Internet Voting


Internet Voting is not so much a voting method as an election method.

I know I’m not the first to try this, but I think I’ve come up with something new - or at lease something that I haven’t heard of yet, and I would love to get feedback from people like you who have been in this game for a long time.

Please check it out and provide your feedback.


Thank you, Glen



But with STAR voting you should use 0-9 instead of 0-5 for many-candidate elections, to reduce the amount of times you are forced to give two candidates the same score


Getting something like this to work would probably be a prerequisite for the sort of Direct Representation Scheme @waugh and I were discussing in the Multi-Member threads.

However, I do have one concern. One of the features you tout is that people can verify that their vote was cast and counted as they had intended. A concern I have with this is that it could lead to vote buying or intimidation. Right now, there is no way to prove that your vote was cast in a certain way. While there are many downsides to this, one of the advantages is that your boss cannot tell you “I want to see you vote for these people, and I want the proof, or you’re fired.” We had a thread criticizing IRV with complete published rankings for having this problem, so for consistency’s sake I thought I should bring it up here.


I knew you guys would have some great input.
I hadn’t thought of that.
I think it would be cool to see your own vote, but now I can see how it would possibly be used against you.

I’ll take that out.

Thank you… Anything else???

Your feedback is so appreciated.

Do you think that having to burn a cd or load a program on a USB would be too much to ask of voters from a tech standpoint?


Great feedback.

Why not go 0-10 with all votes below 5 counted as NEGATIVE VOTES. Would that be possible?

With a system like that you could rank your level of revulsion as well as your level of approval.


Couldn’t buyers/coercers still watch you cast your vote?

Estonia uses internet voting, and they get around that by letting voters change their vote—but their system isn’t end-to-end verifiable. Votes aren’t make public. If votes are public, even just the encrypted versions, a buyer/coercer could still see if it changes.

The only end-to-end systems I’ve seen still require a secret ballot, i.e. being alone is mandatory, not optional.

It also mentions that you will “be able to verify that your own vote was recorded as you specified”. Do you know how it would do that?


My system will allow you to change your vote right up to the end.

The blockchain will record your vote in an encrypted manner so that NOBODY, not even you, can see that data.

You will be able to verify that your vote was recorded, but you wouldn’t be able to see WHO or WHAT you voted for - to protect against coercion.

Only your voter registration info will be viewable after you cast your vote and that will not even show if you’ve voted or not.

So if you are being Coerced, hopefully you can sneak away later and just vote again to change your vote. I guess if someone was holding you hostage and forcing you to vote a certain way… well there’s not much anyone can do for you. I guess we could all rest assured that any asshole that might do something like that could only do it to a VERY small group of people at one time, and then there would be legal consequences to pay.

Thanks for your input and for taking the time to read through it.


I understand that it would be encrypted, but would you be able to see the encrypted data? You wouldn’t be able to make sense of it, but would the information be there at all? I mean, it’s on the blockchain, right?

This is supposed to be an end-to-end verifiable system, right? Where anyone can:

  1. Verify that their vote was cast, and as they intended
  2. Verify that it was counted correctly

So how are the votes counted? I do know of schemes where they never have to be publicly decrypted, but at least the encrypted versions still have to be public.


What if you encrypt the names of the voters with a password that only that voter knows? That way anyone can verify that 576F7445527A voted for Hinald Clump, but only John Doe knows that he is 576F7445527A, and perhaps John has a password that Ann Smith voted for Dollary Trinton and has no way of knowing that John who voted against her amid the billions of other Clump voters.

Also how do you know that a given CD that claims to be OpenVote is not corrupted or modified in a malicious way? See puzzle 41:
Unless you specifically burn the CD, you can never truly be sure that the CD is genuine.


My understanding is that hyperledger blockchain can be saved with certain parts encrypted and others not. However, I’m no blockchain expert and this project will eventually need experts to make that part happen. I’m just trying to assemble the ideas. IF the project gets off the ground, a blockchain expert will be needed to tell us what is possible with the current technology and what is not. I just trust that the universe will keep providing a path forward. The details will evolve as we need them.

I’ve thought about that too. I think it would be possible to make the software phone home every time you boot it up, just like Adobe and Windows will make sure you’ve got an authentic copy every time you boot. But instead of checking to see if you’re registered, which nobody will need to be, it could check to verify a hashtag.
Seems possible don’t you think? Got any other ideas for how this might happen?


I see your point. Complicated for sure. Not sure how to get around it except that the code in that example was not specified to perform a specific task other than reproducing itself. In our case, the code can be tested in a sandbox environment to see if it actually performs the various voting tasks as it’s intended. Not sure if that would create perfection, but you could certainly test for performance before releasing it.


I’m sure it can. But I don’t think it matters. If a buyer watches you vote once, and sees/records the encrypted version of the ballot, they know that encryption is for their candidate, and can check to make sure it is never changed (or, since this is a blockchain, superseded by a later entry). If it is changed/superseded, the new encryption means they don’t know what it changed to, but they still just don’t pay the seller (or they punish them). So sellers/victims won’t change it.

This could be defeated if the buyer can’t tell if a vote is changed. However, in order for people to be able to authenticate the election, I think everyone needs to be able to tell which votes on the chain are no longer valid/have been superseded. So the buyer will also be able to tell when a vote is changed. They may need some additional information from the voter (like ID info), but they can just require it as another condition for payment.

I wouldn’t call myself an expert, but I know the basics. However, I don’t think this is a blockchain issue.


I’m not sure what you mean by a “buyer.” I think you’re talking about a coercive situation where someone is watching a voter.
This would be happening at a personal computer. There would be no evidence of WHO or WHAT the votes were cast for. Just a receipt that the votes were logged for (voter name) and that’s it. I see nothing about this part of the concept that could be used, and if it was such an extreme situation, the voter could simply go somewhere else and vote again - which you can do right up to the last minute.
I’m sure it would be possible to force a voter or two, but nothing like the mass deception, and probably some level of vote theft that we are subject to right now with the voting machines we use.

If we can manage the part about each person authenticating the election, which I believe we will be able to do, it will take a blockchain expert to set that up.


There would still need to be traditional polling places, so that it doesn’t amount to a poll tax for those that don’t have a computer. Those polling places could then just be online voting centers. And include libraries.

There are still issues though of hacking/malware, and preventing double-votes.


It’s important to note that encryption/decryption is not neccesarily symmetric, meaning the encryption key and decryption key can be different. And blockchain and computer security in general relies strongly on asymmetric encryption.

There are two ways to use this:

  • public key used to encrypt
  • private key used to decrypt
  • private key used to encrypt
  • public key used to decrypt

the two ways have totally different use cases. for example, the first can be used for sending data privately over an open channel. the second can be used for confirming a person’s identity.

i would think in a system like this, the votes would be public, but the voter’s identity would be private.
so each voter would have a private key. and in a polling place (for that part of it), each terminal would have a private key, that would be destroyed after the election.

anyways, i wanted to clarify that functionality: cryptography here is asymmemtric, and there’s actually two very different directions for that asymmetry, with very different use cases.


regarding blockchains, i would think a high-bandwidth turing complete chain would be the way to go, such as EOS or the upcoming RChain. then you could have the tallying algorithms on-chain, for transparency.

from my understanding, hyperledger isn’t a complete blockchain, it’s a specification. it doesn’t have an implementation or emobdiment.


Sort of. I think vote buying/selling being possible implies and voter coercion is possible and visa-versa. One difference is that the voter wants to sell their vote. They aren’t being threatened. They may approach the buyer themselves.

The slides say “every voter can personally access the blockchain to verify the integrity of their own vote”, and “the open vote software will contain options to verify that your own vote was actually recorded as you specified”. Do you know how that will work?

Not if the buyer/coercer can tell if the vote has been changed.
It’s easy enough to make that impossible, but only if you give up on end-to-end verifiability.

Basically, the trouble comes when you want to do all of these:

  1. Only allow authorized voters to vote, and only once
  2. Allow voters to verify that their vote is cast and recorded correctly
  3. Allow voters to authenticate the election
  4. Disallow vote buying/coercion
  5. Vote online

I’ve seen many proposed systems, but the best they mange is 4 out of 5. Estonia fails #3. Another blockchain-based internet voting protocol fails #4. The end-to-end verifiable systems I’ve seen (here’s one example) fail #5.

People have been trying to create end-to-end verifiable voting systems. It’s just hard. Or maybe impossible, though I hope not. I want internet voting, so if you’ve thought of something new, I want to hear it. That’s why I’m asking about common weaknesses of other systems.

Depends on how your voter registration system works. The buyer watching the voter if just one possible vector. Can voters sell their voting credentials? Estonia prevents that by requiring voters to use their irreplaceable, uncopyable, national ID smart card.

If voters can send their information, a buyer could set up a website to pay people in exchange for that information. This could be relatively large-scale.


Wow. Thank you BOTH so much for all the time you’ve spent on that.

The two of you obviously know faaaar more about this than I do.

Would you consider becoming involved with this project?
I mean you already did just now by writing all that and taking your time to do so, but I mean on a more substantial basis. As in, actively concentrating on the formation of this idea and helping to move it.

You obviously have far more experience and knowledge in this realm than I do and for me to even attempt to answer your questions would be silly.

Here’s the deal. I need people like you that have specific knowledge about areas of this plan.
Those people must be willing to focus some time on the project just as you’ve done here.
I will gladly take your input and modify the plan to the best of our ability to find a way to make it workable.

After you contribute a significant amount of energy, I would he happy to have your name on the project.

On my own, as you can see, I’ve got some ideas that I think are generally solid, but I have no specific skills or knowledge about how to make this work.

Are you interested?

We could talk on the phone when you have time. 541-729-9256 (text first)



After reviewing the slides I like this idea in general. I have a few specific comments / questions about it.

  • This doesn’t appear to provide any sort of paper trail or ability to count votes by hand. I think that hand counting a statistical sample of votes would be necessary for auditing the accuracy of the voting software.
  • On slide 34 you list “No Gerrymandering” as one of the benefits. How does Internet voting address gerrymandering at all? My understanding is that gerrymandering is a product of having single-seat districts, which is completely independent of the voting method or software.
  • On slide 31 you state that votes can be changed arbitrarily up until the election is closed. How is that accomplished when the individual votes are encrypted (slide 23)?
  • Rather than recording the identity of each voter, how about just recording an ID number for each ballot? I think a good system for maintaining the anonymity of votes is to allocate a unique ballot ID to each registered voter either in advance of the election or at the time of voting over a secure channel. The system would not retain any correlation between voter and ballot ID, but the voter could use the ballot ID to verify whether his or her vote had been counted.


Later on the slideshow mentions STAR voting which is gerrymander-resistant. I also thought I remembered seeing something about automated redistricting but now I do not know.