How Can Ballots Be Both Secret and Fair?
The secrecy of ballots would not be compromised if voters used some markers of their identity known only to themselves
In these times, that’s an important question. Last time, we asked readers to think about Alice and Bob, the famous pair in physics (used to demonstrate propositions) as if they were running for office. Bernard Fickser continues to think about that question at Expensivity:
To the question “How did you vote?” a friend of mine used to quip “By secret ballot.” My friend’s quip underscores the fundamental difference between the financial and the electoral context. Money in a financial ledger always has an explicit provenance. There’s a source for the money and a tracking history of how it ended up in, say, the ledger of financial Alice. This is not to say that Alice’s ledger is an open book for everyone to see. But those who need to know how money got moved in and off the ledger, from bank managers to tax authorities, will have the necessary access.
By contrast, ballots cast in an electoral context need to be received from registered voters, but then must be rendered anonymous so that no one can determine who cast which ballots (actually, as we’ll see later, this assumption allows an exception: voters themselves will be able to track their own ballots). Thus, when a ballot assigns a vote to either Alice or Bob, it must conceal the identity of the person who filled out the ballot as well as provide a record that this person actually did vote. This bifurcation of identifying the voter as having cast a legitimate ballot but then separating out the voter’s vote is necessary for free and fair elections. Without it, voter suppression and intimidation become much easier. But with it, electoral security becomes more difficult, though not impossible, as we’ll see.
It is instructive to see what an election looks like in which voter identity is linked to rather than separated from the votes cast. We see these types of votes in the U.S. Congress or Senate, in which members vote for or against some proposition and their votes are explicitly tied to their names (thereby allowing us to hold our elected representatives responsible for the votes they cast). Suppose similarly, in the election between Alice and Bob, voters did not need to conceal their identities in how they cast their votes. In that case, the ledgers for Alice and Bob would contain not just the votes they received but for each vote also the name of the person casting the vote. All voters would therefore be publicly identified with the votes they cast.
This suggests that in the electoral context with secret ballots, there’s still another ledger that needs to be kept track of besides the ledger recording votes for Alice and the ledger recording votes for Bob. That third ledger is the ledger of registered voters, and it must be continually updated to keep track of who has already voted and who hasn’t. Moreover, it’s also necessary to ensure that ballots of those who voted and were authorized to vote get properly credited to Alice or Bob.
But since those ballots are secret, it is not permissible to list them next to their corresponding voters on the ledger of registered voters. So where do the ballots end up? They can’t just be thrown away or deleted because then there’s no way to confirm that the votes voters cast were properly assigned. Even in the absence of bad actors committing election fraud, the possibility of mistakenly mapping the votes of voters to the wrong candidate (i.e., the candidate not voted for) requires safeguards, and that means keeping the ballots, whatever form they take.
Things are simpler on the finance side. With financial ledgers at banks (leaving aside physical currency, which is playing less and less of a role these days), deposits and disbursements are just authorized changes in numbers on the bank’s ledgers. It’s all digital these days, and it amounts to just adding a number to a row and column of a spreadsheet (or, more precisely, to a suitable location in a database), a positive number for a deposit, a negative number for a disbursement. It’s a bit more complicated in that the authorization of those changes needs to be tracked and confirmed. But it isn’t much more complicated than this.
Because the ballots are secret, however, elections require not just a third but also a fourth ledger, namely, a ledger of ballots. At first blush, it might seem that such a ledger would be unnecessary. After all, aren’t the different ways of filling out ballots extremely limited? Valid ballots will either mark Alice’s name but not Bob’s, or Bob’s name but not Alice’s. Invalid ballots would mark both Alice and Bob’s names or neither. It would seem that there are just four possible groupings of ballots, and that within each grouping, the ballots are indistinguishable.
But things are not so simple. The ballots come in at particular places and times. That needs to be noted, if only to ensure that ballots filled out by registered voters at certain times and places are properly tracked and free of irregularities. Moreover, even though a ballot, by being secret, will lack information to identify the voter to anyone but the voter, yet it could contain further information, such as time- and place-stamps as well as possibly information recognizable only to the voter.
The secrecy of ballots would not be compromised with voters using in their ballots some markers of their identity, known only to themselves. After all, if you cast a ballot, it is your ballot. If the ballot is cast by someone else in your name, it is still your ballot, and you deserve to challenge it and get it changed. And if a mistake was made in who your ballot voted for (e.g., you know you voted for Alice but you see that the ballot that’s supposedly yours is sending your vote to Bob), you should likewise be in a position to challenge it and get it changed. Such markers could empower voters to make such challenges and changes.
Finally, besides such informational markers included by voters in their individual ballots, the ledger of ballots, much as the other ledgers, could employ digital technologies such as error-correcting codes and other data integrity methods (including full-fledged blockchains). As we’ll see, data integrity of the ballots, especially with hidden markers that allow voters to verify their individual ballots, contributes effective safeguards against election fraud. Indeed, with a sufficiently robust ballot ledger, an entire election could be reconstructed.
As will become evident in this article, the ballot and registered voter ledgers are where the most important action lies in securing elections from mistakes and fraud. Unlike the financial context, an electoral context with secret ballots has four essential ledgers rather than two (additionally, the ledger of registered voters and the ledger of ballots). That’s a significant difference, and it has deep ramifications for election security, requiring security measures unlike those required for financial security.
One final note about these four electoral ledgers (i.e., Alice’s voting ledger, Bob’s voting ledger, the ledger of registered voters, and the ledger of ballots): unlike financial ledgers, which are behind a “need-to-know wall,” these four electoral ledgers are all intended to be open books. In other words, the public, which is voting for candidates Alice and Bob, should have access to all four of these ledgers, being able to track the precise changes to them in real time. This is not to say that there can’t be encrypted information in the ballot and registered voter ledgers, but information in these ledgers, whether encrypted or unencrypted, must be made explicit and fully available, even if it can’t be readily interpreted (for the moment) because of cryptographic safeguards.
TERMINOLOGY: The word “ledger” is, properly speaking, an accounting term. So my use of the word “ledger” both above and below is a bit loose. What I’m calling the ledger of registered voters and ledger of ballots would, in an accounting context, be called a “journal” of registered voters and of ballots. The distinction between ledgers and journals in accounting is this: journals are books of original or raw entry in which data is first entered, ledgers then distill and process that information from the journals. The ledgers of Alice and Bob, in the electoral context, would thus be closer to financial ledgers, extracting votes from the other ledgers (journals) and crediting them appropriately to Alice or Bob. At the end of the day, however, all these ledgers are databases with entries and groupings of entries timestamped and protected by data integrity methods.
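A minimal sketch of the ledger of registered voters and the ledger of ballots described in the excerpt, added here as an illustration and not taken from Fickser's article. The hash-committed voter marker, the SHA-256 hash chain standing in for "data integrity methods," and all names (`Election`, `marker_for`, `cast`, `my_ballot`) are assumptions of this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash that precedes the first ballot entry

def marker_for(secret):
    """Public marker = SHA-256 of a secret only the voter keeps (assumed scheme)."""
    return hashlib.sha256(secret.encode()).hexdigest()

def _digest(entry, prev_hash):
    body = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

class Election:
    def __init__(self, registered):
        self.roll = {v: False for v in registered}  # ledger of registered voters
        self.ballots = []                           # ledger of ballots, no voter names

    def cast(self, voter, choice, secret, when, place):
        if self.roll.get(voter) is not False:
            raise ValueError("not registered, or already voted")
        self.roll[voter] = True  # records THAT the voter voted, never how
        entry = {"choice": choice, "marker": marker_for(secret),
                 "when": when, "place": place}
        prev = self.ballots[-1]["hash"] if self.ballots else GENESIS
        self.ballots.append({**entry, "hash": _digest(entry, prev)})

    def chain_ok(self):
        """Recompute every link; any edited ballot breaks the chain."""
        prev = GENESIS
        for b in self.ballots:
            entry = {k: v for k, v in b.items() if k != "hash"}
            if _digest(entry, prev) != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def tally(self):
        """Rebuild Alice's and Bob's ledgers from the ballot ledger alone."""
        counts = {"Alice": 0, "Bob": 0, "invalid": 0}
        for b in self.ballots:
            counts[b["choice"] if b["choice"] in ("Alice", "Bob") else "invalid"] += 1
        return counts

    def my_ballot(self, secret):
        """A voter locates their own ballot by recomputing the marker."""
        wanted = marker_for(secret)
        return next((b for b in self.ballots if b["marker"] == wanted), None)
```

This sketch does not keep roll updates and ballot entries unlinkable by timing or order, and a voter who reveals the secret can show others how they voted.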
You may also enjoy our earlier story in this series:
How can we prevent financial or election fraud? Both contexts come down to an accounting problem, keeping track of money or votes over time. Let’s take two people, the famous Alice and Bob, used to demonstrate many propositions in math and science and think of them as candidates running for office.