28
edits
Tim Starling (talk | contribs) (my evil plan to get Erik elected... HA! :-) ) |
Tim Starling (talk | contribs) (possible improvement) |
||
Line 29: | Line 29: | ||
Any paranoid member of the general community can check for disappearing vote records by regularly downloading the entire dump and comparing new dumps and old dumps side by side. Voting records will indeed disappear from the dump due to the election administrator striking out invalid votes, or when someone votes twice. But if such removals are challenged, they can be checked for legitimacy by a third party examining the log. | Any paranoid member of the general community can check for disappearing vote records by regularly downloading the entire dump and comparing new dumps and old dumps side by side. Voting records will indeed disappear from the dump due to the election administrator striking out invalid votes, or when someone votes twice. But if such removals are challenged, they can be checked for legitimacy by a third party examining the log. | ||
An improvement to this system would be to sign encrypted election records with a secret key stored on the server. With the current system, if someone's vote disappears, the administration could conceivably claim that they are making up the story. If they have a signed record to prove that they did actually vote, it means that either the votes were tampered with or that the claimant hacked into the server and obtained the private key. Either case should be sufficient cause to declare the election invalid. | |||
Secrecy, that is preventing anyone from discovering who voted for who, is also very important. My original idea was to preserve secrecy except from the private key holder. I later realised that simply leaving the username off the encrypted records would discourage casual snooping by the private key holder. It also makes it harder for a developer to breach secrecy by reading the temporary files input to GPG. I made no effort to prevent a determined private key holder from working out who voted for who, although this may be possible in principle. | Secrecy, that is preventing anyone from discovering who voted for who, is also very important. My original idea was to preserve secrecy except from the private key holder. I later realised that simply leaving the username off the encrypted records would discourage casual snooping by the private key holder. It also makes it harder for a developer to breach secrecy by reading the temporary files input to GPG. I made no effort to prevent a determined private key holder from working out who voted for who, although this may be possible in principle. |
edits