A solution for decentralized, verified and anonymous online
voting
The technical context - a general solution for decentralized
official user authentication and petitions
The trust-forum project starts with a decentralized user
authentication system. It is based on a decentralized network of
thousands of independent servers, each server hosting hundreds or
thousands of accounts, where each user is free to choose the host
where he registers his account, and to move his account to another
host if he is not satisfied with it.
No matter whether the method for first logging a user in to one site
is kept or changed, the point is that, once logged in to his main
account (where he chose to register), a user is then automatically
(in 1 click) authenticated to any other site he needs. So I envision
a multiplicity of independent sites which can host the accounts of
users, from which they can still connect to other services and users
hosted elsewhere. This can provide a global structure for the
Internet, helping freedom on a worldwide scale, and successfully
handle a diversity of problems that require neither discerning
nationality nor counting the number of people to enforce a rule of
"1 person = 1 voice" (as I see many uses, even political ones, that
are not a matter of vote and thus do not require such verification).
Now, this latter problem can also be handled as follows: instead of
having one unique login platform for the whole country, every
citizen can officially declare which online identity he will use for
his "official" operations. This list being public, any site that
requires the official authentication of a citizen, when getting an
authentication request under some online identity, can simply check
in the list that this identity is the one of a specific citizen (and
also that any 2 such identities are those of 2 different citizens).
This way any user can keep authenticating through his general user
account at his host, from which he can also do anonymous (but still
trusted) operations, with no need to contact any central state
authentication system each time he wants to make an official
operation.
Voting procedure to ensure verifiability with privacy
Here is an idea I had on how to combine verifiability and privacy
(anonymity).
I do not know if it has already been considered (I did not read the
literature on the subject).
It combines most qualities generally expected from voting systems
(except one that is probably impossible to satisfy for online
voting: preventing the risk of buying a given person's vote, or
forcing him to cast a given vote by an explicit threat or request,
with which he would actively comply by providing a proof of his
compliance).
Here is the method, to implement in the new framework of the
trust-forum project, but it does not even need remote authentication
of the user to the central server of the vote; local authentication
at his host suffices.
- The list of all authorized voters is published, every one
identified by his online identity (which looks like an email
address, and specifies where each voter's account is hosted).
Thus the total number of voters is known.
- The server that centrally organizes the vote "releases the
ballots" as follows: ballots are just all the numbers ranging from
1 to the total number of authorized voters. It secretly makes a
random distribution of the ballots to the hosts of user accounts:
to each host it secretly provides a signed document specifying the
list of ballots provided to this host, as many as there are voters
whose accounts are hosted there.
- Each host makes a random distribution of the received ballots
among its users.
- When a user logs in and wants to vote, first of all the ballot
number attributed to him is displayed on the screen; he is
invited to copy this number onto a piece of paper.
- The user is invited to vote, by typing:
  - His arbitrary choice of a verification number from 0 to 9,
  which he should also write on his piece of paper, to be sure
  to remember it
  - His choice (the content of the vote)
- After voting and confirming, he can download a file, namely a
document signed by his host, which says "I, as the intermediate
host giving the ballot number *** to one of my users, certify
that the content of the choice and the verification number, put
on this ballot, are ***". The host also keeps a copy of the
document it provided to the user.
- The user can immediately check this document with some local
program on his computer. If this verification fails before the
deadline of the vote, the user can follow the procedure below for
voting at another host instead.
- At the voting deadline, each host privately communicates the
contents of its filled ballots to the site that organizes the
vote, with all their respective certificates; the central
organizer checks these certificates. Or, if checking millions of
signed ballots is too heavy a task for 1 machine, this can be
replaced by a global signature given by each host on its whole
list of ballots.
- Each host deletes its internal record of the correspondence
between its filled ballots and its users, and only remembers who
voted and who abstained.
- The central organizer publishes the full list of all ballots:
this list shows, for each ballot, which verification number and
which chosen content was given to it if it was used, or that
this ballot was left blank (the voter abstained).
- The hosts of user accounts are responsible for automatically
verifying the correct publication of the data they provided: if
a host notices any contradiction between the data it
communicated to the central organizer about its ballots and the
published contents of the same ballots, then
  - It should make a request to some independent litigation site,
  to which it will provide:
    - The certificate of the list of ballots it had initially
    got from the central organizer, thus proving that it
    actually had the right to attribute this ballot to one of
    its users.
    - Its own certificate of the content of the ballot chosen by
    the user
  - After checking that these certificates are valid, the
  litigation site contacts the central organizer and sends it a
  copy of the certificate from the host, which contradicts the
  published result of the vote
  - To defend itself, since it cannot deny having attributed
  this ballot to this host, the central organizer should provide
  the certificate it initially received from that same host,
  which gave a different content to that ballot
    - If it successfully provides this certificate, thus giving
    2 certificates from the same host contradicting each other
    about the contents of the same ballot, then these 2
    certificates are published (either by the central organizer
    or by the litigation site) and the host that signed these
    certificates is proven to be at fault
    - If the central organizer cannot provide this certificate,
    then it is itself proven to be at fault, as it published a
    content for this ballot without proper certification by the
    host of the user to whom the ballot was attributed (uh, can
    it remain silent and then deny having received that
    request?)
- (Probably useless: each host publishes how many of its own
users voted, and how many abstained, so that everyone can check
that the number of filled ballots contained in this list matches
the sum of all the counts of used ballots publicly declared by
all hosts; any discrepancy detectable here would also probably
be detected in other ways)
- Everyone can check in the list that his ballot is correctly
marked with his chosen verification number and content of vote.
This proves that this ballot was filled by him and only him, and
that no hidden system could have guessed several people's
choices, given the same ballot to people with the same opinion
so as to count their plurality of voices as only one voice, and
provided false information on the rest of the ballots instead:
even if different people with the same opinion received the same
ballot, they could not be expected to give this ballot the same
verification number; as the verification number associated with
this ballot is made public as a unique number, the fraud would
most probably be visible to one of these voters, who would notice
that the published verification number associated with his
ballot is not the one he chose.
- It is even possible to automatically discover the very
unlikely case of an attempt by the central organizer to give one
same ballot to 2 hosts (in order to give arbitrary contents to
the unused ballot), which the above procedure would leave
undetected if by chance both copies were received by 2
abstentionists (namely, in the case of a vote that only few
people may be interested in participating in), by letting the
hosts automatically give random abstentionist verification
numbers to these ballots (but even without this, the
verification would ultimately come at the end, by the procedure
of counting abstentionists; see below).
- If a user notices that his vote is not correctly included in
the public list, while this contradiction was not already
processed by his own host as described above, then this puts him
in conflict with his own host (well, the first and most
trivial possibility of conflict is if his site did not give
him the opportunity to vote or did not provide a valid
certificate of vote in the first place, and all the rest is just
a delayed version of that same risk, with the difference that if
the trouble was visible before the deadline, the user could
change host to still vote before the deadline):
  - He makes a complaint by anonymously sending his file of
  certified ballot to any independent web site of vote
  litigation processing
  - The litigation processing site checks the signature of this
  document and the contradiction between what it says about this
  ballot (verification number and content of vote) and the data
  associated to that ballot in the published list of all ballots
  - As the contradiction is noticed, the host that signed the
  document is requested to confirm or deny that it really
  provided this certificate (it would be hard to deny, as it
  would be hard for someone to forge such a signed document,
  but...).
    - If the host denies having made this certificate and claims
    that it was forged, then what will the rest of the world
    think? Hard to believe as it was hard to make, but at
    least, if the user is honest while the host wrongly pretends
    that the certificate was forged, then the user will know
    that the host of his account betrayed him, so he will leave
    it for another host and tell his friends to do the same.
    - If the host of the user account wants to confirm having
    made this certificate, it should privately send to the
    litigation processing site the signed document it had
    initially got from the central organizer of the vote, as
    proof of having actually received the right to attribute
    this ballot to one of its users, and things can continue as
    previously described; but why did the host wait for that
    request instead of automatically following that process,
    as it should have, just after the publication of the voting
    results?
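As an added illustration (not part of the original text or of the trust-forum project), the following Python sketch runs the procedure above end to end: the organizer releases signed ballot allotments, a host certifies each filled ballot, the organizer publishes the list, and both the voter and the host check it; it also implements the litigation decision from the dispute steps. The keyed HMAC used as a stand-in for signatures, the host names A and B, the message formats and all sample values are assumptions of this sketch.

```python
import hashlib
import hmac
import random
# Constructed demo keys: a keyed HMAC stands in for the signatures in the text (so a verifier
# must hold the signer's key); a real deployment would use public-key signatures anyone can check.
ORGANIZER_KEY = b"organizer-demo-key"
HOST_KEYS = {"A": b"host-A-demo-key", "B": b"host-B-demo-key"}

def sign(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
def verify(key, msg, sig):
    return hmac.compare_digest(sign(key, msg), sig)

def release_ballots(voters, rng):
    # organizer: ballots 1..N in random order, split per host by its voter count; each allotment is signed
    ballots, allotments, pos = rng.sample(range(1, len(voters) + 1), len(voters)), {}, 0
    for host in sorted({v.split("@")[1] for v in voters}):
        count = sum(v.endswith("@" + host) for v in voters)
        chunk, pos = sorted(ballots[pos:pos + count]), pos + count
        allotments[host] = (chunk, sign(ORGANIZER_KEY, f"allot|{host}|{chunk}"))
    return allotments

def host_certify(host, ballot, verif, choice):
    # host signs "ballot *** carries verification number *** and choice ***"; the voter gets a copy
    msg = f"cert|{host}|{ballot}|{verif}|{choice}"
    return {"host": host, "ballot": ballot, "verif": verif, "choice": choice, "sig": sign(HOST_KEYS[host], msg)}

def cert_valid(c):
    return verify(HOST_KEYS[c["host"]], f"cert|{c['host']}|{c['ballot']}|{c['verif']}|{c['choice']}", c["sig"])

def publish(total, received):
    # organizer publishes, for every ballot, (verif, choice), or None when the ballot was left blank
    table = {b: None for b in range(1, total + 1)}
    table.update({c["ballot"]: (c["verif"], c["choice"]) for c in received if cert_valid(c)})
    return table

def voter_check(published, ballot, verif, choice):
    # voter: the entry for the number on his paper must carry his own verification number and choice
    return published.get(ballot) == (verif, choice)
def host_check(published, kept_certs):
    # host: every certificate it issued must match the published entry; returns the ballots to dispute
    return [c["ballot"] for c in kept_certs if published.get(c["ballot"]) != (c["verif"], c["choice"])]

def adjudicate(host_cert, allotment, organizer_cert):
    # litigation site: host shows its signed allotment and certificate; organizer must show a different certificate from that host for that ballot, else it is at fault
    chunk, sig = allotment
    if not (verify(ORGANIZER_KEY, f"allot|{host_cert['host']}|{chunk}", sig)
            and host_cert["ballot"] in chunk and cert_valid(host_cert)):
        return "complaint rejected"
    if organizer_cert and cert_valid(organizer_cert) and organizer_cert != host_cert and \
            (organizer_cert["host"], organizer_cert["ballot"]) == (host_cert["host"], host_cert["ballot"]):
        return "host at fault"
    return "organizer at fault"

def demo():
    # constructed run: 3 voters at A (one abstains), 1 at B; the organizer alters one published choice; host A also double-signs
    allot = release_ballots(["u1@A", "u2@A", "u3@A", "u4@B"], random.Random(7))
    a, b = allot["A"][0], allot["B"][0]
    certs = [host_certify("A", a[0], 4, "yes"), host_certify("A", a[1], 9, "no"), host_certify("B", b[0], 2, "yes")]
    published = publish(4, certs)
    published[a[0]] = (4, "no")  # organizer flips one vote but keeps the verification number
    return {"voter_ok": voter_check(published, a[0], 4, "yes"), "disputed": host_check(published, certs[:2]) == [a[0]],
            "organizer": adjudicate(certs[0], allot["A"], certs[0]),
            "host": adjudicate(certs[0], allot["A"], host_certify("A", a[0], 4, "no"))}
```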
The last problem is to prove that every host correctly published the
true number of voters, and did not commit any ballot stuffing by
pretending to have had more voters (i.e. fewer abstentions) than the
true number. Namely, the abstentionists registered at each host need
to be able to count their number, and check that they are no more
numerous than the host says, anonymously, even if they don't know
each other, don't want to tell each other who they are, and even if
some of them died in between. Yes, we need this, and it can be done.
Here is how:
- After the closing of the vote, and for a period of (for
example) one more week, the opportunity is given to the
abstentionists who are still alive and who don't want to be
publicly known as abstentionists, to protect their anonymity as
abstentionists by participating in an "after-vote" that follows
the exact same procedure as the above procedure of vote, using
the remaining ballots that were already distributed to the
respective hosts and not yet filled, with the only difference
that they only give their ballot a verification number, with no
further content.
- Together with the publication of that list of after-ballots
with their verification numbers, the list of all identities of
people who "still abstained", i.e. still did not participate in
that after-vote, is published too. Thus, anyone who knows
someone who was a registered voter but did not or could not vote,
maybe because he died, can check that the name of this person is
indeed in the publicly declared list of abstentionists, and thus
that nobody stole his ballot.
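The abstention audit described in these two steps, as an added example that is not part of the original text: anyone can check the published vote list, the after-vote list and the declared abstainers against the voter roll, and a relative of a deceased voter can check that his name is listed. The identities, ballot numbers and the host's stuffing attempt are constructed for the example.

```python
def audit_abstentions(voters, published, after_published, still_abstained):
    # public consistency checks once the after-vote is published; returns the problems found (empty = consistent)
    # voters: the published roll; published: {ballot: (verif, choice) or None}; after_published: {ballot: verif}
    # for ballots used in the after-vote; still_abstained: identities the hosts declared as still abstaining
    problems = []
    filled = {b for b, entry in published.items() if entry is not None}
    reused = filled & set(after_published)
    if reused:
        problems.append(f"ballots used both in the vote and in the after-vote: {sorted(reused)}")
    if len(still_abstained) != len(set(still_abstained)):
        problems.append("an identity is declared as abstaining more than once")
    unknown = set(still_abstained) - set(voters)
    if unknown:
        problems.append(f"declared abstainers not on the voter roll: {sorted(unknown)}")
    # every voter is exactly one of: voted, took part in the after-vote, or publicly named as still abstaining
    if len(filled) + len(after_published) + len(set(still_abstained)) != len(voters):
        problems.append(f"counts do not balance: {len(filled)} voted + {len(after_published)} after-voted "
                        f"+ {len(set(still_abstained))} still abstaining != {len(voters)} voters")
    return problems

def after_voter_check(after_published, ballot, verif):
    # an abstentionist who took part in the after-vote checks the number he gave to his ballot
    return after_published.get(ballot) == verif

def known_abstainer_check(still_abstained, identity):
    # anyone who knows that a registered voter did not vote (e.g. he died) checks that he is named
    return identity in still_abstained

def demo():
    # constructed scenario: 6 voters; 3 voted, 1 took part in the after-vote, 2 still abstained (u2@A is deceased)
    voters = ["u1@A", "u2@A", "u3@A", "u4@A", "u5@B", "u6@B"]
    published = {1: (3, "yes"), 2: None, 3: (8, "no"), 4: None, 5: (1, "yes"), 6: None}
    after = {4: 5}
    honest = audit_abstentions(voters, published, after, ["u2@A", "u6@B"])
    # host A stuffs the deceased u2@A's ballot 2: to keep the totals balanced it must drop u2@A from its
    # declared abstainers, which a relative checking the list will notice; keeping him listed breaks the totals
    stuffed = {**published, 2: (0, "yes")}
    return {"honest": honest,
            "stuffed_balanced": audit_abstentions(voters, stuffed, after, ["u6@B"]),
            "deceased_listed": known_abstainer_check(["u6@B"], "u2@A"),
            "stuffed_unbalanced": audit_abstentions(voters, stuffed, after, ["u2@A", "u6@B"])}
```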
How to avoid buying votes
Once he has voted, instead of getting only the certificate for his
own ballot, the user can receive several certificates for different
ballots filled by other people, expressing different choices.
(That is, the host cannot immediately provide a certificate to the
first voter, but waits until it has hopefully collected several
votes expressing different choices before starting to provide
certificates.) Thus, the ability of a user to give someone else a
certificate for one ballot does not prove to the other person that
this is the certificate for his own vote; only he knows which of
the certificates gives the proof of his own vote, as it is the one
that carries the ballot number he previously copied onto a piece of
paper.
A possible loophole in this scenario is if the vote buyer says "Cast
vote X with verification number Y", so that the user has little
chance of having got such a certificate if he did not cast this vote
himself.
To try to prevent this, we can consider having a smaller range of
allowed verification numbers, say from 1 to 4, and a user can make a
request to his site: "Can you give me any certificate of a vote cast
for choice X and with verification number Y?" This is not always
possible, but as it may sometimes happen, the vote buyer loses
certainty of having really made the person cast the vote he wants;
he may notice that he has been fooled if several vote sellers send
him the same certificate, but he cannot know who fooled him.
We can imagine more complicated methods by which vote buyers could
try to buy votes, and methods to prevent them; but the more
complicated it is to buy votes, the less likely it is to be done at
any significant scale. Anyway, there is always a heavy method of
selling your vote, namely filming yourself following whatever
voting procedure there is, and sending this film to the buyer; even
this might not be an absolute proof, as the film might have been
edited...
More options
The above scenario might be considered as not offering sufficient
anonymity protection. On the one hand, it assumes that every user,
having freely chosen the host of his account, trusts this host to
protect the confidentiality of his vote, and that this trust will
not be betrayed. On the other hand, there may be hosts with too few
user accounts, or politically oriented hosts whose users often have
the same opinions, making the very fact that a person has his
account at a specific host already revealing of his choice of vote.
These possible problems have natural solutions in the form of a
diversity of options for how each user participates in the vote.
This diversity of possible participation methods for votes is just
the same as the diversity of participation methods generally
available for any other social web application in the framework of
the Trust-forum network, which makes this case of the online voting
problem a typical example of some aspects of how the Trust-forum
network generally aims to work.
Here are these options:
- Before the vote, the user U@A can have declared that he will
use another online identity at another host, V@B, to participate
in the vote. This declaration is displayed, before the time of
the vote, in the public list of voters. To be sure that this
decision is not made by a hacker against his will, the host A
will display a reminder to this user on his main board every
time he logs in to his account; thus if a hacker had done it
instead of him, the user will anyway notice it early enough
and have the opportunity to cancel this sort of theft of voting
card in a few clicks. Then during the time of the vote, the user
needs to authenticate as V@B, either by remote authentication in
one click from his account U@A, or directly by a different
login/password, or even by the succession of both of these
security measures. This way, host A no longer has the material
possibility of knowing the content of the user's vote; only host
B has this possibility; the central organizer will receive this
ballot filled by host B instead of host A, so that this vote is
contained in the pack of all people voting through B, not
through A.
- Another method is to let the user U@A vote by remote
authentication from host A directly at the web site of the
central organizer, under the pseudonym "ballot1234@A" where
"ballot1234" is to be replaced by the ballot number that was
attributed to the user in the way previously described. In this
method, we may still see a risk of breach of privacy in the fact
that the central organizer sees, for each ballot number operated
with this method (which is related to the content of the vote,
and which the central organizer can relate to the user's host),
the user's IP address and his time of vote, which might reveal
his identity. This risk of privacy breach can be (relatively)
answered by the user connecting from some anonymous public place
(an internet cafe...), or through a proxy (by the way, in the
previous alternative, B already plays this role of proxy,
somehow).
How can a user change host during the time of the vote
This may be because the host is down, or the user lost access to
his account, or the user could not get a valid certificate for his
vote, or he already sold his vote and wants to cancel the effect, or
for any other justified or unjustified reason. Unless there is a
good reason for most users of a given host to agree on a common new
host to replace the defective one, they will have to make their own
choices of where to move among existing hosts.
So for this case:
- He must request this move and prove his identity to the voting
organizer (or some other authority);
- He chooses some other host B that still has unused ballots
(whose number has not been seen by a user yet) among those that
were initially attributed to it.
- This move is publicly declared (the true identity of the
person that moves is public; not sure if it is useful to declare
which host B he chooses to move to; maybe there was not even a
need in the first place to make it public which host a user
chooses to vote through, as only the central organizer needs to
know);
- The previous host must tell (before or while sending its own
pack of voting results to the voting organizer at the end) which
ballot number was initially attributed to the user that left,
and that number is cancelled instead;
- A new ballot number is created and attributed to B because of
this user;
- The user can vote at B using a ballot number [most probably]
among those that were initially attributed to B and still unused;
the new ballot number is available [with a more significant
probability of attribution] to the users of B that were
previously registered at B and did not vote yet.
(Not sure if there is any advantage or inconvenience in having
a "compact" global list of ballots, i.e. of all numbers no greater
than the total number of voters, rather than a "spaced" one with a
hidden list of random unattributed ballots available for those who
would move in between, and that would only be publicly known as
unattributed during the final public release of voting results.)
And what about people who are not familiar with computers, who have
no internet at home and not even an online identity?
Simple: concrete voting offices can still be used in the guise of
hosts among others (some hosts would be web hosts as described
above, other "hosts" would be voting offices). The voting office
can contain a box of ballots, inside which each voter puts his hand
to take one envelope at random containing a paper ballot, discovers
on the paper what his ballot number is, and can take it with him
after voting...
What content of the vote can bring a meaningful result
For votes of the type "Choosing the best candidate for everybody
from a list" (when there are more than 2 candidates), there is the
usual problem of how to ensure that people really express their
intention and avoid the bias of "useful" strategic voting
depending on possibly false rumours about who may have better
chances of success. For this I think the right solution is the
Condorcet method.
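An added example, not from the original text, of tallying ballot contents with the Condorcet method: each ballot content is a ranking such as "B>A>C", and the winner is the candidate who beats every other one in a head-to-head majority, which the constructed ballots below show can differ from the plurality winner. The ranking syntax and the sample ballots are assumptions of this example.

```python
from collections import Counter

def parse_ranking(content, candidates):
    # ballot content as the voter typed it, e.g. "B>A>C"; candidates left out rank below all listed ones, tied
    listed = [c.strip() for c in content.split(">") if c.strip()]
    if len(set(listed)) != len(listed) or not set(listed) <= set(candidates):
        raise ValueError(f"invalid ranking: {content!r}")
    rank = {c: i for i, c in enumerate(listed)}
    return {c: rank.get(c, len(listed)) for c in candidates}

def pairwise_tally(contents, candidates):
    # prefers[(x, y)] = number of ballots ranking x strictly above y
    prefers = Counter()
    for content in contents:
        r = parse_ranking(content, candidates)
        for x in candidates:
            for y in candidates:
                if r[x] < r[y]:
                    prefers[(x, y)] += 1
    return prefers

def condorcet_winner(contents, candidates):
    # the candidate who wins every head-to-head majority; None when preferences form a cycle
    prefers = pairwise_tally(contents, candidates)
    for x in candidates:
        if all(prefers[(x, y)] > prefers[(y, x)] for y in candidates if y != x):
            return x
    return None

def plurality_winner(contents):
    # first choices only, for comparison with the Condorcet result
    return Counter(c.split(">")[0].strip() for c in contents).most_common(1)[0][0]

def demo():
    cands = ["A", "B", "C"]
    # constructed ballots: the electorate is split between A and C, while B is acceptable to everybody
    polarized = ["A>B>C", "A>B>C", "C>B>A", "C>B>A", "B>A>C"]
    cycle = ["A>B>C", "B>C>A", "C>A>B"]  # constructed: a Condorcet cycle, so no winner
    return {"condorcet": condorcet_winner(polarized, cands), "plurality": plurality_winner(polarized),
            "cycle": condorcet_winner(cycle, cands)}
```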