Spec for anonymous voting
- From: David Neary <dneary free fr>
- To: foundation-list gnome org
- Cc: elections gnome org
- Subject: Spec for anonymous voting
- Date: Wed, 01 Jun 2005 20:38:11 +0200
Hi,
During GUADEC, the point was mentioned that there was no-one working on
anonymous voting, and no clear idea how to do it. Myself and Vincent
Untz brainstormed for a while, and got input from a number of other
people (crevette, Seth Nickell, Brian Clark, others that I have
forgotten becase this was during the party Monday night).
To be clear, this is just a spec. I'm not going to implement it :) This
is a call for comments and volunteers. We are not tied to this
proposition. We're not even obliged to come up with a solution. If there
is a free software system out there which handles this problem, I think
we should use it. Reccommendations of systems which fit our needs are
welcome.
Before you get started, one small last point: No public key cryptography
for the members, please. Think usecase #3. We need a low barrier to entry.
Here's the main points to come out of the brainstorm.
Anonymous voting mini-spec
==========================
(comments needed, especially better counter-propositions)
Principle: We want people to be able to vote in Foundation elections,
and have no link between the person's vote and their foundation
membership details.
Use cases:
1. Harry Fowler, maintainer of gaggle, is a member of the foundation. He
receives instructions on how to vote and follows them. After voting,
because he's paranoid, he checks online using some kind of
authentication that his vote has been taken into account and is correct.
2. Timmy Ballbuster, who joined the foundation in the days when slashdot
comments saying "GNOME rules!" were good enough to get into the
foundation, doesn't believe that the elections committee counted the
votes right. He goes online after the election, and can see all of the
votes cast. He then spends an entire Friday night doing his bit for the
community counting how many votes his friend Jim, who was running on a
platform of making module maintainers hang out all day on IRC so that
they can get in touch with the users, got.
3. Harold Fowler Snr., Harry's dad, got involved in GNOME because his
son kept installing it on the computer. Harold doesn't know how to use
the command line, and wants to vote without having to do anything which
is not available on a basic GNOME install. To make things even more
complicated, Harry and Harold use the same email address, with different
names.
4. Timmy was so busy getting upset about how the maintainers werre
ignoring his demands to change the default theme that he accidentally
deleted the instructions how to vote. He contacts the elections guys to
ask for a new ballot.
5. Crazy Horse McMahon is running for the board, and wants to generate
ballots for loads of people he knows won't vote, and won't check whether
they voted, so that he can get elected and embezzle the foundation's
bulging coffers. He knows how the election board generate ballots.
6. Ben Teller didn't vote, and wants to make sure that no-one voted in
his place. After the election, he checks the list of voters that's
published to make sure he's not on the list.
Proposition
===========
(with use-cases addressed in brackets)
The elections committee generates a unique token for each foundation
member, and sends them an e-mail to their account with instructions how
to vote [1].
The token is a hash of the (Firstname Surname email-address) combination
which uniquely identifies a member [1,3].
The token/name pair is stored for reference by the elections committee.
The hash is then encrypted with the election committee private key, to
prevent just anyone from generating a voting token, but to allow the
election committee to generate one at will for a user [4,5].
A secure website is created where the voter enters their token into an
entry box, and registers their vote [4]. The vote is stored, with the
token entered. The name/token pair corresponding to the entered token is
then deleted.
A form is created which allows anyone to enter their token, and find out
whether they have voted yet [1]. In addition, after the election, all of
the votes (along with the tokens) are published online for inspection [2].
The list of voters is generated after the election by taking the
compliment of the name/token pairs left in the stored elections
committee list [6].
Reasons why this proposition isn't ideal
========================================
- Name/token pairs are stored (trusting the infrastructure)
- E-mail to foundation members could be intercepted (trusting the medium)
- We trust the election committee not to generate tokens to vote for
their buddies (trusting the people)
Cheers,
Dave.
--
Dave Neary
bolsh gimp org
Lyon, France
[Date Prev][
Date Next] [Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]