I hope sede - secure democracy ( http://www.law4.org/sede ) will become part of the GNU collection of software, which was always its goal.
Hi Karl,

Haven't heard from any decisions yet, so ... If I may: last time my project was reviewed by someone associated with GNU, they actually made a mistake about how it functions (Brave GNU World column). That mistake has never been rectified (though I asked for it). The matter of "e-voting" is too easily dismissed for reasons that do not apply to the system used by sede (voter-code voting). It is its 'own system,' having its own area of use. If any on topic debate is currently ongoing, perhaps it would be prudent if I could argue the case that it does work.

At the moment I'm reading about a failed e-voting attempt, which uses an architecture not used by sede.

http://www.bradblog.com/?p=8118
The BRAD BLOG : Iranian, Chinese Computers Also Discovered to Have Been Hacking D.C. Internet Voting System

Perhaps it might shed more light to put the sede system up 'in theory' against their system. In the sede system, if used to its maximum extent of anonymity meaning randomized voter registrations, would (for example) mean (using a push-channel method) creating a number of envelopes N containing encryption keys and ballot location information. Say the ballots are to go to the soldiers stationed in Baghdad, Iraq. The ballot access channels could first be randomized (rotating bins for example, under public review), and then stacked to go to each city or base. Then when it arrives at those bases, that package could again be loaded in bins and be distributed at random to the soldiers. At this point there is a reasonable chance that a significant number of these ballots has arrived at a soldier unknown to the voter-administration back in the USA.

Now comes the point where sede can not even be used for national elections, because you can prove what you vote. However, that doesn't mean it isn't a voting system in its own right. To be able to prove what you vote is in one sense a weakness, but in another sense it is a strength.
You can use it to give your vote-code to someone else, for example, and verify that they indeed vote the way you would like. It is a cultural assumption that too many people will sell their vote for money, causing corruption, an assumption which may be true. However that does not make that assumption true in every case where people might want to vote; both for Government representatives or for entirely different purposes and organizations.

Thus, the soldiers at this point may decide to vote, they type in their login and they take off the server an encrypted ballot. Say the encryption is strong enough to withstand most attacks for up to 3 weeks of hard cracking (?). Since the vote closes after 2 weeks of the ballots - which were encrypted off line and only moved encrypted online - that does not attack the vote result by attackers who take over connections; but the system is even impervious for if they do succeed ... as the voter can later verify online their vote-code has been the chosen vote and is accurately tallied as such.

So, the soldier takes the encrypted ballot, puts it on an information carrier (say USB stick), then moves that into an offline computer and then decrypts the ballot, fills out the ballot, and encrypts it again. He then puts the filled out ballot on the USB stick, and sends it over the established but anonymous connection to the USA vote administration.

At this point the anonymity can be attacked by for example an electronic surveillance system and monitoring ballot sizes and so on. But that has to be done at the point where the ballots come off the Internet on the far end; thus this requires a relatively large surveillance organization and effort. Note that with such an effort no person could sneeze without a report being filed on it; and neither vote in anonymity in a paper polling booth either. The extent of such a surveillance makes it less likely it actually occurs (significantly).
It would likely come out that there were attempts to break the vote.

The vote administration then takes the received encrypted ballots offline, decrypts them, computes the results (running sede processall); and publishes all the votes along with their vote-code, and then tallies of the votes. Because soldiers could have used the time before the result has been posted to show others their vote-code, if they had done so then they could prove what they had voted. If they receive a signed ballot with their vote-code, they could also prove their vote-code after all vote-codes had been published (and hence become public knowledge making it harder to prove one owned one particular of them.) The comment feature on the vote makes it also easy to prove one owned one certain vote code.

This is apparently taken as a problem by some people who do not see that such a system still works in its own ways, where such proof is not a problem and/or can be an asset. One would simply have to know that this is how it works, and whether therefore this tool applies to a certain requirement. It does not fit the requirement for national balloting which at the moment is geared toward a people who would happily sell away their vote for a few dollars (apparently), causing great corruption in the nation. But it could easily fit the requirements of for example a Union full of active members, who want to vote on the wage demands for the next year. They will not sell their vote, and most of them at best show their code to a few close friends and many wouldn't even bother with that either.
Then the result would end up published, and all the soldiers in Iraq could see whether the vote-code they got is actually tallied; and they have further security by watching their comments and screams and hugs they no doubt would like to post as comments (at their own risk), making it certain in their mind (and actually certain) that what they are seeing is their and only their vote (because a code could have been given to others, too, and a yes/no vote for example is hardly a unique identifier.)

Then, those soldiers who decided to sell their vote can prove to those they sold it to, that the vote-code had voted that way. I would like to point out that this is a rather theoretical issue, that it is also primarily a social ill of the very poor, and that ultimately people should own the backbone never to sell their soul like that. On the other hand, realizing that politics is corrupt all ways, then maybe by selling they may actually get more out of it - although I personally don't think that would often be the case. It is entirely possible that some day we have a people with which the power to prove your vote, but only if you decided to give that information, is not a problem but a benefit.

Meanwhile in the real world away from the extremes of theoretical chances ... people using sede in organizations will rarely have any trouble with vote selling; and even often will be able to conduct voting without any form of security whatsoever, sending ballots over the Internet in plain text (since the voters can always later verify). Who will want to hack & crack all the myriad of tiny little votes that may go on? Who has the time or interest to change a vote of a 30 person corporation on the color of their outfit? Even if they succeed, the result would show the manipulation. The corporation can react by increasing their security for next time, and re-doing the previous vote(s).
For larger votes that would be under attack, the primary assault would perhaps end up being a denial of service attack; since they can't crack the ballots in time, and can't ultimately control the presented end-result.

If an attacker is able to control how the result is presented to everyone in Baghdad, showing a specific result to Baghdad that the soldiers there would recognize as 'ok, that is our votes tallied ok,' but then the totals have to match up too. You can do that, but if you want to manipulate votes then you would have to show a different result to the soldiers in say Afghanistan; so that the tallies would always be right. In the Afghan result you would change the Baghdad votes, and vice versa, so that the tallies are right. But such major manipulations are relatively easy to find out by even one person (by comparing the results shown with other shows of it.) Such an attack is so dangerous that it would probably rarely be attempted. Note that an election result including everything is basically on the record forever.

Then of course there is the 'added votes' danger; but that is a danger which is reduced by the likelihood of that amount of voters actually existing. For example if there are 80.000 soldiers in Baghdad, and 55% vote, then you have 45% room to pretend votes; assuming those non-voters will not check that their vote-code did indeed not vote. Because if they do check their abstention as a real abstention, then that attack is also busted. Secondly, how likely is it then for example that 80% vote, rather than 55%? A few active people who do a number of spot independent checks to verify abstentions are real abstentions, that would probably go a long way in proving the result is accurate.

So, that is the system proposed by this. But you can even get around the entire problem of being able to prove your vote code from the eventual publication: simply never publish it.
If the vote-administration keeps the vote codes offline and only publishes the total tally, then it is more like a regular vote. However the voters lose the ability to verify that their vote was tallied correctly. Hence you pay heavily for more vote anonymity. Because the records could always later be released, you never know quite certainly that you can not prove your vote, ever.

One might ask what the benefit is then to let Iraqi soldiers vote in such a cumbersome way. Indeed a very good question, it is most likely a lot cheaper to send over simple paper ballots. With all the encryption/decryption and pushing of communication channels needed, the whole affair would probably be a bit of a hassle, certainly if it isn't streamlined in software/hardware etc yet. On the other hand, once the communication channel is created, in theory a vote could be done in minutes, back & forth to the USA.

I note that in Holland our Union already conducts votes in this way, using a vote-code which is never released. So that is already a real use for a sede system, but as far as I know they are using an unknown system for this, perhaps a few custom scripts.

best regards,
jos boersema
http://www.law4.org ( ./sede )

PS I am having an entire revolution & law system on my site, for which Internet anonymity is vital to protect people who want to view it as much as possible from near term or immediate state tyrannies. The more anonymous the Internet, the better for sede and my attempts at this. Secondly, I have decided to boycott biometric passports. The Dutch government is now demanding you give our finger prints if you apply for a new passport! I bought one at the last moment, and will not get a new one if it requires fingerprints. Hence, I have many reasons to be against biometric databases and the encroachment of a 'big brother' police state system; in fact against that threat is my entire website dedicated.

PPS Talking of which, I hope you won't only consider sede, but also what I have proposed there (www.law4.org), particularly the national Constitution.

--
http://www.Law4.org
Free markets and democracy, but now: properly.
Day 168 of the revolution.

_______________________________________________
gnu-misc-discuss mailing list
gnu-misc-discuss@gnu.org
http://lists.gnu.org/mailman/listinfo/gnu-misc-discuss
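
Added example, not part of the original message and not sede's own code: the checks the message describes on a published result (recounting the tally from the published vote-codes, a voter or an abstainer checking their own vote-code, and two observers comparing the copies they were shown). The record layout, the function names, the auditor's access to the list of issued codes, and the sample codes are all assumptions made for illustration.

```python
import hashlib
from collections import Counter

def record_digest(published):
    """Fingerprint of a published {vote_code: vote} record, for comparing copies."""
    lines = sorted(f"{code}:{vote}" for code, vote in published.items())
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()

def audit(published, announced, issued, my_code=None, my_vote=None):
    """Return the problems found; my_vote=None means 'I abstained'."""
    problems = []
    # 1. Anyone can recount the announced tally from the published codes.
    recount = Counter(published.values())
    for option in sorted(set(recount) | set(announced)):
        if recount.get(option, 0) != announced.get(option, 0):
            problems.append(f"tally mismatch for {option!r}")
    # 2. 'Added votes': codes that were never handed out (assumes the
    #    auditor has the list of issued codes).
    for code in sorted(set(published) - set(issued)):
        problems.append(f"unissued code {code} listed as voting")
    # 3. The holder of a code checks their own entry, or their abstention.
    if my_code is not None:
        listed = published.get(my_code)
        if my_vote is None and listed is not None:
            problems.append(f"code {my_code} abstained but is listed as {listed!r}")
        elif my_vote is not None and listed != my_vote:
            problems.append(f"code {my_code} cast {my_vote!r} but is listed as {listed!r}")
    return problems

# Constructed sample data (not from any real vote).
ISSUED = {"k3f9", "p7m2", "z1q8", "t5w4", "b6r0"}
HONEST = {"k3f9": "yes", "p7m2": "no", "z1q8": "yes"}
# Abstainers' codes used to pad the result.
PADDED = dict(HONEST, t5w4="no", b6r0="no")
# Two audiences shown different records with the same totals.
VIEW_A = {"k3f9": "yes", "p7m2": "no", "z1q8": "no"}
VIEW_B = {"k3f9": "no", "p7m2": "no", "z1q8": "yes"}

if __name__ == "__main__":
    print(audit(HONEST, {"yes": 2, "no": 1}, ISSUED, "k3f9", "yes"))
    print(audit(PADDED, {"yes": 2, "no": 3}, ISSUED, "t5w4", None))
    # Each voter sees their own vote and a consistent tally in "their" view...
    print(audit(VIEW_A, {"yes": 1, "no": 2}, ISSUED, "k3f9", "yes"))
    print(audit(VIEW_B, {"yes": 1, "no": 2}, ISSUED, "z1q8", "yes"))
    # ...but the two copies do not match when compared.
    print(record_digest(VIEW_A) == record_digest(VIEW_B))
```

Each individual check passes in both manipulated views; only the digest comparison between observers exposes the difference, which is why the comparison step matters.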