XX — Voting modalities

Chapter XX

VOTING MODALITIES

The proposed system relies on frequent voting: elections, recalls, referendums. This section describes the technical infrastructure that makes all of this possible, while guaranteeing anonymity, security, and practicality.

20.1 — The Anonymous Voter Card

Voting anonymity is fundamental. The system relies on an architecture where three elements are separated and never linked:

| Element | Content | Held by |
|---|---|---|
| Identity card | Name, photo, biometric A (fingerprints) | Citizen + civil registry |
| Voter card | Random number, biometric B (iris), encrypted census weight | Citizen only |
| Electoral register | Card numbers → encrypted votes | Electoral authority |

Table 20.1 — Identity/vote separation architecture

No database links identity ↔ card number. Anonymity is structural, not merely legal.

Figure 20.1 — Separation of electoral data

Assignment process:

  1. The citizen presents themselves at city hall with their identity card
  2. Verification: they haven’t already received a card (register “has received a card”, without the number)
  3. The clerk opens a bin containing at least 100 pre-generated cards (random numbers, not activated)
  4. The citizen picks one at random themselves—the clerk never touches the card, never sees the number
  5. The citizen goes into a booth to activate the card, register biometric B (iris), and receive the paper document (PIN, PUK, ownership code)
  6. The clerk validates “card delivered” without ever knowing which number

Annual update of census weight:

  1. The citizen goes to a secure terminal (city hall, dedicated booth)
  2. Identity card insertion → the terminal queries the tax administration → retrieves the calculated weight
  3. Voter card insertion → the terminal writes the encrypted weight on the card
  4. The terminal immediately erases the link—no log, air-gapped machine (no network connection)

Distinct biometrics: Fingerprints (identity card) and iris (voter card) are different biometrics. It is impossible to link the two cards by matching biometrics across databases.

Loss or theft: The citizen presents themselves with their identity card + ownership code. The old number is blacklisted. New card with new random number. No identity ↔ number link is ever stored.

20.2 — The Physical Booth

For votes with high coercion risk, voting takes place in a permanent booth at city hall, during extended hours (like a photo booth). The citizen goes there alone, inserts their card, enters their PIN, and uses their biometrics.

Voting in the booth:

  1. Authentication: identity card (photo + biometric A), then voter card (biometric B + PIN)
  2. Vote choice (or white/gray) + option “I want to be able to recall”
  3. The encrypted vote + encrypted weight are transmitted to the server with the card number—no identity data is transmitted
  4. The citizen leaves with a verification code (proves their vote was counted, not for whom)

Open source code: The booth software is published. Before each election, randomly selected machines are audited—hash comparison with published code. Tech-savvy citizens can verify the checksum in the booth.
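One way to carry out the hash comparison described above, as an added example that is not code from the original page or the project. It assumes SHA-256 and a per-file manifest published alongside the source; the function names and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def tree_manifest(root):
    """Map each file's relative path to its SHA-256 digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest

def release_digest(manifest):
    """Single checksum over the sorted manifest, the value a citizen could compare."""
    h = hashlib.sha256()
    for rel in sorted(manifest):
        h.update(f"{manifest[rel]}  {rel}\n".encode())
    return h.hexdigest()

def audit(published, installed):
    """Return every deviation of an installed tree from the published manifest."""
    return {
        "modified": sorted(p for p in published
                           if p in installed and installed[p] != published[p]),
        "missing": sorted(p for p in published if p not in installed),
        "unexpected": sorted(p for p in installed if p not in published),
    }

def demo():
    """Constructed sample: a reference build and a booth image that drifted from it."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as booth:
        for root, files in ((ref, {"vote.py": b"count()", "ui/screen.txt": b"v1"}),
                            (booth, {"vote.py": b"count()+1", "extra.bin": b"?"})):
            for rel, data in files.items():
                os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
                with open(os.path.join(root, rel), "wb") as f:
                    f.write(data)
        published, installed = tree_manifest(ref), tree_manifest(booth)
        return audit(published, installed), release_digest(published) == release_digest(installed)
```

A checksum displayed by the booth is computed by the very software being checked, so the audit of randomly selected machines should read the storage from separate, trusted equipment.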

This physical displacement has several virtues:

Reflection time: no recall in the heat of the moment, under the emotion of a controversy. The trip is a decompression chamber.

Real will: if you make the trip, you really mean it. It’s a natural filter against fickleness.

Protection against coercion: even if an abusive spouse knows the codes, they cannot enter the booth in place of their victim (biometrics) and cannot see what they do there. You can tell them “it’s done” and do the opposite. They will never know.

20.3 — Technical Security of the Booth

The booth is designed to ensure the citizen is alone and free:

Presence detection: if the system detects two people in the cabin, or if the door remains open, it refuses to function. No one can watch over your shoulder.

Electronic device detection: if a phone, camera, or any other recording device is detected, the system locks. You cannot be forced to film your vote to prove to someone what you did.

These technical protections make coercion practically impossible. Even under threat, you can enter the booth and do what you want. No one can verify.

20.4 — Online Voting

The proposed system multiplies voting occasions: elections, recalls, constitutional referendums, treaty referendums, major public contract referendums… If everything had to be done in physical booths, citizens would spend their lives at city hall.

The solution: distinguish by coercion risk.

Mandatory physical booth:

  • Elections (electing people)
  • Recalls (removing people)
  • Constitutional referendums (fundamental stakes)

These votes concern people or existential stakes. Coercion risk is maximal: an employer may want to know who you vote for, a violent spouse may demand proof. The physical booth with presence detection and electronic device blocking remains indispensable.

Online voting possible:

  • Referendums on public contracts
  • Ordinary referendums (laws, trade treaties, local issues)

These votes concern projects or texts. Coercion risk is lower: nobody is going to threaten their spouse to vote for a particular tram supplier. And even if someone tried to coerce, the personal stake is smaller—the victim can yield without betraying their deep convictions.

Online voting guarantees:

  • Authentication by voter card + PIN + SMS code or dedicated app
  • End-to-end encryption—the server only sees the encrypted vote and encrypted weight
  • Ability to “re-vote” during the voting period—only the last vote counts. This allows a person under duress to vote under surveillance, then re-vote alone later
  • Verification code—the citizen can verify their vote was counted
  • Public audit of source code
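The re-vote and verification-code guarantees above, sketched as an added example that is not code from the original page or the project. The receipt format, the card numbers, and the rule that ballots from a card blacklisted afterwards are dropped are assumptions made for illustration; ciphertexts are opaque constructed bytes.

```python
import hashlib
from dataclasses import dataclass, field

def receipt(seq, ciphertext):
    """Assumed code format: truncated SHA-256 over log position and ciphertext."""
    return hashlib.sha256(seq.to_bytes(8, "big") + ciphertext).hexdigest()[:16]

@dataclass
class BallotBox:
    """Electoral register: card numbers -> encrypted votes, no identity stored."""
    blacklist: set = field(default_factory=set)  # card numbers reported lost or stolen
    log: list = field(default_factory=list)      # append-only (seq, card, ciphertext)

    def cast(self, card, ciphertext):
        """Record a ballot and return the voter's verification code."""
        if card in self.blacklist:
            raise PermissionError("card number is blacklisted")
        seq = len(self.log)  # server-assigned order; client clocks are not trusted
        self.log.append((seq, card, ciphertext))
        return receipt(seq, ciphertext)

    def effective(self):
        """Ballots passed to the tally: the last one per card."""
        last = {}
        for seq, card, ciphertext in self.log:
            last[card] = (seq, ciphertext)  # a later ballot replaces an earlier one
        # Assumption: ballots from a card blacklisted afterwards are dropped too.
        return {c: v for c, v in last.items() if c not in self.blacklist}

    def is_recorded(self, code):
        """Confirm a code matches a logged ballot, without saying whether it was
        later replaced, so a kept code from a supervised vote reveals nothing."""
        return any(receipt(s, ct) == code for s, _, ct in self.log)

def demo():
    """Constructed sample: one voter re-votes, one card is blacklisted after voting."""
    box = BallotBox()
    first = box.cast("C-1001", b"ciphertext-under-duress")
    second = box.cast("C-1001", b"ciphertext-alone")
    box.cast("C-2002", b"ciphertext-other")
    box.blacklist.add("C-2002")
    return box, first, second
```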

The right to vote in a booth remains open. Even for an ordinary referendum, any citizen can choose to vote in a physical booth rather than online. It’s an option, not an obligation.

Volume becomes manageable. With online voting for ordinary referendums, the system can function without drowning citizens. Physical trips are reserved for stakes where maximum protection is necessary.


20.5 — Case Study (Empirical Example): Estonian Electronic Voting (i-Voting, 2005-present)

Estonia is the only country in the world to have generalized online voting for national elections [132][133]. Since 2005, any citizen can vote from their computer using their electronic identity card. In 2023, 51% of votes in legislative elections were cast online [134].

What Worked

Massive progressive adoption. From 2% of votes in 2005 to 51% in 2023. Trust was built election after election. The system wasn’t abruptly imposed—it was progressively adopted by citizens [132].

Solid digital identity infrastructure. i-Voting relies on the ID-kaart (electronic identity card) and Mobile-ID. 98% of Estonians have a digital identity. Voting is just one application among others (banking, taxes, health) [133].

Ability to re-vote. Voters can modify their vote as many times as they wish during the early voting period. Only the last vote counts. This is protection against coercion: you can vote under surveillance, then re-vote alone later [132].

Individual verification. Since 2013, each voter can verify via their smartphone that their vote was correctly recorded [134].

Low marginal cost. Once infrastructure is in place, cost per vote is negligible. No need for additional physical booths, electoral personnel, manual counting.

Accessibility. People with reduced mobility, expatriates, citizens traveling can vote without logistical constraints.

What’s Problematic

Identified vulnerabilities. Researchers have demonstrated potential flaws: malware on the voter’s computer, attacks on collection servers, possible server-side manipulation [133]. No successful attack has been proven, but theoretical risk exists.

Unverifiable trust. The ordinary citizen cannot audit the system. They must trust experts and authorities. The code is published, but few people can actually verify it.

Risk concentration. A successful attack on the central system could affect the entire election, unlike decentralized physical polling stations.

No paper receipt. Unlike physical voting, there’s no material trace. An independent recount is impossible.

Residual coercion risk. Despite re-voting, a sophisticated coercer could monitor until the end of the voting period. Risk is reduced, not eliminated.

What We Keep from the Estonian Model

  • The ability to re-vote as protection against coercion
  • Individual verification that the vote was recorded
  • Digital identity infrastructure as prerequisite
  • Progressive adoption that builds trust
  • Public source code for auditability

What We Improve

  • Distinction by coercion risk: our system reserves online voting for ordinary referendums. Elections (people) and constitutional referendums remain in physical booths—Estonia allows online voting for everything
  • Reinforced physical booth: presence detection, electronic device blocking—protections Estonia cannot offer for home voting
  • Identity/vote separation: our system uses two distinct cards (identity and voter) with different biometrics. Estonia uses the same card for everything

What We Don’t Keep

  • Online voting for elections of people: coercion risk is too high
  • Trust in home voting: even with re-voting, the physical booth remains superior for major stakes
  • Absence of material trace: our system maintains backups and audit mechanisms
