Spec for anonymous voting


During GUADEC, the point was mentioned that there was no-one working on anonymous voting, and no clear idea how to do it. Myself and Vincent Untz brainstormed for a while, and got input from a number of other people (crevette, Seth Nickell, Brian Clark, others that I have forgotten because this was during the party Monday night).

To be clear, this is just a spec. I'm not going to implement it :) This is a call for comments and volunteers. We are not tied to this proposition. We're not even obliged to come up with a solution. If there is a free software system out there which handles this problem, I think we should use it. Recommendations of systems which fit our needs are welcome.

Before you get started, one small last point: No public key cryptography for the members, please. Think use case #3. We need a low barrier to entry.

Here's the main points to come out of the brainstorm.

Anonymous voting mini-spec

(comments needed, especially better counter-propositions)

Principle: We want people to be able to vote in Foundation elections, and have no link between the person's vote and their foundation membership details.

Use cases:

1. Harry Fowler, maintainer of gaggle, is a member of the foundation. He receives instructions on how to vote and follows them. After voting, because he's paranoid, he checks online using some kind of authentication that his vote has been taken into account and is correct.

2. Timmy Ballbuster, who joined the foundation in the days when slashdot comments saying "GNOME rules!" were good enough to get into the foundation, doesn't believe that the elections committee counted the votes right. He goes online after the election, and can see all of the votes cast. He then spends an entire Friday night doing his bit for the community counting how many votes his friend Jim, who was running on a platform of making module maintainers hang out all day on IRC so that they can get in touch with the users, got.

3. Harold Fowler Snr., Harry's dad, got involved in GNOME because his son kept installing it on the computer. Harold doesn't know how to use the command line, and wants to vote without having to do anything which is not available on a basic GNOME install. To make things even more complicated, Harry and Harold use the same email address, with different names.

4. Timmy was so busy getting upset about how the maintainers were ignoring his demands to change the default theme that he accidentally deleted the instructions on how to vote. He contacts the elections guys to ask for a new ballot.

5. Crazy Horse McMahon is running for the board, and wants to generate ballots for loads of people he knows won't vote, and won't check whether they voted, so that he can get elected and embezzle the foundation's bulging coffers. He knows how the election board generate ballots.

6. Ben Teller didn't vote, and wants to make sure that no-one voted in his place. After the election, he checks the list of voters that's published to make sure he's not on the list.

(with use-cases addressed in brackets)

The elections committee generates a unique token for each foundation member, and sends them an e-mail to their account with instructions on how to vote [1].

The token is a hash of the (Firstname Surname email-address) combination which uniquely identifies a member [1,3].

The token/name pair is stored for reference by the elections committee.

The hash is then encrypted with the election committee's private key, so that not just anyone can generate a voting token, while the election committee can still generate one at will for a given member [4,5].

A secure website is created where the voter enters their token into an entry box, and registers their vote [4]. The vote is stored, with the token entered. The name/token pair corresponding to the entered token is then deleted.

A form is created which allows anyone to enter their token, and find out whether they have voted yet [1]. In addition, after the election, all of the votes (along with the tokens) are published online for inspection [2].

The list of voters is generated after the election by taking the complement, against the full membership list, of the name/token pairs left in the stored elections committee list [6].
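The steps above, written out as a small model so the interaction between the token, the stored name/token pairs and the published vote list can be followed end to end. This is an added example, not code from the original post or from the GNOME elections committee. It assumes SHA-256 for the member hash and, as a stand-in for encrypting the hash with the committee's private key, an HMAC over the hash keyed with a committee secret (chosen so the example needs only the Python standard library); the member names and e-mail addresses are constructed from the use cases.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Separator that cannot occur in a name or e-mail address, so that
# ("Harry", "Fowler", addr) and ("Harold", "Fowler", addr) never collide
# even though the two share one address (use case 3).
_SEP = "\x1f"


def member_hash(firstname: str, surname: str, email: str) -> str:
    """Hash of the (Firstname Surname email-address) combination from the spec."""
    identity = _SEP.join((firstname, surname, email))
    return hashlib.sha256(identity.encode("utf-8")).hexdigest()


class Election:
    """Constructed model of the elections committee's side of the mini-spec.

    committee_key stands in for the committee's private key: the HMAC tag it
    produces over the member hash (an assumed substitute for the encryption
    step in the spec) is what stops someone who knows the hashing scheme from
    minting tokens for other members (use case 5).
    """

    def __init__(self, committee_key: bytes) -> None:
        self._key = committee_key
        self.members: List[str] = []        # full name of every member
        self.pending: Dict[str, str] = {}   # token -> name; deleted once the token votes
        self.votes: Dict[str, str] = {}     # token -> ballot; published after the election

    def _tag(self, digest: str) -> str:
        return hmac.new(self._key, digest.encode("ascii"), hashlib.sha256).hexdigest()

    def issue_token(self, firstname: str, surname: str, email: str) -> str:
        """Generate a member's voting token; calling it again re-issues the
        same token, which is how a lost ballot is replaced (use case 4)."""
        digest = member_hash(firstname, surname, email)
        token = f"{digest}:{self._tag(digest)}"
        name = f"{firstname} {surname}"
        if name not in self.members:
            self.members.append(name)
        if token not in self.votes:         # never resurrect a pair that already voted
            self.pending[token] = name
        return token

    def valid_token(self, token: str) -> bool:
        """True only for tokens tagged with the committee key."""
        digest, sep, tag = token.partition(":")
        if not sep or len(digest) != 64:
            return False
        return hmac.compare_digest(tag, self._tag(digest))

    def cast_vote(self, token: str, ballot: str) -> bool:
        """The secure website: store the ballot under the token and drop the
        name/token pair. A forged, unknown or already-used token is refused
        (refusing a second vote is an assumption the spec does not spell out)."""
        if not self.valid_token(token) or token not in self.pending:
            return False
        self.votes[token] = ballot
        del self.pending[token]
        return True

    def lookup_vote(self, token: str) -> Optional[str]:
        """The check-my-vote form (use case 1): the stored ballot, or None."""
        return self.votes.get(token)

    def published_votes(self) -> List[Tuple[str, str]]:
        """What is published after the election: every (token, ballot) pair."""
        return sorted(self.votes.items())

    def tally(self, candidate: str) -> int:
        """What anyone can recount from the published list (use case 2)."""
        return sum(1 for _, ballot in self.published_votes() if ballot == candidate)

    def voter_list(self) -> List[str]:
        """Published list of voters (use case 6): the membership minus the
        names whose name/token pairs are still pending."""
        non_voters = set(self.pending.values())
        return sorted(name for name in self.members if name not in non_voters)


if __name__ == "__main__":
    election = Election(b"constructed-committee-key")
    harry = election.issue_token("Harry", "Fowler", "fowler@example.org")
    election.issue_token("Harold", "Fowler", "fowler@example.org")
    election.issue_token("Ben", "Teller", "ben@example.org")
    print("Harry votes:", election.cast_vote(harry, "Jim"))
    print("Harry's stored ballot:", election.lookup_vote(harry))
    print("Voters:", election.voter_list())
    print("Votes for Jim:", election.tally("Jim"))
```

Two things the model makes visible: the member hash on its own is computable by anyone who knows a member's name and e-mail address, which is exactly why the spec adds the committee-key step before the hash becomes a token; and whoever holds that key can still mint a token for any name, which is the "trusting the people" caveat listed below. The published (token, ballot) pairs carry no names, so the recount in use case 2 works without linking ballots to members, while the committee's own name/token list is the one piece of state that must be protected.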

Reasons why this proposition isn't ideal

 - Name/token pairs are stored (trusting the infrastructure)
 - E-mail to foundation members could be intercepted (trusting the medium)
 - We trust the election committee not to generate tokens to vote for their buddies (trusting the people)


Dave Neary
bolsh gimp org
Lyon, France
