…on the same device you voted from.
If your “Submitted Vote” screen comes up, good! You have everything you need to verify. Please say “I found my Submitted Vote data”. ✅
unlocked-votes.json file
Mirroring this data to GitHub protects against the SIV server showing different versions to different people. It uses content-addressable hashing & gets timestamped by GitHub. Others can fork with a click to create more mirrors.
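Added example (not SIV's own code): Git's content address for a file is the SHA-1 of the header "blob <size>\0" followed by the file's bytes, so two copies of unlocked-votes.json are identical exactly when their blob ids match. The sample bytes are constructed, and their JSON layout is an assumption.

```python
import hashlib


def git_blob_id(data: bytes) -> str:
    """Id Git gives a file with exactly these bytes (SHA-1 object format)."""
    header = b"blob %d\x00" % len(data)
    return hashlib.sha1(header + data).hexdigest()


def compare_copies(server_copy: bytes, mirror_copy: bytes) -> dict:
    """Compare the bytes served to you with the bytes held by a mirror."""
    server_id = git_blob_id(server_copy)
    mirror_id = git_blob_id(mirror_copy)
    first_diff = None
    if server_id != mirror_id:
        # Locate the first differing byte so the discrepancy can be reported.
        shared = min(len(server_copy), len(mirror_copy))
        first_diff = next(
            (i for i in range(shared) if server_copy[i] != mirror_copy[i]),
            shared,
        )
    return {
        "server_id": server_id,
        "mirror_id": mirror_id,
        "match": server_id == mirror_id,
        "first_diff": first_diff,
    }


# Constructed sample bytes; the real file's layout may differ.
MIRROR = b'[{"tracking":"1111-2222-3333","award_alice_1":"5"}]\n'
SERVED = b'[{"tracking":"1111-2222-3333","award_alice_1":"0"}]\n'

if __name__ == "__main__":
    print(compare_copies(MIRROR, MIRROR)["match"])
    print(compare_copies(SERVED, MIRROR))
```

Hash the raw downloaded bytes: re-saving or pretty-printing the JSON changes the id even when the votes are identical.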
Does it get a hit??
It should find your individual vote, with your verification # labeled “tracking” (the original name for this feature).
At this point, if you’ve made it through all the previous steps, it would be very useful if you could truthfully say:
Usually this is a lot easier, because the column name would be something simple like “mayor” or “senator”, and you’d see the name of your chosen candidate in your vote selection.
(We are aware that checking each of the vote selections is currently annoying, and have designed an improvement to the encrypted vote preparation that could massively speed up this post-election Verification # -> Vote Selection check.)
But because of this special “budget” type — specific to this Awards Vote — and the 42 different submissions, we used a (regrettable) generic formula award_{submitter}_{submission_#} when designing the ballot.
You can compare the json listing with your Submitted Vote tab, to confirm your voter interface shows matching submission plaintexts.
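One way to script this lookup, as an added example that is not part of SIV's code. It assumes unlocked-votes.json is a JSON array of objects, each with a "tracking" key plus one key per award_{submitter}_{submission_#} column; the sample records and verification numbers are constructed.

```python
import json
import re

# Column ids follow award_{submitter}_{submission_#}; the submitter part may
# itself contain underscores, so the number is taken from the last segment.
COLUMN_ID = re.compile(r"^award_(?P<submitter>.+)_(?P<number>\d+)$")


def find_my_vote(votes_json: str, verification_number: str) -> dict:
    """Locate one vote by verification # and list its selections per column."""
    votes = json.loads(votes_json)
    wanted = verification_number.strip()
    hits = [v for v in votes if str(v.get("tracking", "")).strip() == wanted]
    if not hits:
        return {"status": "missing", "selections": []}
    if len(hits) > 1:
        # A verification # should be unique; more than one hit needs reporting.
        return {"status": "duplicate", "selections": []}
    selections = []
    for column, value in hits[0].items():
        if column == "tracking":
            continue
        m = COLUMN_ID.match(column)
        selections.append({
            "column": column,
            "submitter": m["submitter"] if m else column,
            "submission": int(m["number"]) if m else None,
            "value": value,
        })
    selections.sort(key=lambda s: s["column"])
    return {"status": "found", "selections": selections}


# Constructed sample data (assumed layout, not real election output).
SAMPLE = json.dumps([
    {"tracking": "1111-2222-3333", "award_alice_1": "5", "award_team_x_12": "0"},
    {"tracking": "4444-5555-6666", "award_alice_1": "2", "award_team_x_12": "3"},
    {"tracking": "7777-8888-9999", "award_alice_1": "1", "award_team_x_12": "1"},
    {"tracking": "7777-8888-9999", "award_alice_1": "4", "award_team_x_12": "0"},
])

if __name__ == "__main__":
    for row in find_my_vote(SAMPLE, "1111-2222-3333")["selections"]:
        print(row)
```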
Here is a table that relinks the column_ids to their original submission names.
(Friendly reminder that for fairness, this election’s vote interface randomizes the order of all options on every refresh).
If you see any vote selections of yours that look wrong, please say something! 🚨
⚠️ - Be sure not to reveal any details of how you voted, just whether or not the submission looks correct to you.
The state when everyone knows that everyone knows that everyone knows. This is fundamental to free society, the key force that prevents authoritarian dictatorships. (Regimes depend on victimized citizens not realizing they have overwhelming numerical superiority.)
If something is wrong, we can dig deeper into it and trace out exactly where in the process it was corrupted.
If caught, it can be fixed, with invalidated votes and reissued credentials.
This Personal Verification # check protects you against your vote getting lost or tampered with during SIV Protocol:
In other words, this check protects you against a cheating election server, or cheating Privacy Protectors. (The backend server also already forced all Privacy Protectors to provide unforgeable Zero-Knowledge Proofs that they didn’t tamper with any votes during their Shuffle or Partial Decryption steps, so really the check here falls back to a corrupted backend.)
More advanced checks are also possible, listed below.
Only once you have completed the above — and posted it please — you can gain even greater confidence by testing against on-device malware. A corrupted voting device always has the possibility to tamper with the preparation of your vote (SIV Protocol Step 2) in extremely subtle ways, before it ever reaches the SIV Election Server.
Fortunately, SIV enables you to check to see whether this happened, and to be able to fix it, if so. All you need to do is open the unlocked-votes.json file again, but this time from a different phone or computer.
This allows you to use the second device to check against malware on the first. Each device has a separate malware profile.
The additional redundancy makes verification much more resilient. In fact, these checks can continue onto an arbitrarily high number of additional devices.
Every single one of them would need to be compromised by the same, coordinating malware in order to keep the attack disguised.
We can even achieve Software Independence, by re-doing this check not against an additional electronic device, but against paper printouts, especially if they’re made available in a public location or brought to us in person by an official post-election auditor.
If we had postal invitations, we could even issue simple, 2-digit Anti-Malware Codes, that would be entered in the second device, but the first device would never see. This allows voters to publicly prove that they checked from a distinct device.
Without such codes, sufficiently advanced malware on the first device could fake claims that checks were made on additional devices. The voter would know their truth, but not be able to prove it over only digital channels.
This privately-silo’d verification of a voter’s own vote can be improved, by a verbal phone call from Official Auditors, walking voters through the exact same steps above. Although in theory, advanced enough malware could even fake such a live phone conversation.
In-person audits could provide an extremely high level of confidence. These could be used primarily with voters who first do phone checks, to calibrate and measure the effectiveness of these phone checks. The in-person tests allow us to measure whether any phone checks are beaten.
In other words, the most expensive form of audit, in-person visit, can be used to calibrate phone call audits. And phone call audits can calibrate voter-autonomous, self-service Verification.
Initial research suggests this makes it possible that just a very small number of in-person checks could be effectively leveraged with a moderate number of phone-call checks, and a wide number of Voter-autonomous checks, to achieve overwhelming confidence in voter-verified results.
We have begun exploring the math, using random sampling. Because these checks are ballot-level, not batch-level, our initial results suggest we can achieve something on the order of 1000x improved sampling efficiency compared to current batch-level RLAs: https://docs.siv.org/verifiability/rla
If we complete all the above checks, this provides proof that SIV Protocol Steps 2, 3, 4, and 5 were run correctly.
But this still leaves out Step 1 — Voter Authorization Token Issuance.
For example, the election administrator (us, in this case) could have made up fake voters, issued multiple credentials to certain voters, or failed to deliver credentials to voters.
These challenges are also all present with paper elections, e.g. ballot stuffing, certain precincts with much longer voting lines than others, or dependence on the integrity of the postal mail system.
In some ways, the paper system looks superior, because meatspace attacks are much more expensive to scale up than digital.
But paper voting has a number of disadvantages compared to SIV too:
SIV does allow auditing the voter roll, which can be done efficiently with random-sampling.
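The random-sampling argument, both for the ballot-level checks above and for the voter-roll audit, rests on a standard hypergeometric calculation. The following is an added example, not SIV's own analysis: it assumes every sampled altered record is detected, and the population figures are constructed.

```python
from fractions import Fraction
from math import comb


def detection_probability(total: int, altered: int, sampled: int) -> Fraction:
    """P(a uniform sample without replacement holds >= 1 altered record)."""
    if not 0 <= altered <= total or not 0 <= sampled <= total:
        raise ValueError("need 0 <= altered <= total and 0 <= sampled <= total")
    # comb(total - altered, sampled) counts the samples that miss every
    # altered record; it is 0 once sampled exceeds total - altered.
    missed = Fraction(comb(total - altered, sampled), comb(total, sampled))
    return 1 - missed


def min_sample_size(total: int, altered: int, confidence) -> int:
    """Smallest sample that catches an altered record with this confidence."""
    if altered <= 0:
        raise ValueError("nothing to detect when altered == 0")
    for sampled in range(total + 1):
        if detection_probability(total, altered, sampled) >= confidence:
            return sampled
    return total


if __name__ == "__main__":
    # Constructed scenario: 10,000 records, 50 of them altered (0.5%).
    total, altered = 10_000, 50
    for confidence in (Fraction(90, 100), Fraction(95, 100), Fraction(99, 100)):
        n = min_sample_size(total, altered, confidence)
        print(f"{float(confidence):.0%} confidence: sample {n} of {total}")
```

The same function applies to the voter roll by treating "altered" as the number of fabricated or duplicated entries and "sampled" as the number of voters contacted.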
We're working to make these post-election verification steps faster & easier. But we believe, fundamentally, that the Voter-Verifiability SIV is built upon can achieve a far higher level of Common Agreement in the legitimacy of the voting process itself, compared to our current election processes.