March 20, 2018

Voting, Secrecy, and Phonecams

Yesterday I wrote about the recent erosion of the secret ballot. One cause is the change in voting technology, especially voting by mail. But even if we don’t change our voting technology at all, changes in other technologies are still eroding the secret ballot.

Phonecams are a good example. You probably carry into the voting booth a silent camera, built into a mobile phone, that can transmit photos around the world within seconds. Many phones can shoot movies, making it even easier to document your vote. Here is an example shot in 2004.

Could such a video be faked? Probably. But if your employer or union boss threatens your job unless you deliver a video of yourself voting “correctly”, will you bet your job that your fake video won’t be detected? I doubt it.

This kind of video recording subverts the purpose of the voting booth. The booth is designed to ensure the secret ballot by protecting voters from being observed while voting. Now a voter can exploit the privacy of the voting booth to create evidence of his vote. It’s not an exact reversal – at least the phonecam attack requires the voter’s participation – but it’s close.

One oft-suggested approach to fighting this problem is to have a way to revise your vote later, or to vote more than once with only one of the votes being real. This approach sounds promising at first, but it seems to cause other problems.

For example, imagine that you can get as many absentee ballots as you want, but only one of them counts and the others will be ignored. Now if somebody sees you complete and mail in a ballot, they can’t tell whether they saw your real vote. But if this is going to work, there must be no way to tell, just by looking at a ballot, whether it is real. The Board of Elections can’t send you an official letter saying which ballot is the real one – if they did, you could show that letter to a third party. (They could send you multiple letters, but that wouldn’t help – how could you tell which letter was the real one?) They can notify you orally, in person, but that makes it harder to get a ballot and lets the clerk at the Board of Elections quietly disenfranchise you by lying about which ballot is real.

(I’m not saying this problem is impossible to solve, only that (a) it’s harder than you might expect, and (b) I don’t know a solution.)

Approaches where you can cancel or revise your vote later have similar problems. There can’t be a “this is my final answer” button, because you could record yourself pushing it. But if there is no way to rule out later revisions to your vote, then you have to worry about somebody else coming along later and changing your vote.

Perhaps the hardest problem in voting system design is how to reconcile the secret ballot with accuracy. Methods that protect secrecy tend to undermine accuracy, and vice versa. Clever design is needed to get enough secrecy and enough accuracy at the same time. Technology seems to be making this tradeoff even nastier.


  1. Easy: place a metal detector/xray at the entrance to the voting booth and require voters to leave their metal objects, such as cell phones, outside.

    Of course this will increase the price of voting technology.

  2. Piece of cake. The voter:

    1. Goes into a private booth
    2. Fills out a paper ballot by hand (or uses a touch-screen computer that prints out a paper ballot)
    3. Slips paper inside envelope and seals it
    4. Leaves the booth (If they were using a camera at this point, elections officials would notice)
    5. Drops envelope into a box

    If they were recording, they would have to turn off the camera before Step 4. But once the camera was off, they could tear up their ballot and start all over.

  3. As I mentioned before, our old-fashioned switch-and-lever machines are partially immune to vote-filming, because the lever that commits the vote also opens the curtain.

    To film the actual commitment, you must be holding a camera when the curtain opens. If this is illegal (it seems to be, in some states) then this could be a deterrent.

    Of course, this requires reasonable vigilance on the part of election workers, the ability to spot the camera, and the voter’s knowledge that it is illegal, if it is illegal.

    I think this is a better type of solution than arranging some cryptographic ballot cancellation scheme—especially because cryptographers already have a laundry list of goals to meet and still have a usable system. To prevent filming, we should design balloting so that the voter enjoys complete privacy up until commitment, but the vote commitment step is too visible to covertly film.

  4. Mike’s suggestion above is exactly what I meant in my comment to your last post. This solves the problem of secrecy in the booth on voting day. All that’s needed is to:
    a) provide possibly more than one ballot and envelope
    b) make filming in the voting place illegal and liable to a fine or something else.
    c) enforce b) outside the voting booth
    d) check the identity of the voter twice instead of once, i.e. once at arrival to make sure that the person is allowed to vote and another time when the voter drops the ballot in the box so nobody gets back in line and deposits some of the extra ballots he brought.

    This only solves the problem of small portable video cameras, but not the problem of mail-in votes or e-voting.

  5. The voter has a right to do stupid things with a camera phone, just as he has the right to tell anyone who he voted for.

    There’s a better solution.

    On an electronic ballot, you have three screens.
    1. Check boxes for the categories
    2. A confirmation page. You voted for x y and z. Confirm or back.
    3. Thank you for voting (no statement of what you voted for)

    This way if you make an error, it’s easy to go back and correct it. And if you need to take pictures, they’re easy to fake. You vote “right” the first time, back up and then vote your way.

    This doesn’t solve the video problem, of course.

  6. I agree this is hard, but there are solutions. One idea for multiple ballots, one of which is real, is to come up with a set of ordinary words, one of which you are highly likely to remember is the “true” word. You go to an election office and ask for a real or fake ballot. Real ballots have a removable “real” sticker on them. You remove the sticker in the presence of the worker, and mark the ballot with a colour marker. You put a different colour on other fake ballots. People only getting one real ballot get a random colour on it so reals and fakes can’t be told apart.

    Of course there still has to be a way the counters can spot real from fake, which would involve a cryptographic secret which must be kept secret both before and after.

    Then mail in the real ballot and also mail in fakes, as needed to trick vote buyers.

    I think this can be done. Fortunately it does not have to be all that common. Only people who are being asked to sell their votes, and who don’t want to report it to the police but want to trick the vote buyer need to engage in such activity. And more to the point, all that’s really required is that vote buyers know that vote sellers can undetectably trick them.

    Which brings up another point however. Asking for fake ballots is sort of akin to saying, “I’m involved in a vote-buying conspiracy, but I’m trying to trick the buyer.” I think even that’s illegal, and not reporting it is illegal.

  7. Four responses:
    1. Sealing the ballot in an envelope, and then depositing it in public view, seems like an excellent deterrent.
    2. People could be frisked and relieved of any cameras or other gadgets during voting, collecting their things again on the way out. “Check your coat; turn out your pockets; OK, we’ll keep these safe for you.”
    3. Asking for fake ballots would not be akin to saying you were in a vote-buying conspiracy. It could instead indicate you were being subjected to coercion, and reporting it might be a bad idea.
    4. If it really comes down to it, you should probably just give your boss the finger and a “Well, then, I quit!” if he insists you prove your vote to him anyway. Who wants to work for a sack of s#!+ like that anyway? 🙂

  8. V,

    The problem is that a camera phone can make a video clip of the vote, not just still images. So you could take video of the whole process from selection to confirmation.

    The way around this is to engineer the final commitment step so that it can’t be covertly filmed at all.

  9. Ned Ulbricht says:

    History teaches us to beware vote-extortion, as well as less direct forms of voter intimidation, coercion and pressure.

    Although we might often use vote-selling as a euphemism for vote-extortion—because the attacks and defenses are similar in many ways—there are some differences. Vote-selling, while offensive, is not the capital offense.

    The distinction between weak and strong secrecy lends a gloss of black-and-white to a continuum filled with grey. A medium level of secrecy might be one that allows a coerced voter to claim that the disclosure procedure was too complicated to execute, or to plausibly deny that they intended to get caught.

    Finally, we must also remember the history of violence which has kept voters away from the polls altogether: We might overspend on protecting a free choice at the polls, while remaining wilfully blind to an armed blockade surrounding the polling place.

  10. What about an encryption scheme? Enter a password and the machine prints out an encrypted key for the candidate you voted for. Without decrypting the return code there’s no way anyone could tell who you voted for.

    And you could also use the key to verify that your vote got counted correctly. Log on to an electoral website, enter your name and password and the key would get displayed.

  11. Using a fake ballot seems to be participating in the vote buying conspiracy. You’re trying to trick the buyer/extorter, but you are participating when your legal duty, like it or not, is to report them. We could change the law in this case if we had a good fake ballot scheme, but at present it is my belief that it would be illegal to know of vote buying/extorting and sit silently by.

    Polling station systems that allow a do-over do not require knowledge of a vote buying system. They are more secure too, except from the video camera. And alas, the lever that votes and opens the curtain is not enough protection, since even if you put the camera away, the audio recording (or video from on belt or in handbag) is sufficient to assure you didn’t fake pulling the lever and re-set things.

    Of course even fake ballots don’t defend against vote stealing, as is done when somebody takes 100 mail in ballots from patients at a nursing home. We are not ready to officially remove the franchise from the mentally infirm, though in truth we probably should.

    Vote at home has many big positives — the polling station system in the US with its long lines, elections on workdays with no mandatory time off, etc. causes many people not to vote. But it does destroy the strong secret ballot.

  12. Anthony Scian says:

    Is it possible to design an electronic screen that is visible to human eyes but shows up as random pixels to a large subset of phonecams/digital cameras/video cameras? It would seem that those 1990’s era 3D images would be one (albeit poor 🙂) example, i.e., something that exploits a quirk in the brain’s visualization that is invisible to recording.

  13. Could such a video be faked? Probably. But if your employer or union boss threatens your job unless you deliver a video of yourself voting “correctly”, will you bet your job that your fake video won’t be detected? I doubt it.

    The same technology provides a mechanism to catch your employer or union boss making threats and publish some nice video evidence that nails them to the wall for illegally attempting to pervert the outcome of an election.

  14. Jim Lebeau says:
  15. Ned Ulbricht says:


    That’s some perspective.

    Mr. Adams proposes that we should surrender the deciding factor in every close race to a small, select cabal of unelected, unaccountable, corrupt king-makers.

    There is, of course, historical precedent for that. It’s a profitable racket.

    There is also some historical precedent which suggests that, in the long run, it’s wise to provide those unelected, unaccountable, corrupt king-makers a fair, public trial by jury. And, upon conviction beyond reasonable doubt, subject them to full penalty of law.

    I’m afraid there are some other, darker —bloodier— historical precedents, as well.

    As a cartoonist, Mr Adams should perhaps be forgiven his natural shallowness. Tho’ I do fear he’s much too gauche to attain the world-class style of a Marie Antoinette.

  16. “Vote at home has many big positives — the polling station system in the US with its long lines, elections on workdays with no mandatory time off, etc. causes many people not to vote.”

    There are other ways to fix that, such as by holding polls on Saturdays or even Sundays and increasing the capacity. With the obscene amounts of money that swirl around elections in the US, surely *some* can be diverted to improving the polling experience? Alternatively, election days can be made local holidays. While you’re at it, why not throw in various celebratory and civic activities? Elections then become significant cultural events, surrounded by a “hooray for democracy” attitude and things to remind people why the system exists and what everyone stands to lose if something goes wrong with it or people just don’t get out the vote. You might increase turnout and boost civic spirit and awareness to boot. (Some emergency workers would have to work, as well as the actual poll workers and the media. Such workers would have to get the morning or afternoon off, during which they could vote, so they’d work in two shifts. This also applies to customs agents and the military, wherever they’re guarding a border or watching a radar screen; it wouldn’t do for election day to become invasion day because it’s easy to catch the US with its pants down that day.)

    Of course, certain powers would never permit something like the above; too much danger of significant numbers of people starting to take all that democracy, free speech, and voting stuff seriously instead of remaining jaded, cynical, and semi-apathetic. 😛

    Canada’s elections seem to be somewhere in between — voting is quiet and without fanfare or civic celebrations, but it is also not crowded or slow due to insufficient poll stations/workers. And it’s hand-marked ballots, without any of this Diebold crap. The concession to the disabled seems to be to put polling places physically in or near every retirement home and hospital they can find, and then plug in any geographic gaps. 🙂

  17. One of the technologies I’m looking forward to is always-on, wearable video/audio recording systems. You will have a complete record of every moment of your life, indexed and searchable. Forgetfulness will be a thing of the past. Disputes over who said what and when can be settled amicably. You’ll be able to replay and review key moments of your life at will. It will be a revolutionary technology and there is a lot of work going on in this area – one of the pioneers is Gordon Bell. Here’s a short article on the concept:

  18. An idea on solving the vote-by-mail secrecy problem: in the states I’ve voted by mail, the voter already has to sign and date the outer envelope. What if we add a third field, a ‘sequence number’, and the only vote which counts for person X is the one with the highest sequence number? The convention would be that you choose a random sequence number.

    If someone forces you to vote, you fill in a random number; you then vote again, using a higher number. If they don’t let you choose your number but you do know which one they use, you’re still fine. If they choose one, then you have to make some guess as to how big a number they’d use, and choose a bigger one.

    This would also let you change your mind after voting but before the final deadline.

    It’s not perfect — if someone else fills out your ballot, you don’t know for sure you can override; if someone knows how you already voted and can force you to vote again without any time available afterwards to fix it, you’re out of luck. Given that, it may not be worth the complexity.
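
The highest-sequence-number rule from the comment above, modelled as an added example (not part of the original post or its comments). `Envelope`, `effective_ballots` and `tally` are hypothetical names, the sample envelopes are constructed, and treating a tie at the highest number as unresolved is an assumption the comment does not address.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Envelope:
    voter: str   # identity taken from the signature on the outer envelope
    seq: int     # voter-chosen sequence number (the proposed third field)
    choice: str  # the ballot sealed inside

def effective_ballots(envelopes):
    """Map each voter to the choice that counts under 'highest seq wins'.

    Arrival order is ignored, so an observer who sees one envelope mailed
    cannot tell whether a higher-numbered one exists. A tie at the highest
    number with conflicting choices yields None (assumed handling).
    """
    best = {}  # voter -> (highest seq seen, set of choices at that seq)
    for e in envelopes:
        cur = best.get(e.voter)
        if cur is None or e.seq > cur[0]:
            best[e.voter] = (e.seq, {e.choice})
        elif e.seq == cur[0]:
            cur[1].add(e.choice)
    return {v: (next(iter(c)) if len(c) == 1 else None)
            for v, (_, c) in best.items()}

def tally(envelopes):
    """Count only resolved, effective ballots."""
    resolved = effective_ballots(envelopes).values()
    return Counter(c for c in resolved if c is not None)

# Constructed sample envelopes, one scenario per voter.
SAMPLE = [
    # alice saw the number used under pressure and later mailed a higher one
    Envelope("alice", 4127, "X"), Envelope("alice", 9001, "Y"),
    # bob had to guess; the number written for him was larger than his guess
    Envelope("bob", 70000, "X"), Envelope("bob", 5000, "Y"),
    # carol mailed a single ballot with a random number
    Envelope("carol", 318, "Y"),
    # dave's two envelopes collide on the same number
    Envelope("dave", 77, "X"), Envelope("dave", 77, "Y"),
]

if __name__ == "__main__":
    print(effective_ballots(SAMPLE))
    print(tally(SAMPLE))
```

The `bob` row is the failure case the comment describes: the override only works if the voter's later number exceeds one he may never have seen.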

  19. The system Mike describes is more or less how it works here in Norway.

    We also have early voting, but it’s not in the way of mail-in ballots (at least not directly). Instead, for the weeks leading up to the election, each city has a (or several) voting place set up. You vote as you want secretly as on election day, but instead of putting your ballot in a box, it’s put into an envelope as for mail-in ballots.

    This used to be done at the post office, but since they have been privatized and downsized, it was shifted over to libraries.

    In my experience, it works well (as does the regular paper-based election, despite some overly complicated algorithms to decide who wins seats in parliament).