sede - secure democracy

[J.H.Boersema]

I hope sede - secure democracy ( http://www.law4.org/sede )
will become part of the GNU collection of software, which was
always its goal.

Hi Karl,

Haven't heard from any decisions yet, so ...
If I may: last time my project was reviewed by someone
associated with GNU, they actually made a mistake about
how it functions (Brave GNU World column). That mistake
has never been rectified (though I asked for it). The
matter of "e-voting" is too easily dismissed for reasons
that do not apply to the system used by sede (voter-code
voting). It is its 'own system,' having its own area of
use.

If any on topic debate is currently ongoing, perhaps it
would be prudent if I could argue the case that it does
work.

At the moment I'm reading about a failed e-voting attempt,
which uses an architecture not used by sede.

http://www.bradblog.com/?p=8118
The BRAD BLOG :  Iranian, Chinese Computers Also Discovered to Have
Been Hacking D.C. Internet Voting System

Perhaps it might shed more light to put the sede system
up 'in theory' against their system.

In the sede system, if used to its maximum extend of
anonymity meaning randomized voter registrations, would
(for example) mean (using a push-channel method) creating
a number of envelopes N containing encryption keys and
ballot location information. Say the ballots are to go
to the soldiers stationed in Bagdad, Iraq. The ballot
access channels could first be randomized (rotating bins 
for example, under public review), and then stacked to
go to each city or base. Then when it arrives at those
bases, that package could again be loaded in bins and
be distributed at random to the soldiers.

At this point there is a reasonable change that a significant
number of these ballots has arrived at a soldier unknown to
the voter-administration back in the USA.

Now comes the point where sede can not even be used for
national elections, because you can prove what you vote.
However, that doesn't mean it isn't a voting system in its
own right. To be able to prove what you vote is in one
sense a weakness, but in another sense it is as strength.
You can use it to give your vote-code to someone else, for
example, and verify that they indeed vote the way you would
like. It is a cultural assumption that too many people will
sell their vote for money, causing corruption, an assumption
which may be true. However that does not make that assumption
true in every case where people might want to vote; both for
Government representatives or for entirely different purposes
and organizations.

Thus, the soldiers at this point may decide to vote, they
type in their login and they take off the server an encrypted
ballot. Say the encryption is strong enough to withstand most
attacks for up to 3 weeks of hard cracking (?). Since the
vote closes after 2 weeks of the ballots - who where encrypted
off line and only moved encrypted online - that does not attack
the vote result by attackers who take over connections; but
the system is even impervious for if they do succeed ... as
the voter can later verify online their vote-code has been
the chosen vote and is accurately tallied as such.

So, the soldiers takes the encrypted ballot, puts it on an
information carrier (say USB stick), then moves that into
an offline computer and then decrypts the ballot, fills
out the ballot, and encrpyts it again. He then puts the
filled out ballot on the USB stick, and sends it over the
established but anonymous connection to the USA vote 
administration. At this point the anonymity can be attacked
by for example an electronic surveilance system and monitoring
ballot sizes and so on. But that has to be done at the point
where the ballots come off the Internet on the far end; thus
this requires a relatively large surveilance organization and
effort. Note that with such an effort no person could sneeze
without a report being filed on it; and neither vote in
anonymity in a paper polling booth either. The extend of such
a surveilance makes it less likely it actually occurs 
(significantly). It would likely come out that there where
attempts to break the vote.

The vote administration then takes the received encrypted
ballots offline, decrypts them, computes the results (runnig
sede processall); and publishes all the votes along with
their vote-code, and then tallies of the votes.

Because soldiers could have used the time before the result
has been posted to show others their vote-code, if they had
done so then they could prove what they had voted. If they
receive a signed ballot with their vote-code, they could also
prove their vote-code after all vote-codes had been published
(and hence become public knowledge making it harder to prove
one owned one particular of them.) The comment feature on the
vote makes it also easy to prove one owned one certain vote
code. This is apparently taken as a problem by some people
who do not see that such a system still works in its own ways,
where such proof is not a problem and/or can be an asset.

One would simply have to know that this is how it works, and
whether therefore this tool applies to a certain requirenment.
It does not fit the requirenment for national balloting which
at the moment is geared toward a people who would happily
sell away their vote for a few dollars (apparently), causing
great corruption in the nation. But it could easily fit the
requirenments of for example a Union full of active members,
who want to vote on the wage demands for the next year. They
will not sell their vote, and most of them at best show their
code to a few close friends and many wouldn't even bother with
that either.

Then the result would end up published, and all the soldiers
in Iraq could see whether the vote-code they got is actually
tallied; and they have further security by watching their
comments and screams and hugs they no doubt would like to
pust as comments (at their own risk), making it certain in
their mind (and actually certain) that what they are seeing
is their and only their vote (because a code could have been
given to others, too, and a yes/no vote for example is hardly
a unique identifier.)

Then, those soldiers who decided to sell their vote can prove
to those they sold it to, that the vote-code had voted that way.
I would like to point out that this is a rather theoretical
issue, that it is also primarily a social ill of the very poor,
and that ultimately people should own the backbone never to sell
their soul like that. On the other hand, realizing that politics
is corrupt all ways, then maybe by selling they may actually
get more out of it - although i personally don't think that would
often be the case. It is entirely possible that some day we have
a people with which the power to prove your vote, but only if you
decided to give that information, is not a problem but a benefit.

Meanwhile in the real world away from the extremes of theoretical
chances ... people using sede in organizations will rarely have
any trouble with vote selling; and even often will be able to
conduct voting without any form of security whatsoever, sending
ballots over the Internet in plain text (since the voters can
always later verify). Who will want to hack & crack all the
myriad of tiny little votes that may go on ? Who has the time
or interest to change a vote of a 30 person corporation on the
color of their outfit ? Even if they succeed, the result would
show the manipulation. The corporation can react by increasing
their security for next time, and re-doing the previous vote(s).

For larger votes that would be under attack, the primary assault
would perhaps end up being a denail of services attack; since
they can't crack the ballots in time, and can't ultimately
control the presented end-result. If an attacker is able to
control how the result is presented to everyone in Bagdad, showing
a specific result to Bagdad that the soldiers there would recognize
as 'ok, that is our votes tallied ok,' but then the totals have
to match up too. You can do that, but if you want to manipulate
votes then you would have to show a different result to the
soldiers in say Afghanistan; so that the tallies would always
be right. In the Afghan result you would change the Bagdad votes,
and vice versa, so that the tallies are right. But such major
manipulations are relatively easy to find out by even one person
(by comparing the results shown with other shows of it.) Such
an attack is so dangerous that it would probably rarely be
attempted. Note that an election result including everything
is basically on the record forever.

Then of course there is the 'added votes' danger; but that is
a danger which is reduced by the likelyhood of that amount of
voters actually existing. For example if there are 80.000
soldiers in Baghad, and 55% vote, then you have 45% room to
pretend votes; assuming those non-voters will not check that
their vote-code did indeed not vote. Because if they do check
their abstention as a real abstention, then that attack is
also busted. Secondly, how likely is it then for example that
80% vote, rather then 55%. A few active people who do a number
of spot independent checks to verify abstentions are real
abstentions, that would probably go a long way in proving the
result is accurate.

So, that is the system proposed by this.

But you can even get around the entire problem of being able
to prove your vote code from the eventual publication: simply
never publish it. If the vote-administration keeps the vote
codes offline and only publishes the total tally, then it is
more like a regular vote. However the voters loose the ability
to verify that their vote was tallied correctly. Hence you pay
heavy for more vote anonimity. Because the records could always
later be released, you never know quite certainly that you can
not prove your vote, ever.

One might ask what the benefit is then to let Iraqi soldiers
vote in such a combursome way. Indeed a very good question, it
is most likely a lot cheapor to send over simple paper ballots.
With all the encryption/decryption and pushing of communication
channels needed, the whole affair would probably be a bit of a
hassle, certainly if it isn't streamlined in software/hardware
etc yet. On the other hand, once the communication channel is
created, in theory a vote could be done in minutes, back &
forth to the USA.

I note that in Holland our Union already conducts votes in this
way, using a vote-code which is never released. So that is already
a real use for a sede system, but as far as I know they are using
an unknown system for this, perhaps a few costum scripts.

best regards,
jos boersema
http://www.law4.org ( ./sede )

PS  I am having an entire revolution & law system on my site, for
    which Internet anonimity is vital to protect people who want
    to view it as much as possible from near term or immediate
    state tyrannies. The more anonymous the Internet, the better
    for sede and my attempts at this.

    Secondly, I have decided to boycot biometric passports. The
    Dutch government is now demanding you give our finger prints
    if you apply for a new passport ! I bought one at the last
    moment, and will not get a new one if it requires fingerprints.

    Hence, I have many reasons to be against biometric databases
    and the encroachment of a 'big brother' police state system;
    in fact against that threat is my entire website dedicated.

PPS Talking of which, I hope you won't only considder sede, but
    also what I have proposed there (www.law4.org), particularly
    the national Constitution.

-- 
_ _ /_\ _ _ http://www.Law4.org     Free markets and democracy,
\ /v`V^v\ /                                  but now: properly.
/_\_#_#_/_\ 
    \ /     Day 168 of the revolution.