Re: RFC: anonymous voting system



Hi,

Le dimanche 25 septembre 2005 Ã 15:57 -0600, Andreas J. Guelzow a
Ãcrit :
On Sun, 2005-25-09 at 17:07 +0200, Vincent Untz wrote:
  + You'll need to trust people with access to the database/code since
    they can do a lot of bad things.
    => You already trust the membership & elections committee and the
       gnome.org admins, don't you? :-) More seriously, this is again
       something that is not different from the current system.

I would like to disagree. This is very different from the old system. In
the old system everybody was able and encouraged to check their votes
and see those of others so that little "trust" was needed. In that
system also everybody was able to see who did not vote. Under the new
system that privilege remains with only a few (whom we likely trust not
to abuse it). Nevertheless, this is significantly different from the old
system. 

In the new system, everybody is able and encouraged to check their votes
too: this is in fact the only use of the anonymous token. You can also
see the other votes but you don't know who has voted for who/what.
That's the only real difference. See for example:
http://vuntz.net/tmp/voting/votes.php?election_id=1

Another difference is that a few people *could* add an anonymous token
to the list of votes by modifying the database or the code.

Let's look at what we have now. The script that counts the vote uses the
list of current members and the archives of the vote mailing list (and a
secret string). The archives are patched to avoid some processing
problems. Our current system is already broken in some ways:

 + do you verify that the list of members is correct? I could add some
false members and vote multiple times if I wanted. I'm pretty sure no
one would notice. (I obviously never did that)

 + do you ask every member that his/her vote is correct? I could indeed
send a vote for a member who is likely to not vote (and thus likely to
not verify the results too), or modify a member's vote in the archives
patch, or something else like this. If someone notices a weird change in
the patch, I could argue it's a human error (it can happen, can't it?).
(I also never did that)

 + a sysadmin could remove a vote from the mailing list archives. (I
don't think it ever happened)

Now, let's step back a bit. We decided anonymous voting will be what
we'll do. With anonymous voting, you're not supposed to be able to
verify who voted for what/who (although you're able to see the votes).
We can make the list of people who voted public if you want this and if
everyone is okay. But I don't see how we can do better.

A question: what happens if one tries to vote and the token has already
been used (by somebody who intercepted the insecure mail). 

Then this person can not vote since the token has already been used. The
only solution to this problem would require some encryption somewhere.
We can request that every member has a PGP key for example. But I don't
believe this will happen until PGP is integrated in GNOME and usable
without technical knowledge.

Vincent

-- 
Les gens heureux ne sont pas pressÃs.




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]