> "Although it would be informally apparent that something had gone wrong..."
ie, there's a spectrum of voting attacks. Ballot stuffing is more powerful than ballot burning. If you can target specific districts or voters, then ballot burning can have the same effect on the overall outcome, so it is still incredibly serious, but just takes extra work. This is ballot burning.
> "it seems that our exploit would put the system in an “impossible state”, which would make it difficult to define a meaningful investigation process."
If I'm reading this right, ballot burning itself might have two subtypes -- invisible and leaving big messy scorch marks. This is the latter type. Still serious, but different. You could DoS an election's integrity, forcing emergency runoffs or stalling out democratic processes, or forcing a failover to legacy systems that might be easier to launch higher level attacks against.
This will probably add to the antipathy against electronic voting systems, but I don't blame Scytl-SwissPost for trying. Our current system features disappearing ballot boxes, local level ballot design flaws, and relies on the postal system for absentee ballots. Whatever the mix of media, part paper or electronic, we need to be working towards something more cryptographically sound.
https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy...
I do.
> Our current system features disappearing ballot boxes, local level ballot design flaws, and relies on the postal system for absentee ballots.
None of these are fixed by electronic voting.
They are fixed by fixing them.
But we have different takes on how to solve those problems, so I want a shot at clarifying my position, and I'm genuinely interested in what your (nonelectronic) solutions might be.
The problems I pointed out are the sort of problems that stem from requiring that we trust untrustworthy third parties. Now, it's not like USPS is nefarious, just that they sometimes lose or misdeliver letters without informing the sender. Local officials who manipulate vote counts by losing boxes or prefilling absentee ballots... well, less innocent.
If you're talking about ensuring the integrity and availability of information, or controlling who can see or alter it, you're really talking about a problem in cryptography.
"Fix this by fixing them"
We certainly wouldn't have these problems if we could just demand that everyone engage in trustworthy behavior. That's always true for problems in information theory, or cryptography more generally. And we should back any framework with a strong legal framework to punish manipulation of elections. Vote tampering is illegal, but we should make sure those laws are effective.
More generally though, if we could just rely on "demand all parties are trustworthy" as a cryptographic primitive, then all protocols would be trivial.
Imagine if the typical take on electronic voting was applied to any other area of cryptography.
"I don't trust encryption schemes unless they are done on paper and administered by my local government!"
It would sound odd, right? Why this one?
I think we got here as a community as a reaction to governments and equipment makers like Diebold making claims about electronic voting that sounded like they believed in or were lying to the public about perfect security. Obviously anyone claiming their system is unhackable is trying to con someone.
On the other hand, distributed paper voting as a protocol has a ton of failure points too. And (electronic) cryptography could help with some of those issues. (You don't have to go all electronic. You can keep paper for some parts of the process where paper works best.)
So I've come around to a third way. We need to get past "paper is the answer" or "electrons are the answer" and get to a place where we are honest about the flaws in all systems, we lay out the properties of elections we want to safeguard, and figure out the best protocols and mediums and even UX to get us there.
Seriously though, if you have good incremental ideas for fixing how we do absentee ballots, I'm definitely open to hear more good ideas. And we'll definitely want small steps, rather than diving into any radical changes that suddenly break the system.
