Revisiting Silent Coercion

in Cryptopia, 21 hours ago (edited)

Last week I presented a paper at E-Vote ID: “Revisiting Silent Coercion” — This was joint work with a large team, and it took years. While I presented it and all of the authors had significant contributions, Jeremy Clark deserves the most credit for getting this paper published. 🙏

The paper explores “coercion” (vote buying, forcing someone to vote the way you’d like) that is “silent” (voter doesn’t know about it).

Revisiting Silent Coercion intro slide. xx network: David Chaum, Richard Carback, and Mario Yaksetig. Concordia University: Jeremy Clark, Mahdi Nejadjgoli. KU Leuven: Bart Preneel. Wroclaw University of Science and Technology: Filip Zagórski. Zhejiang University: Zeyuan Yin, Bingsheng Zhang. UMBC: Alan Sherman, Chao Liu

I find the term “silent coercion” misleading, but our adversarial model maps directly to this pre-existing definition in the research literature 🤷. Unfortunate!

You should think of this as something very active (e.g., extreme voter coercion), because what we are talking about is roughly equivalent to the adversary being able to lock you up for the entire voting period, walk you to the voting booth, have you vote as they intend, then keep you locked up until the election results are finalized.

While perhaps not realistic, a version of this exists today and has throughout history. Governments regularly lock up activists for causes they do not like and, often, they do this strategically around elections to influence the results.

Suffragist Helena Hill looks out from her cell

In the photo, you see suffragist Helena Hill looking out from her cell when the US government was doing this to suppress the women’s suffrage movement. From the collections of the Library of Congress.

In the context of internet voting, what we mean by “silent coercion” is that a valid voter loses control or access to their voting credentials. This can happen either during or after the registration process.

The adversary can compromise everything after the voter loses their credentials (ballot selection, submission, verification, etc.). Neither industry nor the research community has historically had great approaches to solving this problem, and you can do attacks like this at scale when voting online with malware and other methods.

When we have hacks for internet banking or anything else we do online, there are possibilities to recover. Voting is not like that. You do not get do-overs when running elections.

This problem is why internet voting is a bad idea.

A Coercer can exert significant control by manipulating the standard election procedures.

When you boil this problem down to its essence, basically the system cannot tell who is the voter. At first, it may seem like we can fix this pretty easily. For example, the system can tell the voter if their credential has been used and we can use that to create a recovery mechanism.

That is easier said than done in practice. If a voter detects it before the election ends, we can allow re-votes, but if we do that we also allow adversaries to do impersonation revote attacks without a strict, costly, and time-consuming verification process.

If the voter detects it after, there is less we can do short of opening the election back up for that voter. Remember: voters can be malicious too, especially if they want to cast doubt on a result they do not like!

So we are left in a situation where we have exposed a pretty nasty fundamental limitation of any voting technology where the voter can know they lost credentials and all the power rests with the adversary, BUT...

Who is real? When the coercer can use the same keys as the voter, the system can no longer distinguish between them.

Thinking back to our extreme voter coercion scenario with grandma locked in prison for the entire voting period... She can ALWAYS send a signal!

Not sending a signal is also a signal! We see this in the modern world with warrant canaries!

Admiral Jeremiah Andrew Denton Jr. spelling TORTURE in Morse code with his eyes while he was a prisoner

My favorite example of such signaling happened during the Vietnam War, where they unwittingly filmed Admiral Jeremiah Andrew Denton Jr. spelling TORTURE in Morse code with his eyes while he was a prisoner!

With this signaling insight in mind, we designed an overlay system that can work with other digital voting systems that lets you detect and nullify (sabotage) your own vote when you leak your voting credentials. After the election, we expose only the aggregate number of nullified ballots and the change in the election results so anyone sees how the election may have been manipulated.

A hedgehog
By Gibe, CC BY-SA 3.0

We also allow for you to partially trust a “hedgehog” (something prickly and hard to threaten) to give them a key to nullify a vote “one-way”—meaning the nullification key only allows them to see and nullify when a vote has been cast against your intentions. For example, if you want to vote for “chocolate”, you can give only the “vanilla” nullification key to the hedgehog. If they see a vote from you for vanilla, you trust them to submit the nullification for you.

Considering these features, you might ask whether, instead of nullifying, we can “flip” the votes. This might be useful in situations where the adversary is your husband and wants to be sure you vote their way, so you can do it their way first, then flip it.

You COULD do this, but remember the adversary has all your credentials as well, so they can flip your flip. Mathematically this devolves into a scenario equivalent to nullification and you would no longer get a reliable metric of how much coercion may have been attempted during the election.

One last point is that nullification happens to be resistant to malicious voters as well. If they vote the way they intend, nullifying increases the spread on how badly their candidate lost the election. If they vote for the other candidate THEN nullify, it makes it look like their candidate is the coercer. Also, since there’s a measure and an impact on results, we can make a rule for invalidating the election as well, one with the flexibility and room for interpretation that lawyers like.
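A toy model of the nullification overlay and the one-way hedgehog key described above, added here as an illustration; it is not code from the paper or this post. It assumes plaintext ballots, one ballot per voter and no cryptography, and the names `Ballot`, `NullifyKey`, `hedgehog_watch`, `tally` and the sample ballots are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Ballot:
    voter: str
    choice: str

@dataclass(frozen=True)
class NullifyKey:
    """Stand-in for a one-way key: scoped to one (voter, choice) pair,
    it can only cancel a ballot that matches that exact pair."""
    voter: str
    choice: str

def hedgehog_watch(held_keys, ballots):
    """The hedgehog submits a key only if a matching ballot was cast."""
    cast = {(b.voter, b.choice) for b in ballots}
    return [k for k in held_keys if (k.voter, k.choice) in cast]

def tally(ballots, submitted_keys):
    """Publish aggregates only: raw result, final result, number of
    nullified ballots, and the per-choice change in the result."""
    raw = Counter(b.choice for b in ballots)
    cancel = {(k.voter, k.choice) for k in submitted_keys}
    kept = [b for b in ballots if (b.voter, b.choice) not in cancel]
    kept_counts = Counter(b.choice for b in kept)
    final = {c: kept_counts[c] for c in raw}
    delta = {c: final[c] - raw[c] for c in raw}
    return dict(raw), final, len(ballots) - len(kept), delta

# Constructed sample data. Alice wants chocolate, but a coercer holding
# her credentials cast vanilla in her name.
BALLOTS = [
    Ballot("alice", "vanilla"),   # cast by the coercer
    Ballot("bob", "chocolate"),
    Ballot("carol", "vanilla"),
    Ballot("dave", "chocolate"),
    Ballot("erin", "chocolate"),
]
# Alice and Bob each gave the hedgehog only their "vanilla" key.
HEDGEHOG_KEYS = [NullifyKey("alice", "vanilla"), NullifyKey("bob", "vanilla")]

def demo():
    return tally(BALLOTS, hedgehog_watch(HEDGEHOG_KEYS, BALLOTS))

if __name__ == "__main__":
    print(demo())
```

Bob's key is never submitted because his ballot matches his intent, and a voter who nullifies their own sincere losing vote only widens the margin they lost by.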

There is a lot more discussion about these issues in the paper, which you should read! We wanted election officials to read and understand it so we took a lot of time to make it accessible to non-techies.

Paper: https://carback.us/rick/papers/revisiting-silent-coercion.pdf

My Slides: https://carback.us/rick/slides/revisiting-silent-coercion.pdf

The full proceedings: https://doi.org/10.1007/978-3-032-05036-6