In our current system, we use a system of transferring trust to create confidence in our election. First we assure votes are cast-as-intended, then collected-as-cast, and then finally tallied-as-collected, assuring end-to-end verifiability. A typical voter is only really involved in the cast-as-intended step. After that, they often trust the system to take care of the rest.
With SIV, voters get to check if their vote was tallied-as-intended after the results are published. On one hand, this is a great benefit to security. We can make sure that everything worked correctly from start to finish!
On the other hand, I find this a little concerning because of the timing. If something goes wrong, if votes were not tallied-as-intended, and we don't find out about it until after the results are published, then the results are going to immediately be called into question. This seems like an environment where disinformation could quickly spread and conspiracy theories could flourish.
Ideally, when the results are released, they should feel definite and final to the public. Therefore, I do not think it is ideal to wait until after the results are published to allow voters to verify that their vote was collected-as-intended.
Would it be possible to allow voters to verify their vote has been collected-as-intended prior to the election closing? Voters should not immediately see their vote show up publicly to prevent loss of anonymity due to the timing of its appearance. But, perhaps we could decrypt and publicize batches of votes as they come in. We could then instruct voters to check the public record an hour or two after they vote, once the batch their vote was in has been added to the public record. This would allow more issues to be addressed before the election closes and the results are finalized.
SIV does currently provide a form of verifying collected-as-intended via the vote confirmation email. The issue is that the confirmation email is 1) relatively vulnerable to attack, and 2) is not the primary source. If the contents of the confirmation email and the published list of votes differ, then I would defer to the published list to know what votes got counted, because it is supposed to add up to the results.
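
The batched release proposed in the post above, as an added example (not part of the original post and not SIV's code): votes are held until a batch can be published with at least `min_batch` entries in shuffled order, and the newest `min_batch` votes are always held back so the final batch at close is never smaller than that floor. The `tracking_id` (a per-vote identifier known only to the voter), the class name and the floor value are assumptions made for illustration.

```python
import secrets


class BatchPublisher:
    """Holds collected votes and publishes them only in shuffled batches."""

    def __init__(self, min_batch=5):
        self.min_batch = min_batch   # assumed anonymity-set floor per batch
        self.pending = []            # (tracking_id, choice) in arrival order
        self.public_record = []      # published batches, each a list of rows

    def submit(self, tracking_id, choice):
        # tracking_id is hypothetical: a value only the voter can recognise.
        self.pending.append((tracking_id, choice))

    def _publish(self, rows):
        rows = list(rows)
        # Shuffle with the OS CSPRNG so position in the batch does not
        # reveal arrival order.
        secrets.SystemRandom().shuffle(rows)
        self.public_record.append(rows)
        return rows

    def release(self):
        """Scheduled mid-election release; returns the batch or None."""
        k = self.min_batch
        # Publishing needs k votes for this batch plus k held back, so the
        # batch published at close also reaches the floor.
        if len(self.pending) < 2 * k:
            return None
        cut = len(self.pending) - k
        batch, self.pending = self.pending[:cut], self.pending[cut:]
        return self._publish(batch)

    def close(self):
        """At election close, publish everything still held."""
        batch, self.pending = self.pending, []
        return self._publish(batch) if batch else None

    def is_published(self, tracking_id, choice):
        """Voter-side check: does the public record show my vote as cast?"""
        return any((tracking_id, choice) in b for b in self.public_record)
```

A voter whose `is_published` check fails before close is either in a batch that is still held or has a vote that was not collected as intended, so the instruction to check "an hour or two" later needs to account for slow periods when the floor has not been reached.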