[pp.int.general] Agora Voting System for a Liquid Democracy at FOSDEM

Yves Quemener quemener.yves at free.fr
Wed Jan 19 10:34:48 CET 2011


On 01/19/2011 09:50 AM, Eduardo Robles Elvira wrote:
> Of course we are not going to do that directly: Partido de Internet
> would need first to have at least one seat at parliament. But when the
> system is ready and in the mean time, we can start using, testing and
> improving its security.

As enthusiastic as I am about e-democracy, I think this is not the way to
go. In my humble opinion you start by having good security and then
add some features. What is a debatable methodology in regular software
development is a must-have for this kind of project for a simple reason:
you do not want fraud, even in the first votes. Especially when you
try to convince people that this is a viable alternative. Security is
not a feature you can patch on later. Especially not cryptographic security.

> There are cryptographic voting
> protocols that even if all election administrators are corrupt, they
> cannot convincingly fake a tally [1]. These are the kind of systems we
> are going to use.

Have you seen that in the scenario you propose, they trade privacy for
vote integrity? That is currently a big problem in online voting
systems and an active field of research in cryptography. Currently you
have to trade one for the other. From the article you link:

"In cryptographic voting protocols, there is an inevitable
compromise: unconditional integrity, or unconditional
privacy. When every component is compromised, only
one of those two properties can be preserved. In this
work, we hold the opinion that the more important property,
the one that gets people’s attention when they understand
open-audit voting, is unconditional integrity: even
if all election administrators are corrupt, they cannot
convincingly fake a tally. With this design decision made,
privacy is then ensured by recruiting enough trustees and
hoping that a minimal subset of them will remain honest."

All the online voting systems that work (like the Debian voting system)
completely drop the privacy exigence in order to have absolute vote
integrity and no trust given to third parties. I think that this
question is serious enough to be considered.

And I am not even talking about deniability (the fact that you could be
threatened into revealing your encryption keys in order to check that
you voted "correctly").

If you want a trustable e-voting system, you have to either propose a
way to create a third party that every voter can trust, or you have to
convince voters that privacy of vote is not necessary. I mean, that is
possible. Deputies and senators don't have secrecy of vote, in some
Swiss cities they use hand-voting, and signing a petition is the
opposite of secret voting. That is a defensible point of view but you
have to make it clear from the start.

> If we want to have a better control of the
> voting environment we could for example only allow voting in computers
> specially set up in Partido de Internet's local offices and using a
> secure GNU/Linux live cd created for this purpose.

But people would have to trust Partido de Internet not to install
fraudulent software. Why would they trust it?

