Mitigating Attacks
Vote Selling

Vote Selling

In this section, we will explore multiple arguments on the current status of vote selling in government elections, and then propose a strong potential solution.

The Status Quo Is Already Coercible

  1. Mail-in ballots can already be easily coerced in person by spouses, bosses, or others, who can simply ask the voter to sign a blank ballot and hand it over.
  2. Smartphone video recording proofs: Both mail-in and in-person voting are vulnerable to smartphone video recording proofs, which can be used to confirm a vote has been cast in a certain way. It is difficult for voting facilities to detect and enforce against this practice. We estimate that reviewing such videos at scale could be reliably outsourced for less than $1 each.
  3. US voters abroad: According to The Federal Voting Assistance Program (opens in a new tab) there are approx. 3 million US voters abroad, including military personnel. Many such voters already submit votes through plaintext email attachments or other digital means (opens in a new tab), yet there is no evidence of widespread vote selling.
  4. Elected representatives are already susceptible to coercion through bribes or indirect "revolving door" appointments, which can have a far more significant impact on constituents. For example, if a single US Congressional representative changes their vote due to financial incentives, they've sold out all their constituents, approx. one million people. Compare that to a single voter selling their vote, who represents no one else, yet still faces large risks.
  5. Indirect vote buying through political promises: Politicians often make promises that have specific monetary value to specific subsets of voters, such as free or subsidized healthcare, education, or specific industry benefits. Such promises can often be phrased as "Vote for me to get X". This practice can be viewed as an indirect form of vote buying, yet is widely accepted and practiced within the political process.
  6. Cryptocurrency tokens and conditional financial instruments: Even without internet voting, there have already been cryptocurrency tokens created that have value if and only if a particular candidate wins, such as the infamous $7.4m TRUMPLOSE tokens revealed in the 2022 FTX bankruptcy. Whether or not citizens are given the option of Secure Internet Voting, conditional financial instruments like these can already be given to persuadable voters, at little cost to would-be bribers if their preferred candidate doesn't win.

Existing Criminal Penalties

  1. Current laws impose strong criminal penalties for both briber and bribee, including imprisonment, steep fines, and potential loss of voting rights. This has already been in the US criminal code for over 70 years (18 U.S.C. §597 (opens in a new tab)), carrying up to 2 years jail time and a $10k fine for a single willful instance, for both buyer & seller.

Voter Selling Is Hypothetical, Not Observed

  1. Estonia's successful internet voting system: The nation of Estonia has successfully offered its 1.3 million citizens internet voting (opens in a new tab) in every election since 2005. There are no known instances of widespread vote selling, and the system continues to be very popular, with approx. half of all voters using it.
  2. Lack of clarity on the market value for individual votes: Because there is little-to-no existing evidence of vote selling, there is a lack of clarity regarding the market value for individual votes. It would be especially challenging to offer bribes exclusively to voters who didn't already intend to vote for a particular candidate. As this further dilutes the amount available for on-the-fence voters, vote selling becomes even less attractive, especially with such high criminal penalties if caught.
  3. Competing bribes neutralizing each other's influence: Even if hypothesized vote selling were to spread, competing bribes would neutralize each other's influence on voters. For instance, if a voter is offered $50 to vote for Candidate A but only $35 for Candidate B (their original favorite), the net financial incentive favoring A over B is $15, not $50. Thus, close races could have far less of a corrupting effect than it would initially seem.
  4. Potential backlash against bribery campaigns: As all of this is hypothetical, we can only speculate about how this would play out. Another possible scenario is that if on-the-fence voters became aware of widespread bribery campaigns, they may consider it a form of cheating and decide to vote against the candidate on principle. Like the above two bullet points, this factor would also reduce the efficacy of vote buying, perhaps even to the point of backfiring.
  5. Reversibility: We believe that Secure Internet Voting's many benefits make it well worth it overall. But if widespread coercion were to arise, internet voting can still be repealed, returning back to the status quo. Even in a worst-case scenario in which electronic voting is entirely compromised by voting selling, a repeal can still be achieved by legislators, or by citizens in a paper-only referendum.

SIV-Specific Mitigating Factors

  1. Voter education and warnings: Within the voting interface, SIV can explicitly educate and warn voters on the dangers of vote selling, and the serious consequences if caught. SIV can also make it easy to report attempts to the proper authorities.
  2. Remediation: SIV's design allows any discovered compromised votes to be invalidated, and if appropriate, remediated.
  3. Alerts for anomalous behavior: Unlike email or fax, SIV makes it possible to automatically trigger alerts if IP address geolocation or device user-agents show anomalous behavior that could indicate widespread vote-selling.
  4. Selective deanonymization of votes: Although all votes are encrypted by default, a quorum of the election's Privacy Protectors can cooperate to selectively deanonymize an individual vote, while still protecting the privacy of all other voters. This means discovered vote sellers cannot hide behind SIV's strong cryptography. Sufficient justification needs to be provided to make use of this power, and is protected from abuse by including a broad range of Privacy Protectors.

Tradeoff With Verification

There is a fundamental trade-off between receipt-freeness and verifiability:

  1. MACI and its limitations: For digital voting settings, MACI ("Minimal Anti-Collusion Infrastructure") and similar designs are a common proposed solution to Vote Selling. These are based on the principle of allowing voters to submit multiple times, to trick would-be coercers. Unfortunately, these designs are still not immune to vote selling (e.g. handing over HSM devices, or live streaming from the start of the election), and they compromise other security properties. In particular, MACI necessitates giving election administrators unrestricted rights to see who cast each vote, completely sacrifices any protection against on-device malware, and makes verification far more technically complex.

  2. Secret paper overrides: Because SIV works alongside paper methods, voters under coercion pressure could cast a 2nd vote using paper-methods, which can treated as overriding, without alerting the coercer. Although it must be noted this "secret paper overrides" configuration does sacrifice some verifiability (partial tally totals, not malware nor privacy).

  3. Stakeholder preferences: Although brilliant computer scientists have spent decades writing about the problem and possible solutions to vote selling, there is a fundamental disconnect with other election stakeholders. We have consulted with countless voters, election officials, and candidates (both victorious and not). The vast majority — when presented this fundamental tradeoff between Coercion Resistance & Verifiability — express a strong preference for Verifiability, as well as the other benefits Secure Internet Voting offers. While we are thankful that insightful computer scientists have correctly identified the increased potential of vote selling from digital elections, we must point out that the specific judgement of whether the increased risk is acceptable is a question for all election stakeholders, and not fundamentally a question of Computer Science.

A Stronger Solution

Building upon the current criminal penalties against vote selling, SIV has developed an even stronger potential legal solution that addresses vote selling while preserving voter verifiability, called "The Vote Seller's Dilemma".

This method rewards defectors (seller or buyer) who successfully report the other side. As a result, trust between the two parties is destroyed, given the always-better outcome for one party to betray the other for the offered reward.

With this proposal adopted, all voting methods benefit, but internet voting in particular can become even more resistant to vote selling than Vote-by-Mail, because handing over a signed mail ballot creates less evidence for whistleblowers than digital coercion creates.

For further explanation, see "The Vote Seller's Dilemma".

Privacy ViolationsComparing Voting Methods