Scratch-off tricks that work and do not work

A security hole in the Rivest 3ballot and related ideas for low-tech secure voting is that voter could remember all three ballot numbers on the 3ballot that she cast. Then, quickly, before those ballots could get posted on the bulletin board, she could run to the vote-buyer and tell him the ballot numbers and the vote-information she wrote on those ballots. The vote-buyer would then wait until that stuff appeared on the bulletin board and be so impressed by the voter's ability to predict the future, that he would pay her for her vote.

This could be discouraged by making the ballot numbers be long, hard to remember, and really not a "number" but rather a "barcode." However, these discouragement techniques are merely discouragement techniques and not a full cure. And indeed if the voter had a camera she could photograph her 3ballot and then show the vote-buyer the photos, in which case the limited memory capacity of human beings would be irrelevant.

A genuine cure is the following idea. Have the ballot numbers on all the 3ballots (including the copy) be initially covered by that opaque lotto-scratch-off stuff. 3ballots are only accepted by the checking machine if the opaque stuff is still there (i.e. not scratched off). The voter later scratches off the stuff on her take-home-copy, reveling its ballot number. And the government scratches off the stuff on all their three copies before posting on the bulletin board.

To do this you would need something like this:

Ballot #1
Copy #1
(i.e. each ballot is joined by perfs to its copy-in-waiting) and the checking machine checks that your 3 ballots are correctly and consistently filled out, your selected copy is also, the opaque stuff is not scratched off, and your two unselected copies (or at least just the part of them that contains their ballot numbers) are visibly destroyed.

What sounds like a flaw in that idea is that the printer of the ballots could have been cheating. How does the voter know that her copy's number agrees with the original's number, if she did not see them both at the same time? Well, this does not matter in the sense that the voter would still be able (in the event of such a cheat) to prove that cheating happened by saying "Hey! I do not see my official-copy on the bulletin board!"

However, it does matter in the lesser sense that at that point, we could not identify who the cheater was – was it the talliers or was it the printer? Each could blame the other to try to escape punishment. And that is a slight flaw, in the sense that it would be better if we knew who was the culprit.

I do not actually consider that a very serious flaw in the sense that if the cheater were the printer, then (if it cheated to a large enough degree to make an impact, e.g. messing up 1% of the ballots) then with the plentitude of unused ballots left over after the election (it being necessary to order overstocks since it is not known how many voters will come) the courts could then examine them, scratch off the stuff, and reveal the numerous cheats by the printer to prove it was the printer. If this failed to produce such a proof, that would essentially be a proof that the cheater really was not the printer. To make this work, though, it would be essential that the ballots get consumed in fairly random order, or that random holdout samples are extracted by the government from each ballot box. Otherwise the printer could only fake the first box of ballots (which they were confident would be 100% used up by voters).

Return to main page