
Secret Ballots: How Secret



TL;DR: I'm proposing that the way we handle DPL elections today is a
good start for what secret means.



Holger asked what I meant by secret.
He asked that in a thread discussing stuff related to the project
secretary, and I didn't think an answer belonged there.
So I'm starting a separate thread.

As a reminder, this all comes out of GR 2021_002, where we had a fairly
controversial statement with many ballot options.
Several people raised the concern that they felt uncomfortable voting if
their ballot choices were going to be up on the Internet for everyone to
see.

People were much more concerned about that than worried that the
secretary might disclose their vote.

I think the way we handle DPL elections is a good compromise between
secrecy and accountability.  (At least assuming that we do not retain
the actual votes long term.)


* The ballots are public, but the mapping from voters to ballot is not.

* Voters get a hash sufficient to prove that their ballot is included in
  the totals.

* The list of voters is public.

Anyone can verify that the ballots correspond to the totals.
Anyone can verify that their ballot was included in the totals.

An attacker can mount a number of attacks on this system:

- They can include an extra vote.  They need to add someone who would be
  a valid voter.  They run the risk that person notices they were
  included even though they did not vote.

- They can change a vote.  They run the risk that voter will attempt to
  verify their vote and discover it is counted incorrectly.

Assuming the secretary is well trusted, I think those attacks are
acceptable residual risk from a security standpoint.

If it were up to me, that's where I'd leave things.  I might double
check that we had a data retention policy and that, in the way we
present hashes to people, a voter can verify the hash includes their
voter identity.
But for my level of paranoia, I think the way we handle DPL elections is
fairly good.

Pierre-Elliott, who is another one of the drivers for the secret ballot
work was interested in exploring other options, involving better
cryptographic proof.
The plan was to go put together a DEP on anonymous secret voting.

I don't want to wait for that DEP, and I don't know how the discussions
will conclude.

I also don't think those details belong in the constitution.

So, effectively, the proposal:

1) Removes the claim that what people vote for becomes public after the
election

2) Leaves the specific voting mechanism up to the secretary (removing
the strict requirement it happen via email)

3) Provides a way for the project to override the secretary if they
disagree with the voting mechanism

I proposed specific text for points 1-2 above back when this thread
started.
I proposed text for point 3 a couple weeks ago.

My plan is to go refine the specific proposals based on comments on the
list and publish things in the form of a diff to the constitution later
today.

If this proposal passes, Pierre-Elliott and others interested in more
advanced secret voting schemes can work on that.  If they convince the
secretary, we can use those proposals.  Kurt in particular has always
sought input from the project, and I think would be good at judging
consensus in a situation like that.  I'd imagine any secretary who
replaces Kurt would seek consensus on a big policy like that.  And if
somehow the project disagrees, we'd have recourse.
