Case Study 1: The Voting Machine Dilemma

The Situation

Millbrook is a mid-sized city of approximately 180,000 residents in the American Midwest. In the most recent municipal election, turnout was 23% — a record low that embarrassed the city council and generated unflattering coverage in the regional press. Exit surveys and community forums identified several factors: inconvenient polling locations, long wait times due to aging voting machines, distrust of the vote-counting process following national controversies, and a general sense among younger residents that the system was outdated and opaque.

At a city council work session in January, Council Member David Park proposes exploring blockchain-based voting. Park, a former software engineer, has read about pilot programs in other cities and believes the technology could address multiple problems simultaneously. He presents a slide deck to the council with the following claims:

  1. Increased access: Voters could cast ballots from their phones or computers, eliminating the need to travel to polling places during specific hours.
  2. Transparency: Every vote would be recorded on a public ledger, allowing anyone to verify the total count independently.
  3. Tamper resistance: Once recorded, votes could not be altered, deleted, or manufactured, eliminating concerns about vote manipulation.
  4. Cost reduction: Over time, the system would be cheaper than maintaining aging voting machines, paying poll workers, and renting polling locations.
  5. Engagement: A modern, technology-forward voting system would appeal to younger voters and increase turnout.

The council, intrigued but cautious, commissions a study. They hire a consulting firm that returns a 40-page report three months later. The report's findings are more nuanced than Park's slide deck.

The Technical Assessment

The consulting firm evaluates three possible architectures:

Option A: Public blockchain (Ethereum-based). Votes are recorded as transactions on the Ethereum mainnet. This provides maximum transparency and tamper resistance, as the Ethereum blockchain is maintained by thousands of independent validators worldwide. However, votes are publicly visible (though pseudonymous), gas fees apply to each vote, and the city has no control over the underlying infrastructure.

Option B: Permissioned blockchain (Hyperledger-based). The city, the county election board, and three independent auditing firms operate a private blockchain network. Only authorized parties can read or write to the chain. This provides auditability among the consortium members while keeping individual votes confidential. However, it is less decentralized — the five parties collectively control the system.

Option C: Hybrid system. Votes are collected through a conventional web application, and a cryptographic hash of the complete vote tally is periodically anchored to a public blockchain. This provides some tamper evidence (any alteration of the tally would be detectable) while keeping the voting process itself familiar and accessible. However, the voting application itself is centralized.

The Arguments For

Proponents within the community make the following case:

The transparency argument. In the current system, voters drop paper ballots into a box and trust that they are counted correctly. The counting process happens behind closed doors, with observers from each party present but the general public excluded. A blockchain-based system could allow every voter to verify that their specific vote was recorded correctly and that the total tally matches the sum of individual votes. This is not merely a technical improvement; it is a democratic one.

The auditability argument. Recounts of paper ballots are expensive, slow, and contentious. In the current system, a recount requires physically re-examining thousands of paper ballots, a process that introduces its own errors. A blockchain record would make recounts trivial: the data is there, it is structured, and it can be verified by anyone with a computer.

The access argument. Millbrook's lowest-turnout precincts are in neighborhoods with limited public transportation. The residents most affected by inconvenient polling locations — hourly workers who cannot take time off, single parents without childcare, elderly residents with mobility issues — are disproportionately low-income and minority. Remote voting could address a genuine equity issue.

The modernization argument. Citizens interact with their bank, their employer, and their government through digital systems for virtually everything except voting. The argument that voting must remain paper-based in perpetuity strikes many residents as inconsistent with how every other civic process has evolved.

The Arguments Against

Opponents raise equally substantive concerns:

The secret ballot problem. Democratic elections require secret ballots — a guarantee that no one can determine how any specific individual voted. This prevents vote buying and voter coercion. On a public blockchain, even with pseudonymous addresses, the link between a voter's identity and their address must be established at some point (to prevent one person from voting twice). Maintaining true ballot secrecy while also allowing individual vote verification is a genuinely hard cryptographic problem. Solutions exist (zero-knowledge proofs, homomorphic encryption) but are complex and relatively unproven at scale.

The accessibility problem. Not all residents have smartphones or reliable internet access. Millbrook's digital divide closely tracks its economic divide: the same low-income neighborhoods with the worst polling-place access also have the lowest rates of broadband and smartphone adoption. A system that solves the physical-access problem while creating a digital-access problem may simply shift the burden rather than reducing it.

The security argument. Paper ballots have a crucial security property: they are physical objects that are hard to alter at scale. Hacking a paper election requires physically accessing ballot boxes in many locations. A digital system, by contrast, has a single attack surface: the software. If the voting application has a vulnerability — even if the blockchain layer is secure — the election can be compromised. Election security experts, including many computer scientists, have expressed deep skepticism about internet voting of any kind, blockchain-based or not.

The complexity argument. Millbrook's election officials, many of whom have decades of experience with paper systems, would need to be retrained. Voters would need to understand a new process. The system's security would depend on cryptographic assumptions that most participants (officials and voters alike) cannot evaluate. When something goes wrong — and in any complex system, something eventually will — the community's ability to understand, diagnose, and resolve the problem is critical.

The cost argument. The consulting firm estimates the initial development cost at $2.5 to $4 million, with annual maintenance of $300,000 to $500,000. Millbrook's current election budget is $1.2 million per cycle. The blockchain system would cost more, not less, at least for the first decade. The "cost reduction" claim applies only if the system replaces all paper voting, which no one recommends for at least the first several election cycles (during which both systems must run in parallel).

The Decision Framework Applied

Applying this chapter's decision framework to Millbrook's situation:

Multiple parties need to share data? Yes. Voters, candidates, election officials, auditors, and the general public all have a legitimate interest in the election data. This condition is met.

Those parties cannot or will not trust a single intermediary? This is where the analysis becomes nuanced. In principle, voters trust the election board to count votes honestly. In practice, trust in electoral institutions has declined significantly, and partisans on both sides regularly question election outcomes. Whether this erosion of trust is better addressed through institutional reform or technological guarantees is a values question, not a technical one.

The data needs to be tamper-evident? Absolutely. Election integrity requires that results cannot be altered after the fact. This condition is strongly met.

The value of decentralization exceeds its cost? This is the hardest question. The value — increased public confidence in election outcomes — is genuinely significant. The costs — financial expense, complexity, new security risks, potential accessibility barriers — are also significant. The answer depends on implementation quality, the specific system chosen, and how effectively the transition is managed.

The Expert Testimony

The council invites two expert witnesses to present at a public hearing.

Dr. Sarah Kim, a computer science professor specializing in election security, testifies against the proposal. "Paper ballots have a property that no digital system can match," she says. "They are physical artifacts that are independently verifiable. Any voter can understand how a paper ballot works. The security of a blockchain voting system depends on cryptographic assumptions that perhaps a few hundred people in the world can fully evaluate. When we ask voters to trust a system they cannot understand, we are not increasing democratic legitimacy — we are replacing one form of trust with another."

Marcus Rivera, a civic technology entrepreneur who has deployed blockchain voting in two pilot programs, testifies in favor. "Every system requires trust," he argues. "Voters already trust machines they don't understand — voting machines, optical scanners, centralized tabulators. The question is not whether trust is required, but where it is placed. A blockchain system distributes trust across a public, auditable network rather than concentrating it in a single vendor's proprietary software."

Both experts agree on one point: any blockchain voting system should be deployed incrementally, starting with low-stakes decisions (participatory budgeting, community surveys) before being considered for binding elections.

What Happened

The case study intentionally does not provide a resolution. Millbrook is a composite — drawn from the experiences of real cities that have considered or piloted blockchain voting systems, including Denver (which piloted mobile blockchain voting for overseas military personnel in 2019), Utah County (which used a blockchain platform for municipal elections), and several Swiss cantons (which have experimented with e-voting in various forms).

The results of these real-world experiments have been mixed. Pilot programs have generally functioned without major technical failures, but participation has been limited, costs have been higher than projected, and security experts have continued to raise concerns about the fundamental risks of internet-connected voting systems. Notably, MIT researchers published a detailed security analysis of the Voatz mobile voting platform used in several U.S. pilots, identifying multiple vulnerabilities including the potential for vote manipulation by the platform operator — precisely the centralization problem that blockchain was supposed to solve.

Questions for Analysis

  1. Council Member Park's original proposal listed five benefits. For each one, evaluate whether the benefit requires blockchain technology specifically, or whether it could be achieved through simpler technological means (e.g., an online voting portal without a blockchain, a paper ballot system with better logistics).

  2. The consulting firm presented three architectural options (public blockchain, permissioned blockchain, hybrid). For each option, identify the specific trust assumptions voters must make. Which trust assumptions are different from those in the current paper-ballot system? Which are the same?

  3. The secret ballot problem is perhaps the most fundamental tension in blockchain voting. A public ledger provides transparency; a secret ballot requires opacity. Can both be achieved simultaneously? Research zero-knowledge proofs (which will be covered in Chapter 14 of this textbook) and assess whether they offer a viable solution.

  4. If you were advising the Millbrook city council, what would you recommend? Specifically: Would you recommend any of the three options? Would you recommend a phased approach (starting with low-stakes votes like participatory budgeting before attempting to replace general elections)? Or would you recommend against blockchain voting entirely? Justify your recommendation with specific reference to the decision framework.

  5. The access argument cuts both ways: blockchain voting could increase access for some voters while creating barriers for others. Propose a design that addresses both physical-access and digital-access concerns. What compromises would this design require?