Hard to tell whether *other* voters are verifying

[dsernst]

This is a common complaint people bring up:

Well sure I can check my vote, but what about everyone else?

Some mitigations:

• Rigorous independent post-election RLAs https://docs.siv.org/verifiability/rla
• Integrated way to track how many voters verify their vote
• Large $ reward (cryptographically-enforceable) for reporting vote lost — everyone can see whether it's been claimed or not: https://docs.siv.org/research-in-progress/automated-reward

---

For that 2nd one:

Track & show how many voters verify their vote

It could help communicate better verification if we automatically had clients confirm their Verification #s were in the decrypted vote list, and report their success back to the API.

This could have a few benefits:

1. It could be advertised to everyone on the Election Status page X out of Y (Z%) have verified, all updating in real time. This could reassure people about the final results, rather than currently assuming that no one is checking.
2. We could show the Admins specifically who has verified or not, e.g. adding another column to the Voters table that gets checked off as they open the status page.
3. If for some unforeseen reason any of the Verification #s do not show up in the final unlocked list, we (SIV) absolutely want to be alerted. There's no reason this should happen, and we definitely need to know!

Steps to implement

• [ ] The Election Status page needs some new code to detect that the current browser has vote data for that election in LocalStorage.
• [ ] We probably want to check the vote itself was submitted before the Unlock began (right now we're only storing when the Unlock ends, not when the Shuffle stage begins), to avoid creating false negatives if the voter submits late.
• [ ] If we want to tell the admin who verified, we need another secret credential only they would know. The auth tokens are no longer useful at that point, since they've been published already. We could have the voter generate a KeyPair when they submit their vote, telling the admin their PubKey. Then at Verification, they could sign I verified, using their private key. Could use encrypted vote data as a pub key, randomizer as priv key, as described here

[dsernst]

One issue w/ this if we totally automate the check is that people won't really understand how the check works, or what it's really doing, or if it can be trusted.

Another variation on the UI, is that we could provide a big button { I Checked My Vote }, for voters to manually click on the Election Status page, and report up to the API if/when they hit it. Then people would have a much clearer sense of what the # checked represents.

[dsernst]

Best of all would be separate Anti-Malware Codes: How Voters Can Prove They Confirmed Their Vote. But that requires distributing via paper invitations pre-election.

[dsernst]

In terms of reporting these stats — publicly, and to admin, what I'd like most is:

Collect all 3:

1. Has Voter A opened the election status page? (automated check described in original issue description)
2. Has Voter A clicked "I checked my vote" button? (manual confirmation described in 2nd comment) unfortunately on-device malware could fraudulently activate it too
3. Has Voter A entered anti-malware codes? Best of all, bc it's malware-resistant, but requires more prep and work to carry out.

Then in terms of reporting, the UI could show all 3 numbers:

1. x of n voters opened
2. y of n voters clicked "Confirmed"
3. z of n voters entered their Anti-Malware code

And really Anti-Malware Code isn't a simple binary, but is actually meant to be entered using a separate device (whole point of them is to assume first device is compromised), so could get even more nuanced with how many different codes + devices voters confirmed with...

Public or private?

And then there could be a separate option for Admins to enable whether these stats are private only for them to see, or visible for everyone to see on the election status page.