Open to help post-election audit the HACK SIV vote?

  • Quickest method takes less than 3 min
  • Everyone else would be able to see and gain confidence from the fact that you verified your vote. We can actually hit 100% for this small vote
  • No one should learn how you voted

…on the same device you voted from.

If your “Submitted Vote” screen comes up, good! You have everything you need to verify. Please say “I found my Submitted Vote data”. ✅

  • If your “Submitted Vote” screen is missing, write back “Stuck @ 1”.

Step 2: Now look on that page near the left side top, for the green 🟢 box called “VERIFICATION #”.

  • If you can’t find your green Verification #, write back “Stuck @ 2”.

Step 3: In a separate tab, open this unlocked-votes.json file

Mirroring this data to GitHub protects against the SIV server showing different versions to different people. It uses content-addressable hashing & gets timestamped by GitHub. Others can fork with a click to create more mirrors.

  • If the json file is missing or inaccessible, write back “Stuck @ 3”.
  1. Windows: Ctrl+F
  2. Mac: Cmd+F
  3. iOS: Share button -> scroll down a bit to “Find on Page”
  • If you can’t activate your in-page search, say “Stuck @ 4”.

Step 5: Copy and paste your green 🟢 Verification # from Step 2 into the Find-in-Page prompt.

Does it get a hit??

It should find your individual vote, with your Verification # labeled “tracking” (the original name for this feature).

  • If the In-page Search says 0 results, say “Stuck @ Step 5”.

At this point, if you’ve made it through all the previous steps, it would be very useful if you could truthfully say:

  • “I found my verification number in the unlocked results.” ✅

Step 6. Now, you can verify your individual ballot selections were cast correctly.

Usually this is a lot easier, because the column name would be something simple like “mayor” or “senator”, and you’d see the name of your chosen candidate in your vote selection.

(We are aware that checking each vote selection this way is currently annoying, and we have designed an improvement to the encrypted vote preparation that could massively speed up this post-election Verification # -> Vote Selection check.)

But because of this special “budget” type — specific to this Awards Vote — and the 42 different submissions, we used a (regrettable) generic formula award_{submitter}_{submission_#} when designing the ballot.

You can compare the json listing with your Submitted Vote tab, to confirm your voter interface shows matching submission plaintexts.

Here is a table that relinks the column_ids to their original submission names.

(Friendly reminder that for fairness, this election’s vote interface randomizes the order of all options on every refresh).

Once you are sufficiently satisfied, it would be great if you could truthfully say:

  • “I confirmed my vote selections look correct.” ✅

If you see any vote selections of yours that look wrong, please say something! 🚨

⚠️ - Be sure not to reveal any details of how you voted, just whether or not the submission looks correct to you.
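Steps 5 and 6 can also be run as a short local script. This is an added example, not SIV's own code: the file layout (a JSON array of vote objects with a "tracking" field plus one field per ballot column), the sample values and the function names are all assumptions made for illustration.

```python
import hashlib
import json

# Constructed sample standing in for unlocked-votes.json. ASSUMED layout: a JSON
# array of vote objects, each with a "tracking" field (the Verification #) and
# one field per ballot column. Every value below is made up.
SAMPLE_FILE = json.dumps([
    {"tracking": "0000-1111-2222", "award_alice_1": "30", "award_bob_2": "0"},
    {"tracking": "3333-4444-5555", "award_alice_1": "5", "award_bob_2": "25"},
]).encode()


def fingerprint(raw: bytes) -> str:
    """SHA-256 of the exact bytes downloaded; two people (or two devices)
    holding the same file must get the same digest."""
    return hashlib.sha256(raw).hexdigest()


def find_vote(raw: bytes, verification_number: str):
    """Step 5: return the single vote carrying this Verification #, or None."""
    wanted = verification_number.strip()
    hits = [v for v in json.loads(raw)
            if str(v.get("tracking", "")).strip() == wanted]
    if len(hits) > 1:
        raise ValueError("Verification # appears more than once in the file")
    return hits[0] if hits else None


def mismatched_columns(vote: dict, submitted: dict) -> list:
    """Step 6: columns where the published vote differs from what the
    Submitted Vote screen shows (missing and extra columns count too)."""
    published = {k: v for k, v in vote.items() if k != "tracking"}
    return sorted(c for c in set(published) | set(submitted)
                  if published.get(c) != submitted.get(c))


def verify(raw: bytes, verification_number: str, submitted: dict) -> str:
    """Return only a status line, never the selections themselves."""
    vote = find_vote(raw, verification_number)
    if vote is None:
        return "Stuck @ Step 5"
    bad = mismatched_columns(vote, submitted)
    if bad:
        return f"{len(bad)} selection(s) look wrong"
    return "I confirmed my vote selections look correct."
```

The status line is safe to post publicly because it contains no selections, and the fingerprint can be compared with other voters to confirm everyone was served the same file.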

This can create Common Knowledge.

Common Knowledge is the state in which everyone knows that everyone knows that everyone knows. This is fundamental to free society, the key force that prevents authoritarian dictatorships. (Regimes depend on victimized citizens not realizing they have overwhelming numerical superiority.)

Please post these verification results somewhere visible for others to see!

If something is wrong, we can dig deeper into it and trace out exactly where in the process it was corrupted.

If caught, it can be fixed, with invalidated votes and reissued credentials.

This Personal Verification # check protects you against your vote getting lost or tampered with during SIV Protocol:

  • Step 3 - Vote Submission & Storage
  • Step 4 - Anonymizing Shuffle
  • or Step 5 - Privacy-Protecting Decryption

In other words, this check protects you against a cheating election server, or cheating Privacy Protectors. (The backend server also already forced all Privacy Protectors to provide unforgeable Zero-Knowledge Proofs that they didn’t tamper with any votes during their Shuffle or Partial Decryption steps, so really the check here falls back to a corrupted backend.)


You have successfully completed the core of the Personal Voter Verification. 🎉

More advanced checks are also possible, listed below.


Verifying Against On-Device Malware

Only once you have completed the above — and posted it please — you can gain even greater confidence by testing against on-device malware. A corrupted voting device always has the possibility to tamper with the preparation of your vote (SIV Protocol Step 2) in extremely subtle ways, before it ever reaches the SIV Election Server.

Fortunately, SIV enables you to check to see whether this happened, and to be able to fix it, if so. All you need to do is open the unlocked-votes.json file again, but this time from a different phone or computer.

This allows you to use the second device to check against malware on the first. Each device has a separate malware profile.

The additional redundancy makes verification much more resilient. In fact, these checks can continue onto an arbitrarily high number of additional devices.

Every single one of them would need to be compromised by the same, coordinating malware in order to keep the attack disguised.

Paper-only, Software Independence

We can even achieve Software Independence, by re-doing this check not against an additional electronic device, but against paper printouts, especially if they’re made available in a public location or brought to us in person by an official post-election auditor.

Anti-Malware Codes

If we had postal invitations, we could even issue simple, 2-digit Anti-Malware Codes, that would be entered in the second device, but the first device would never see. This allows voters to publicly prove that they checked from a distinct device.

Without such codes, sufficiently advanced malware on the first device could fake claims that checks were made on additional devices. The voter would know their truth, but not be able to prove it over only digital channels.

Official Post-Election Audits

This privately-silo’d verification of a voter’s own vote can be improved, by a verbal phone call from Official Auditors, walking voters through the exact same steps above. Although in theory, advanced enough malware could even fake such a live phone conversation.

In-person audits could provide an extremely high level of confidence. These could be used primarily with voters who first do phone checks, to calibrate and measure the effectiveness of these phone checks. The in-person tests allow us to measure whether any phone checks are beaten.

In other words, the most expensive form of audit, in-person visit, can be used to calibrate phone call audits. And phone call audits can calibrate voter-autonomous, self-service Verification.

Initial research suggests this makes it possible that just a very small number of in-person checks could be effectively leveraged with a moderate number of phone-call checks, and a wide number of Voter-autonomous checks, to achieve overwhelming confidence in voter-verified results.

We have begun exploring the math, using random sampling. Because these checks are ballot-level, not batch-level, our initial results suggest we can achieve something on the order of 1000x improved sampling efficiency compared to current batch-level RLAs: https://docs.siv.org/verifiability/rla

Auditing the Voter Roll Itself

If we complete all the above checks, this provides proof that SIV Protocol Steps 2, 3, 4, and 5 were run correctly.

But this still leaves out Step 1 — Voter Authorization Token Issuance.

For example, the election administrator (us, in this case) could have made up fake voters, issued multiple credentials to certain voters, or failed to deliver credentials to voters.

These challenges are also all present with paper elections, e.g. ballot stuffing, certain precincts with much longer voting lines than others, or dependence on the integrity of the postal mail system.

In some ways, the paper system looks superior, because meatspace attacks are much more expensive to scale up than digital.

But paper voting has a number of disadvantages compared to SIV too:

  1. Paper elections involve many, 1-time-only events — checking in voters, votes getting cast, driving ballots from precincts to central tabulating buildings, tabulation itself — which have to be observed in real-time to catch cheating. By contrast, SIV allows verification to take place at any point after the fact.
  2. The paper system has massive geographical surface area, such as hundreds of polling places throughout a single city. And with early voting, possibly weeks of time frame to monitor. No one can possibly be in every location simultaneously.
  3. If any sort of authentication problems are surfaced in a paper system, because the paper vote anonymization process is non-repeatable, problems cannot be fixed. The only option is to discard the results, and possibly re-do the entire election.

SIV does allow auditing the voter roll, which can be done efficiently with random-sampling.

We're working to make these post-election verification steps faster & easier. But we believe, fundamentally, that the Voter-Verifiability SIV is built upon can achieve a far higher level of Common Agreement in the legitimacy of the voting process itself, compared to our current election processes.
