The Secret Ballot
Some types of elections do not require a “secret ballot”, but most public sector elections do
Public sector elections have to do with the governing of our lives - their results have the effect of law
A secret ballot requires the separation of a person’s identity from their cast vote
As the content of the ballot becomes more “serious”, the stakes get higher and anonymity becomes essential
Without it, there is no election
Without it, people have died and will continue to die
Mail-in Voting clearly violates all of this – from the onset!
Think about it ... when your ballot arrives in the mail, they know who you are (your identity). When you complete your ballot and place it in a return envelope, you have unwittingly attached your identity to your vote. In short, you have violated the principle of the secret ballot - and a public sector election without a secret ballot is not really an election at all!
What is a secret ballot?
It’s a completed ballot where the identity of the voter is kept a secret. The general principle is one person, one vote - and nobody knows who cast that vote. The idea is that they have the right to vote, and that they are eligible to vote (that’s why they are credentialed), but we are all forced to accept the outcome of the election because we have no ability to go after people to persuade them to change their vote in order to change the outcome of the election. We know who voted, but it's impossible to deduce how they voted.
Today, most democracies use secret ballots, running the election in a secret mode (see [Voter Privacy] on this web site). Is this really that big of a deal? Well, yes. It is. If you look over history, things weren’t always as civil as they are today. Before the widespread adoption of secret ballots, people were subject to violence not only from their government, but from their very neighbors. Today, this form of domestic terrorism still occurs in many countries across the world - even in "democracies" (see the Middle East).
However, it's important to keep in mind that this secrecy is at direct odds with the need for transparency in the election results themselves, as well as the processes used to obtain and count them. It’s critical not to conflate these two concepts. Just because we need to hide identity doesn't mean anything else needs to be hidden - in fact it doesn't and it shouldn't!
While the voter's ballot identity is to remain a secret, EVERYTHING else is to be TRANSPARENT
Violating the secret ballot
When you think about it, that’s exactly what’s happening with mail-in ballots and drop boxes. You’re supposed to keep the identity a secret and the process transparent. With these two forms of absentee voting, that has been reversed! Instead, your identity is transparent, and the election process has become a secret! They know who you are, and where you live, but you don’t know how to locate your ballot to ensure the vote you made makes it all the way to the tally results. In fact, if you try to look into this, you may get arrested. This upside down, topsy-turvy world of elections needs to be fixed. People need to right the ship and return to the canonical practices of the past. But can this be done in a more efficient manner? Yes, it can - that’s part of what EIP is for.
Transparency vs Privacy
So, it’s a balancing act. In a public sector election and many others, the identity of the voter must be hidden while at the same time everything else is to be completely transparent. Not only are the results transparent, but the processes used to obtain the results must be free from any form of secrecy. That’s what lends to the legitimacy of any election.
So the general principle is that associating the identity of the voter with the ballot is radioactive ☢️. But at the same time, how is the voter then able to verify their ballot choices? There’s no way for them to do that without issuing some kind of a vote tracking number (i.e., a Ballot Audit Mark, or BAM) where the voter can look up their vote without revealing their identity.
So why don’t they just attach a BAM (token) to the ballot in the first place? That would solve the transparency problem, but it puts the identity problem back in play, and puts the voter's identity at risk of exposure ...
Unless…
You physically separate assignment of the audit-marked ballot from the identity of the voter. This cannot be done electronically, nor with any kind of remote voting, including voting by mail. It’s a physical process that can only take place in person.
That’s what EIP requires for public sector (secret mode) elections.
That’s what we need to do - all across the world.
Nobody's Perfect
So let's say we can successfully separate identity from vote. Are we home free? Turns out, not quite. Why? Even with this separation, a person's vote may still be deduced by piecing together other crumbs of information such as timestamps and voter pool size. For example, let's say in a small rural community, everyone voted the same way. One could then deduce the way all of those people voted because they know where they voted and the voter pool size.
None of this is a fault in the protocol; it's just the nature of any election. In addition to identity obfuscation, other measures must be put into place. All of this is part of maintaining the secret ballot, which is a primary factor in providing free and fair public sector elections.
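The deduction risk described in this section, written as a check an election official could run before publishing per-precinct results. This is an added example, not part of the original page or of EIP; the record layout, the `min_pool` threshold and all sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample records: (precinct, BAM token, choice, minutes after polls open).
# No voter identity is stored; the risk is what can be inferred from the rest.
BALLOTS = [
    ("rural-1", "BAM-01", "A", 5),   ("rural-1", "BAM-02", "A", 47),
    ("rural-1", "BAM-03", "A", 130), ("rural-1", "BAM-04", "A", 131),
    ("town-2", "BAM-05", "A", 3),    ("town-2", "BAM-06", "B", 4),
    ("town-2", "BAM-07", "A", 6),    ("town-2", "BAM-08", "B", 8),
    ("town-2", "BAM-09", "B", 9),    ("town-2", "BAM-10", "A", 200),
]

def audit_pools(ballots, min_pool=5):
    """Return {precinct: [risk, ...]} for tallies that would reveal individual votes.

    min_pool is an assumed policy threshold, not a value taken from the page.
    """
    by_precinct = defaultdict(Counter)
    for precinct, _bam, choice, _minute in ballots:
        by_precinct[precinct][choice] += 1
    findings = {}
    for precinct, counts in by_precinct.items():
        risks = []
        if sum(counts.values()) < min_pool:
            risks.append("small-pool")   # few enough voters to reason about one by one
        if len(counts) == 1:
            risks.append("unanimous")    # knowing who voted reveals how they voted
        findings[precinct] = risks
    return findings

def isolated_timestamps(ballots, bucket_minutes):
    """Count, per precinct, ballots that are alone in their time bucket.

    A ballot alone in its bucket could be matched against a check-in time,
    so the stored resolution should leave this count at zero.
    """
    buckets = Counter((p, t // bucket_minutes) for p, _b, _c, t in ballots)
    alone = defaultdict(int)
    for p, _b, _c, t in ballots:
        alone[p] += buckets[(p, t // bucket_minutes)] == 1
    return dict(alone)

if __name__ == "__main__":
    print(audit_pools(BALLOTS))
    print(isolated_timestamps(BALLOTS, 1))    # per-minute cast times
    print(isolated_timestamps(BALLOTS, 60))   # cast times coarsened to the hour
```

With per-minute cast times every sample ballot sits alone in its slot; hour buckets remove most of that, but the single late ballot in town-2 stays isolated, so leaving cast times out of published records is the safer setting. A flagged precinct would be merged with a neighbouring one before results are reported at that granularity.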