(Recently, we’ve been asking readers to think about Alice and Bob, the famous pair in physics used to demonstrate propositions in a variety of contexts. Just for now, let’s look at how Alice’s vote might be stolen, as opposed to funds from her account being stolen. What would help prevent that? This is Bernard Fickser’s view:)
The role of the voter in the electoral context has no parallel in the financial context. As a result, a significant difference exists in the roles of financial Alice and Bob versus electoral Alice and Bob. In the financial context, Alice, Bob and others like them (Carol, David, Earnest, etc.) are financial agents that consciously move money, or capital, among themselves. In the electoral context, all capital consists of votes and arises from voters casting their ballots for Alice or Bob.
Unlike financial Alice and Bob, who move money around, it’s not for electoral Alice or Bob to move votes around. Rather, their overriding concern should be to make sure that votes for either of them get properly counted.
So, in trying to secure Alice against electoral fraud (and likewise Bob), let’s start by asking what should go right as voters cast their votes. Ideally, all voters should be properly entitled to vote, no voter should vote more than once, all ballots should represent votes by legitimate voters, all ballots should be unambiguous in who they voted for, all tallies (intermediate and final) of votes for candidates should be accurately computed and accurately assigned, and the real-time tallies for any candidate should be, as mathematicians say, “monotonically increasing,” in other words, they should, like a ratchet, keep going up and up. If a vote tally at any point goes down, subtracting votes from a candidate, that will need to be duly noted and will represent a mistake that needs to be fully accounted for.
Given this list of desired features for a fair election, let’s now turn the question around and ask what could go wrong to prevent a fair election. In answering this question, let’s be clear about the different actors in play.
There are Alice and Bob, who by the time that ballots are cast will be largely finished with campaigning and should have little more to do than sit back and await the outcome. There are the voters, who now need to decide the election with their ballots. There’s the election commission, which is supposed to make sure that the will of the voters is accurately represented by duly securing the ballots cast and correctly assigning vote tallies to Alice and Bob. There are the poll watchers and other independent parties interested in monitoring the election and ensuring a fair outcome. And then there are the bad actors, who need not be mutually exclusive from any of the above, though they may also include additional players (e.g., foreign governments).
What are the different types of bad actors who commit election fraud? Bad actors can include individuals who are not entitled to vote but who nonetheless cast ballots that get counted for Alice or Bob. They include voters who are entitled to vote, but who vote more than once for Alice or Bob (perhaps by being registered to vote in more than one state and by voting in different states if the election between Alice and Bob is a national election). They include more ambitious criminal enterprises that somehow manufacture votes en masse and get them credited to their preferred candidate. And they include an election commission that is lax, whether on purpose or by incompetence, or simply corrupt, whether enabling other bad actors to fraudulently influence the election results, or even actively engaging in the fraud itself. A fraudulent election commission is a classic case of Quis custodiet custodes? or Who’s minding the minders?
Given these different ways that election fraud can arise, what security precautions should be in place to prevent or at least limit it? Here are some recommendations. They provide a springboard to the Cryptosecure Election Protocol to be outlined in the next instalment:
Maintaining a clean ledger of registered voters. There needs to be perfect clarity about who may legitimately vote and who may not. The ledger of registered voters needs to be fully specified and publicly available. It must be regularly purged of people who have died or otherwise lost their qualification to vote. The ledger must also purge any duplicated references to the same person. Finally, it needs to disambiguate different individuals with the same name.
Qualifying to get on the ledger of registered voters. Only people legitimately entitled to vote should be able to register to vote and thus get their names to appear on the ledger of registered voters. There’s a need for balance here so that the requirements to register are not so arduous as to discourage voters (voter suppression) but also not so lax as to allow unqualified people to register.
Noting who voted. When someone casts a vote for Alice or Bob, that fact should be immediately noted next to that person’s name on the ledger of registered voters. It needs to be clear who voted and who didn’t.
Verifying who voted. At the same time that someone casts a vote for Alice or Bob and that vote is noted on the ledger of registered voters, it also needs to be verified that the person who voted is indeed the person on the ledger whose name is being checked off as having voted. The verification procedure for verifying that the person voting corresponds to the person said to be voting needs to be highly reliable but also not so arduous as to discourage voters.
Nevertheless, if someone shows up to vote, claims it is for the first time, but is refused the opportunity to vote because the ledger of registered voters shows that the person did already vote, there has to be a way for this voter to challenge the existing vote that was cast in his or her name. If the challenge fails, it needs to be because the voter making the challenge already voted or is not in fact the voter that he or she claims to be. If, on the other hand, the challenge is legitimate because the actual voter was impersonated, it should be possible to invalidate the earlier fraudulent vote and validate the vote by the actual voter.
When someone votes and the vote is noted on the ledger of registered voters, what happens to the ballot casting the vote? Ultimately, the ballot belongs to the voter. So data integrity methods should prevent the ballot from being changed or tampered with once it leaves the hands of the voter and is delivered to the election commission for counting. In particular, all those ballots should be preserved. It should be clear if any ballots have been lost, and, if so, how many. The ballots should include date and time stamps, as well as crypto-secured identifying information from voters, who with this information should be able privately to identify whether their ballot was indeed lost or tampered with. Moreover, it should be clear for any ballot which vote it corresponds to on Alice’s or Bob’s ledger of vote tallies. Finally, for any vote recorded on Alice’s or Bob’s ledger, it needs to be clear whether it corresponds to a preserved ballot or a lost ballot. The desired items described under this bullet point may seem unrealistic, but they are in fact workable.
Enforcing transparency of the electoral process. Poll watchers and independent parties, whoever they are and without restriction, should be able to scrutinize any aspect of the electoral process, subject to the one condition that voters must be able to vote for Alice or Bob without divulging their identity. Everything else in the electoral process should be open to scrutiny. It must be possible to track vote totals on Alice’s and Bob’s ledger in real time, and there must be a clear chain of justification any time votes are added to, removed from, or transferred among these ledgers. The ledger of registered voters, especially as “check marks” are put next to names of people said to have voted, must also be open to inspection in real time. And most importantly, the ledger of ballots needs to be open to scrutiny, with any tampering of or losses to ballots being instantly chronicled.
With all six of these bullet-point recommendations for ensuring a fair election between Alice and Bob, data integrity methods need to be used throughout. Elections happen in time and over time, so there is always a history. All four of the election ledgers (of Alice, of Bob, of registered voters, and of ballots) are built over time. Every addition, subtraction, and edit to these ledgers happens in real time and needs to be noted. Data integrity methods make sure that anything recorded on any of these ledgers at one point in time is faithfully preserved at a later time.
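An added illustration (not from Fickser's article or any real election system) of the data-integrity idea above: a hash-chained tally ledger whose audit flags in-place edits, unexplained tally decreases, and a history rewritten from scratch. The record fields, function names and sample tallies are assumptions constructed for this example.

```python
import hashlib
import json

GENESIS = "0" * 64

def entry_hash(prev_hash, record):
    # Canonical JSON so the same record always produces the same digest.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(ledger, record):
    """Append a tally update, chaining it to the previous entry's hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return ledger[-1]["hash"]  # head hash an observer can write down

def audit(ledger, checkpoint=None):
    """Return findings (empty list = intact). checkpoint is an (index, hash)
    pair an independent observer copied earlier; it exposes a full rewrite."""
    findings, prev, tallies = [], GENESIS, {}
    for i, entry in enumerate(ledger):
        rec = entry["record"]
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, rec):
            findings.append(f"entry {i}: hash chain broken")
        last = tallies.get(rec["candidate"], 0)
        if rec["tally"] < last and not rec.get("justification"):
            findings.append(f"entry {i}: {rec['candidate']} fell {last}->{rec['tally']} unexplained")
        tallies[rec["candidate"]] = rec["tally"]
        prev = entry["hash"]
    if checkpoint is not None:
        idx, seen = checkpoint
        if idx >= len(ledger) or ledger[idx]["hash"] != seen:
            findings.append(f"entry {idx}: does not match observer checkpoint")
    return findings

# Constructed sample data: running tallies as they would be published.
SAMPLE = [
    {"ts": "T+00:10", "candidate": "Alice", "tally": 120},
    {"ts": "T+00:10", "candidate": "Bob", "tally": 95},
    {"ts": "T+00:20", "candidate": "Alice", "tally": 260},
    {"ts": "T+00:20", "candidate": "Bob", "tally": 210},
]

def build(records):
    ledger = []
    for rec in records:
        append(ledger, dict(rec))  # copy so edits to a ledger leave SAMPLE alone
    return ledger
```

A chain that is recomputed end to end passes the internal checks, which is why the audit also accepts a head hash copied earlier by an independent observer.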