[pp.int.general] Agora Voting System for a Liquid Democracy at FOSDEM

Eduardo Robles Elvira edulix at gmail.com
Wed Jan 19 10:55:17 CET 2011


On Wed, Jan 19, 2011 at 10:34 AM, Yves Quemener <quemener.yves at free.fr> wrote:
> On 01/19/2011 09:50 AM, Eduardo Robles Elvira wrote:
>>
>> Of course we are not going to do that directly: Partido de Internet
>> would need first to have at least one seat at parliament. But when the
>> system is ready and in the mean time, we can start using, testing and
>> improving its security.
>
> As enthusiastic as I am about e-democracy, I think this is not the way to go.
> In my humble opinion you start by having a good security and then add some
> features. What is a debatable methodology in regular software development is
> a must-have for this kind of project for a simple reason: you do not want
> fraud, even in the first votes. Especially when you try to convince people
> that this is a viable alternative. Security is not a feature you can patch
> on later. Especially not cryptographic security.

I agree with you. You start with *very* good security: that is one of
the tenets in our system. This is not to say that you have to always
try to improve the security, which is what I meant.

>> There are cryptographic voting
>> protocols that even if all election administrators are corrupt, they
>> cannot convincingly fake a tally [1]. These are the kind of systems we
>> are going to use.
>
> Have you seen that in the scenario you propose, they trade privacy for vote
> integrity? That is currently a big problem in online voting systems and an
> active field of research in cryptography. Currently you have to trade one
> for the other. From the article you link:

> "In cryptographic voting protocols, there is an inevitable
> compromise: unconditional integrity, or unconditional
> privacy. When every component is compromised, only
> one of those two properties can be preserved. In this
> work, we hold the opinion that the more important property,
> the one that gets people’s attention when they understand
> open-audit voting, is unconditional integrity: even
> if all election administrators are corrupt, they cannot
> convincingly fake a tally. With this design decision made,
> privacy is then ensured by recruiting enough trustees and
> hoping that a minimal subset of them will remain honest."
>
> All the online voting systems that work (like the debian voting system)
> completely drop the privacy exigence in order to have absolute vote
> integrity and no trust given on third parties. I think that this question is
> serious enough to be considered.


I know that, I've been studying this topic for a while. There is no
way you can have both things at the same time. In the current voting
system, you have to also trust the voting system integrity (watch the
TED talk referred to by Rodrigo in this thread). The good thing about the
kind of cryptographic systems like the one used in Helios Voting is
that you can have with reasonably good expectations both things,
because you set up a wide list of election administrators that would
need all to be corrupt for decrypting a single vote.

> And I am not even talking about deniability (the fact that you could be
> threatened into revealing your encryption keys in order to check that you
> voted "correctly")
>
> If you want a trustable e-voting system, you have to either propose a way to
> create a third-party that every voter can trust, or you have to convince
> voters that privacy of vote is not necessary. I mean, that is possible.
> Deputies and senators don't have secrecy of vote, in some Swiss cities they
> use hand-voting, and signing a petition is the opposite of secret voting.
> That is a defensible point of view but you have to make it clear from the
> start.

OR you have a wide range of third parties with different interests
that no one will think that they will be able to all agree to corrupt
a voting together. Different organizations and political parties
working together. This would be like voting observers, but they do not
only observe but participate in the anonymization process of the
mixnet based voting system.

>> If we want to have a better control of the
>> voting environment we could for example only allow voting in computers
>> specially set up in Partido de Internet's local offices and using a
>> secure GNU/Linux live cd created for this purpose.
>
> But people would have to trust Partido de Internet for not installing
> fraudulent software. Why would they trust it?

The livecd would be 100% free software. Check the software source code
if you want. Then bring your own CD, we do a check sum or similar to
be sure that CD is correct, then you can use it.

Regards,
     Eduardo.
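
The trustee arrangement discussed in the message above (every election administrator has to cooperate before a single vote can be decrypted), as an added example that is not part of the original message and not Helios code: n-of-n distributed ElGamal. The toy group parameters and all function names are assumptions made for the demo.

```python
import secrets
from math import prod

# Toy group, constructed for this demo and far too small for real use:
# P = 2*Q + 1 is a safe prime, G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    """One trustee's key pair: secret share x and public share G^x."""
    x = secrets.randbelow(Q - 1) + 1          # 1 .. Q-1, never 0
    return x, pow(G, x, P)

def joint_public_key(public_shares):
    """Election key = product of all public shares = G^(sum of secrets)."""
    return prod(public_shares) % P

def encrypt(vote, h):
    """ElGamal-encrypt a small integer vote, encoded as G^vote."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(G, vote, P) * pow(h, r, P)) % P

def partial_decrypt(x, ciphertext):
    """One trustee's contribution c1^x; the secret share x is never revealed."""
    c1, _ = ciphertext
    return pow(c1, x, P)

def combine(ciphertext, partials, max_vote=10):
    """Divide out the supplied partial decryptions and decode the vote.

    Returns the decoded value, or None if the result is not a valid encoding.
    With any trustee's partial missing, the result is never the real vote.
    """
    _, c2 = ciphertext
    m = (c2 * pow(prod(partials) % P, -1, P)) % P
    for v in range(max_vote + 1):
        if pow(G, v, P) == m:
            return v
    return None

def demo(n_trustees=5, vote=1):
    """Returns (result with all trustees, result with one trustee absent)."""
    trustees = [keygen() for _ in range(n_trustees)]
    h = joint_public_key([pub for _, pub in trustees])
    ct = encrypt(vote, h)
    partials = [partial_decrypt(x, ct) for x, _ in trustees]
    return combine(ct, partials), combine(ct, partials[:-1])

if __name__ == "__main__":
    print(demo())
```

The flip side of this design is availability: with n-of-n sharing, one trustee who refuses or loses a key share blocks the tally.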

