TL;DR: I'm proposing that the way we handle DPL elections today is a good start for what secret means.

Holger asked what I meant by secret. He asked that in a thread discussing stuff related to the project secretary, and I didn't think an answer belonged there. So I'm starting a separate thread.

As a reminder, this all comes out of GR 2021_002, where we had a fairly controversial statement with many ballot options. Several people raised the concern that they felt uncomfortable voting if their ballot choices were going to be up on the Internet for everyone to see. People were much more concerned about that than worried that the secretary might disclose their vote.

I think the way we handle DPL elections is a good compromise between secrecy and accountability. (At least assuming that we do not retain the actual votes long term.)

* The ballots are public, but the mapping from voters to ballot is not.
* Voters get a hash sufficient to prove that their ballot is included in the totals.
* The list of voters is public.

Anyone can verify that the ballots correspond to the totals. Anyone can verify that their ballot was included in the totals.

An attacker can mount a number of attacks on this system:

- They can include an extra vote. They need to add someone who would be a valid voter. They run the risk that person notices they were included even though they did not vote.
- They can change a vote. They run the risk that voter will attempt to verify their vote and discover it is counted incorrectly.

Assuming the secretary is well trusted, I think those attacks are acceptable residual risk from a security standpoint. If it were up to me, that's where I'd leave things. I might double check that we had a data retention policy and that, in the way we present hashes to people, a voter can verify the hash includes their voter identity. But for my level of paranoia, I think the way we handle DPL elections is fairly good.

Pierre-Elliott, who is another one of the drivers for the secret ballot work, was interested in exploring other options, involving better cryptographic proof. The plan was to go put together a DEP on anonymous secret voting. I don't want to wait for that DEP, and I don't know how the discussions will conclude. I also don't think those details belong in the constitution.

So, effectively, the proposal:

1) Removes the claim that what people vote for becomes public after the election
2) Leaves the specific voting mechanism up to the secretary (removing the strict requirement it happen via email)
3) Provides a way for the project to override the secretary if they disagree with the voting mechanism

I proposed specific text for points 1-2 above back when this thread started. I proposed text for point 3 a couple weeks ago. My plan is to go refine the specific proposals based on comments on the list and publish things in the form of a diff to the constitution later today.

If this proposal passes, Pierre-Elliott and others interested in more advanced secret voting schemes can work on that. If they convince the secretary, we can use those proposals. Kurt in particular has always sought input from the project, and I think would be good at judging consensus in a situation like that. I'd imagine any secretary who replaces Kurt would seek consensus on a big policy like that. And if somehow the project disagrees, we'd have recourse.
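A toy model of the DPL-style scheme described in the message above (public ballots, public voter list, a per-voter hash receipt, no public voter-to-ballot mapping), added here as an illustration; it is not part of the original message and not Debian's own vote-counting code. The receipt construction (SHA-256 over a private per-voter token, the voter's identity and the ballot), the first-preference tally and the sample voters are assumptions made for the example.

```python
import hashlib
from collections import Counter

# Constructed sample data: ranked ballots and the private token each voter received.
VOTES = {"alice": "A>B>C", "bob": "B>A>C", "carol": "A>C>B"}
TOKENS = {"alice": "tok-a1", "bob": "tok-b2", "carol": "tok-c3"}


def tally(ballots) -> dict:
    """Simplified totals: first-preference counts (assumption; DPL elections use Condorcet)."""
    return dict(Counter(b.split(">")[0] for b in ballots))


def receipt(token: str, voter: str, ballot: str) -> str:
    """Hash that binds the voter's private token, their identity and the ballot they cast."""
    return hashlib.sha256(f"{token}|{voter}|{ballot}".encode()).hexdigest()


def publish(votes: dict, tokens: dict) -> dict:
    """Secretary's published record: voter list, (receipt, ballot) pairs, and totals.

    Pairs are sorted by receipt so their order does not reveal who cast which ballot.
    """
    pairs = sorted((receipt(tokens[v], v, b), b) for v, b in votes.items())
    return {
        "voters": sorted(votes),
        "ballots": pairs,
        "totals": tally(b for _, b in pairs),
    }


def voter_check(record: dict, voter: str, token: str, ballot: str) -> bool:
    """A voter confirms that the ballot they cast appears in the published list, unchanged."""
    return (receipt(token, voter, ballot), ballot) in record["ballots"]


def public_check(record: dict) -> bool:
    """Anyone confirms the totals follow from the ballots and the ballot count matches the voter list."""
    recomputed = tally(b for _, b in record["ballots"])
    return recomputed == record["totals"] and len(record["ballots"]) == len(record["voters"])


if __name__ == "__main__":
    rec = publish(VOTES, TOKENS)
    print("public check:", public_check(rec), "totals:", rec["totals"])
    print("alice's check:", voter_check(rec, "alice", TOKENS["alice"], VOTES["alice"]))
```

Altering one published ballot keeps the record self-consistent for the public check but fails that voter's own check; appending a ballot with no matching entry in the voter list fails the public count check.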