Spec for anonymous voting

From: David Neary <dneary free fr>
To: foundation-list gnome org
Cc: elections gnome org
Subject: Spec for anonymous voting
Date: Wed, 01 Jun 2005 20:38:11 +0200

Hi,

During GUADEC, the point was mentioned that there was no-one working onanonymous voting, and no clear idea how to do it. Myself and VincentUntz brainstormed for a while, and got input from a number of otherpeople (crevette, Seth Nickell, Brian Clark, others that I haveforgotten becase this was during the party Monday night).

To be clear, this is just a spec. I'm not going to implement it :) Thisis a call for comments and volunteers. We are not tied to thisproposition. We're not even obliged to come up with a solution. If thereis a free software system out there which handles this problem, I thinkwe should use it. Reccommendations of systems which fit our needs arewelcome.

Before you get started, one small last point: No public key cryptographyfor the members, please. Think usecase #3. We need a low barrier to entry.


Here's the main points to come out of the brainstorm.

Anonymous voting mini-spec
==========================

(comments needed, especially better counter-propositions)

Principle: We want people to be able to vote in Foundation elections,and have no link between the person's vote and their foundationmembership details.


Use cases:

1. Harry Fowler, maintainer of gaggle, is a member of the foundation. Hereceives instructions on how to vote and follows them. After voting,because he's paranoid, he checks online using some kind ofauthentication that his vote has been taken into account and is correct.

2. Timmy Ballbuster, who joined the foundation in the days when slashdotcomments saying "GNOME rules!" were good enough to get into thefoundation, doesn't believe that the elections committee counted thevotes right. He goes online after the election, and can see all of thevotes cast. He then spends an entire Friday night doing his bit for thecommunity counting how many votes his friend Jim, who was running on aplatform of making module maintainers hang out all day on IRC so thatthey can get in touch with the users, got.

3. Harold Fowler Snr., Harry's dad, got involved in GNOME because hisson kept installing it on the computer. Harold doesn't know how to usethe command line, and wants to vote without having to do anything whichis not available on a basic GNOME install. To make things even morecomplicated, Harry and Harold use the same email address, with differentnames.

4. Timmy was so busy getting upset about how the maintainers werreignoring his demands to change the default theme that he accidentallydeleted the instructions how to vote. He contacts the elections guys toask for a new ballot.

5. Crazy Horse McMahon is running for the board, and wants to generateballots for loads of people he knows won't vote, and won't check whetherthey voted, so that he can get elected and embezzle the foundation'sbulging coffers. He knows how the election board generate ballots.

6. Ben Teller didn't vote, and wants to make sure that no-one voted inhis place. After the election, he checks the list of voters that'spublished to make sure he's not on the list.


Proposition
===========
(with use-cases addressed in brackets)

The elections committee generates a unique token for each foundationmember, and sends them an e-mail to their account with instructions howto vote [1].

The token is a hash of the (Firstname Surname email-address) combinationwhich uniquely identifies a member [1,3].


The token/name pair is stored for reference by the elections committee.

The hash is then encrypted with the election committee private key, toprevent just anyone from generating a voting token, but to allow theelection committee to generate one at will for a user [4,5].

A secure website is created where the voter enters their token into anentry box, and registers their vote [4]. The vote is stored, with thetoken entered. The name/token pair corresponding to the entered token isthen deleted.

A form is created which allows anyone to enter their token, and find outwhether they have voted yet [1]. In addition, after the election, all ofthe votes (along with the tokens) are published online for inspection [2].

The list of voters is generated after the election by taking thecompliment of the name/token pairs left in the stored electionscommittee list [6].


Reasons why this proposition isn't ideal
========================================

 - Name/token pairs are stored (trusting the infrastructure)
 - E-mail to foundation members could be intercepted (trusting the medium)

- We trust the election committee not to generate tokens to vote fortheir buddies (trusting the people)



Cheers,
Dave.


--
Dave Neary
bolsh gimp org
Lyon, France

Follow-Ups:
- Re: Spec for anonymous voting
  - From: Vincent Untz
- Re: Spec for anonymous voting
  - From: Ross Golder
- Re: Spec for anonymous voting
  - From: Davyd Madeley

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]