to get home - make it easier for them to vote near where they work)
a real future voting system must work all time, on tons of simultaneous polls, be easily reachable by all world citizen via internet and must use p2p distributed technologies..
I was thinking the same thing. Glad someone is doing this, because the hope is obviously it'll massive increase the efforts anti-democratic individuals or orgs need to invest to determine the outcome of an election; which isn't all that high today.
Do you have any evidence of it being easy to influence the outcome of the election?
As far as I can tell there are a ton more exploits to be had, from less powerful (money, connections, etc.) people in an electronic system than in our current paper system.
Right now the only individuals who have massive influence on an election are the candidates themselves (and maybe some specific people on their team).
The next closest individuals are probably the extremely, extremely wealthy, and there aren't that many of them, and they don't even have as much power as you'd think.
I invented something like this myself that used a checksum based form of ensuring data can't be tampered with. The key point is that anyone can look up how it recorded THEIR vote without anyone else being able to. Uses a hash of social security number for that (plus other personal identifiers). Websites can be written to allow a simple form-based trivially simple gui that allows anyone to look up how their vote was recorded. There needs to be a way for people to post a 'protest' (saying vote was recorded wrong), and if there are statically enough disputes to change the outcome the election must be redone. But regardless blockchain or something using my checksum approach is the only solution. No paper chads or other technology will ever be trustworthy.
Pen & Paper will always be more trustworthy, transparent, and safe than any blockchain-bs.
Part of the reason is that to compromise a paper ballot you need thousands of corrupt volunteers (and if you can find them, you have much bigger problems anyway).
The other part of the argument is that the security isn't enough for a voting system. You need /obvious/ security, and a mathematical proof just isn't obvious enough.
Also: ethereum. And your system probably suffers from allowing people to prove who they voted for.
With all due respect the only way you could claim blockchain is not safer than paper is if you don't understand blockchain. With a large database that is distributed on 1000s of different computers (identical DB), everyone is free to analyze what happen and tampering IS IMPOSSIBLE. Blockchain is the only technology that is indeed hack-proof. Sure it can be incorrectly implemented, making it hackable, but the technology itself IS secure. If it weren't then hackers could just attack BitCoin and program it to say they have more money than they do. If you understand BitCoin then you understand how this is impossible. Learn what a distributed ledger is.
The "system" in blockchain is always a single database file (that changes over time) but that can be downloaded by anyone at any time, and it's history can be analyzed in private and in secret by anyone any time. It has a checksum at any point in time, so you can know for sure your copy has not been tampered with, or even write a web app to allow others to analyze it, and none of the analysis forces anyone to do anything. You are apparently very confused about how this technology works.
I'm very familiar with how blockchains work. But if you can verify your vote then I can tell you to prove to me you voted for the person I told you to.
Someone can also compel me to use my own password to log into my bank account and transfer all my money to them. Every new technology that has ever been invented has always had people like you who can think up highly statistically insignificant scenarios where the technology can be misused.
You think people being compelled to vote for a specific person is an unlikely event? Unions, employers, organised crime, parents, etc have all over the years tried to force people to vote a specific way. If voting is verifiable they can be successful.
Even with blockchain it would still be "secret ballot". Each person would have their own encryption key they use to lookup their own vote. No one could check how I voted unless I allow them to, just like no one can get into my bank account unless I allow them to.
If society decides the risk of these types of behaviors is significant they could pass a law making it illegal to ask someone how they voted. For those who would violate such a law even if it existed, they are by definition criminals, and already have the ability to tell you "Give me your banking passwords, or else". Blockchain itself won't cure all the problems with humans being criminals in this world, but blockchain itself DOES cure the problem of hacker-proofing voting data.
BTW: even if the blockchain data were totally held all within local governments only, it STILL addresses at least the problem of tampering at any level other than where the information is first collected. Even if the blockchain DB doesn't go as fine-grained as per individual it still "hardens the system" considerably from hackers, in a way that paper could never do, because recounts of paper is susceptible to human miscounts (both intentional and unintentional), and blockchain is absolutely not.
Voting is the way it is specifically to combat this problem. Your solution tries to fight against a problem that is basically impossible without systematic widespread corruption by opening it up to localized corruption which is historically common. You're solution doesn't make the situation better it makes it worse.
Anyhow if you can't understand why secret ballots exist after all that explanation I'm never going to be able to explain it in a way you understand so I think we're done here.
Our current voting system IS secret ballot, and IS also ALREADY based on computer DATABASES (not paper). You fail to realize that blockchain is basically just an encryption strategy for databases. It IMPROVES database security. It has absolutely nothing to do with whether votes are kept secret or not. It ONLY has to do with whether it's technically possible to tamper with the data or not.
Bottom line is: paper ballots CAN be tampered with (whether secret or public) but blockchain cannot. Got it now?
- Hack the voting machines to just turn on the "duress" mode for everyone, or do it just in the precincts that tend to vote for my opponent
- Use my great new paper receipt to prove I have voted for candidate A and collect my bribe as if the paper receipt doesn't encode the candidate it's useless. I don't care to verify if my vote was counted if I can't verify that it was counted for my candidate
- Hack the voting machines to record candidates at random ignoring the key presses, turning the election into disarray
- Selectively deny network access at polling places to create longer queues at the sites where my opponent is stronger
I'm sure you can cause a riot or two pretty easily. The fact that paper is dumb and paper elections use extremely simple technology, math and process is a feature not a bug.