Hi,
Norbert Thiebaud wrote:
>> I strongly suggest we simply copy the GNOME process here; this
>> generates a unique random key per person which is mailed out, and used
>> instead of a name when voting; thus the voting record can be published,
>> and independently analysed while keeping it anonymous (outside of the MC
>> that is).
> Just to make sure I understand it correctly:
> it is 'anonymous' but each voter knows _his_ anonymous token and
> therefore can verify that his vote has been recorded accurately, by
> cross-checking the published details/values, right?
I can explain the mechanism.
Before the election, a unique token is generated for every voter, and
stored with their email address. This token is mailed out to the voter.
Obviously, since these are stored together, there is no anonymity at
this point.
When I vote, I use my email address and this token to authenticate. Then
I'm brought to a page where I can order the candidates in order of
preference.
On successfully voting, a unique anonymous token is created, and stored
in an anonymous token table. This token is used (along with a
preference) to identify which candidates I voted for, and in what order.
The temporary token associated with the email address is at this point
deleted, leaving no way to connect the email address to the anon token.
Then we communicate the anonymous token to the voter, and tell him to
write it down somewhere so that he can check his vote later.
At the end of the election, this does leave us some standard election
type stuff you can do:
* We can tell whether someone has voted or not (but not how they voted)
by checking the temporary auth tokens still left in the database.
* We can publish the ballots, identified by the anon token, so anyone
can check the results, and check their own ballot, but not how others voted.
> and that is the basis of the temper proof mechanism.
Yes, basically.
There are of course security weak-points here. The first and weakest is
the voter's email client: if I gain access to the voter's mail, I can vote
in the place of someone using their email & token. The second is the
database itself: if I can get access to the authentication tokens and
the electorate, I can vote for anyone at all.
In principle, we can address the first with gpg, but not everyone
uploads a pgp key. The latter implies trusting the administrators of the
system to be honest. There are ways to encrypt the entire chain with
private key cryptography, but for us that would have complicated the
voting process for a substantial number of people, and been overkill.
> It is incumbent on each member to make sure that he received his token
> and that his vote is correctly counted.
Yes - we can of course resend tokens, and we announce the tokens have
been sent publicly. Until someone votes, we can get & resend the
temporary token easily.
> (that is, make sure that his email didn't get intercepted somehow, or
> that the MC did not receive a spoofed email).
Yes, this is the weak point, as I said. pgp signing proves provenance,
but doesn't prevent interception. pgp encryption would do the latter,
but not the former.
> I think that pgp/gpg-signing these emails would remove some possibility
> to interfere with the process.
You would also need to pgp encrypt the temporary token with the voter's
public key to ensure that the election administrator can't vote on
behalf of people.
> OpenSTV is GPL, but only available for download for a fee.
Really? News to me! It wasn't up until OpenSTV 1.6. I'd be happy to
share my copy with anyone who needs it.
Ooh: I just saw this on the openstv blog: http://www.openstv.org/node/133
If you have <=10 candidates and <=1000 voters, you can do the voting
online, with hosted OpenSTV.
> It would be nice to find a way for anyone, or at the very least for
> Members, to be able to use the raw result and re-calculate the result
> for themselves...
Why not buy one copy of the source code and share it among OOo members
who don't want to pay $5 to Jeff?
> PS: Not that I am overly concerned about election tempering... but as
Funny - I *just* realised that you meant "tamper" - I honestly thought
you wanted to "temper" (i.e. harden) the process. Sorry - that just amused
me - not picking on your grammar or anything.
Cheers,
Dave.
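As an added illustration of the two-token mechanism described in the message above (this is not code from the GNOME or OOo election system; the class and method names are my own assumptions), a minimal in-memory model showing the temporary auth token being destroyed at vote time, the turnout check, ballot publication and the voter's own verification:

```python
import secrets


class Election:
    """Toy model of the two-token ballot scheme; assumed names, not the real system."""

    def __init__(self, electorate):
        self.electorate = set(electorate)
        self.auth_tokens = {}   # email -> temporary token, deleted once the voter votes
        self.ballots = {}       # anonymous token -> ranked candidate list

    def enrol(self, email):
        """Generate the temporary token that is mailed to the voter."""
        token = secrets.token_urlsafe(16)
        self.auth_tokens[email] = token
        return token

    def resend_token(self, email):
        """Possible only until the voter votes; afterwards the row is gone."""
        return self.auth_tokens.get(email)

    def vote(self, email, auth_token, ranking):
        """Authenticate, file the ballot under a fresh anonymous token, then
        delete the email<->token row so nothing links the two any more."""
        expected = self.auth_tokens.get(email, "")
        if not secrets.compare_digest(expected.encode(), auth_token.encode()):
            raise PermissionError("unknown email, wrong token, or already voted")
        anon = secrets.token_urlsafe(16)
        self.ballots[anon] = list(ranking)
        del self.auth_tokens[email]
        return anon   # the voter writes this down to check the ballot later

    def has_voted(self, email):
        """Turnout check: a member with no temporary token left has voted."""
        if email not in self.electorate:
            raise KeyError(email)
        return email not in self.auth_tokens

    def publish(self):
        """Ballots keyed by anonymous token only, for an independent recount."""
        return sorted(self.ballots.items())

    def verify(self, anon, ranking):
        """What a voter does with the written-down token after publication."""
        return self.ballots.get(anon) == list(ranking)
```

Note that, exactly as the message says, the model still trusts whoever can read `auth_tokens` before the vote is cast; the deletion only protects anonymity after the fact.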