Editing Board vote code

The '''board vote code''' in [[MediaWiki]] uses [[public key crypto]] to enable an [[audit trail]].   No other [[wiki code]] has this feature yet.  An exchange between the [[Lowest Troll]] of [[Consumerium]] and the [[developer vigilantiism|chief developer vigilante]] of [[Wikipedia]] included the following:

:[[User:Juxo]] is "very critical of submitting everything to computers because that gives technocrats too much (secret) power, but in this case there is no prob since the private key could be on a disk in a safe 
::[[Tim Starling]] responds "yes, I wanted to make it so that it was hard for a developer to rig since a developer was one of the candidates  and he came very close to winning, too"

This is probably a reference to [[Erik Moeller]] who, along with Starling, does most of the [[developer vigilantiism]] and distributing [[vandalbot]] code to those willing to do [[denial of service attack]] against other [[GFDL corpus access provider]]s.  By making it "very hard for a developer to rig" it becomes possible only for these two individuals, Moeller and Starling, to rig the votes.  ''See [[Disinfopedia]] entries on [http://www.disinfopedia.org/wiki.phtml?title=Diebold Diebold Election Systems Corporation] for more on the various issues with vote-rigging and why electronic voting is usually bad.''

According to [[Tim Starling]], "it's also made so that's it's fairly difficult for a developer to work out who is voting for whom;  they'd have to constantly run a monitoring program on the server, which is detectable;  instead of just get in, grab the results and cover their tracks".  Use of terms like ''fairly'' difficult and ''detectable'' and ''cover their tracks'' implies of course that Starling himself can actually do these things, and ensure they are covered up.  In the future this might be of benefit to his friend and ally [[Erik Moeller]] who is a strong opponent of [[English Wikipedia User Anthere]], who won the so-called "election" this time - probably just to make everything look honest?

Individual records in plain text have three lines: two for the two different positions, and one for "salt" (though the [[GPG algorithm]] adds its own salt).  "The plain text records don't contain the usernames, it's not trivial for even the private key holder to determine who voted for who assuming the private key holder doesn't have access to the full DB," which of course some do.  Apparently the SQL DB hides the order in which votes were cast, which is why to track votes one would need to monitor every transaction as it occurred.

The web interface gives two different data displays :
*the "list", where names and timestamps are displayed  and where an election administrator may use this list to strike out invalid votes, e.g. of [[trolls]] who oppose the [[sysop power structure]]
*the "dump", which lists the encrypted records in chronological order 

Starling admits that "there's a few ways an election administrator could match up dump entries with list entries" such as to match records in "dump" with timestamps", and muses about shuffling them so that only the most expert of the [[developer vigilantiism|vote riggers]] could do this trace very reliably to identify political enemies for future harassment by the [[echo chamber]]s.

"An election administrator with the private key could find out which entry belongs to which person by striking it out temporarily, and seeing which dump entry disappears" according to Starling, "so the way to get around that vulnerability is to make the private key holder a non-administrator" but given the power of the [[sysop power structure]] that person can be made to comply with more or less any demand to assert or impose the [[Cabal point of view]].

Like all [[e-voting]] mechanisms, this one is certainly open to rigging and spying at least by its own developers.  There is probably no way around that.

----

LOL!!! That's the funniest thing I've read in ages. You think I'm a friend and ally of Erik, and I wanted to help him win the election against Anthere??? I've made no secret of my dislike for Erik. He's arrogant and overbearing. He's done a few things to piss me off in the past and I'm still bearing a grudge. I voted for everyone ''except'' him on the contributing ballot. By contrast I have a great deal of respect for Anthere.

:That's your story.  It could be a [[cover story]].  He is certainly your ally in [[developer vigilantiism]] (huge [[IP range block]]s affecting whole cities simply to prevent challenge to the [[Sysop Vandal point of view]]) though he is prone to [[libel]] and so far you are not.  He is certainly arrogant, overbearing, and self-certain.  He's a vile little creep!  But he wants the same type of top-down control as [[Daniel Mayer]] does, with these people of no particular consequence making critical decisions about who participates, trying to suppress the [[Wikipedia Red Faction]], and just making ordinary stupid decisions with incoherent unlogic like [[Auntie Angela]] (who ''was'' "elected"). --[[142.177.X.X]]

I had two personal reasons for making the voting system hard for developers to rig: firstly out of distrust for Erik, and secondly because I was entertaining visions of being a candidate myself. It takes a lot of care to design a voting system such that nobody could reasonably claim that even its designer could rig it. 

:Yes it does.  But surely you comprehend that any voting system must be analyzed from a strictly hostile, suspicious point of view with all possible [[Wikimedia corruption|corruption]]s considered.  Any slack or benefit of the doubt whatoever and it will be exploited.  Really the only test of an evoting system is for one group to fully control its deployment and then totally lose:  this happened recently in India to the BJP whose pet voting machine company installed [[e-voting]] all over India, and then Congress Party got elected!  That is the only proof of honesty:  the clique being entirely locked out.  And sorry, the final results prove that the clique was far from locked out.  The only person who is actually not a vile [[sysop vandal|vandal]] or [[vile mailing list|spreader of lies]], barely got in, and she's literally the only one on the top six who did.  Next time it's the clique all the way. --[[142.177.X.X]]

This is made possible by displaying the encrypted election records. When someone votes, their election record both in plain text and in encrypted form is displayed to them. They may then check to make sure it appears on the dump. If it spontaenously disappears, then they can raise the alarm bells. A developer could rig it so that a different dump is displayed to the general public than to the private key holder, but the private key holder could check for this by requesting copies of the dump downloaded by other people. 

:Only a tiny number of people know how to do this kind of [[audit]].  As with [[vandalbot]] code, there are extreme technical barriers to understanding it - meaning insiders always have an edge.  [[E-voting]] is inherently untrustworthy. --[[142.177.X.X]]

::Actually this procedure was quite clearly explained to me by the board vote code. It stated that you may download a copy of this plain text and that encrypted to later on check that the encrypted version is still included in the "dump". As simple as that. As far as I understand computer science I must say that meticulous detail has been has been put into this fine piece of code by Tim Staring --[[User:Juxo|Juxo]] 11:50, 29 Jun 2004 (EEST)

Any paranoid member of the general community can check for disappearing vote records by regularly downloading the entire dump and comparing new dumps and old dumps side by side. Voting records will indeed disappear from the dump due to the election administrator striking out invalid votes, or when someone votes twice. But if such removals are challenged, they can be checked for legitimacy by a third party examining the log.

:So write up an audit protocol that an ordinary IQ 100 no-programming-skill user can carry out, to determine by spot audits if everything always matches. --[[142.177.X.X]]

::It already exits --[[User:Juxo|Juxo]] 11:50, 29 Jun 2004 (EEST)

An improvement to this system would be to sign encrypted election records with a secret key stored on the server. With the current system, if someone's vote disappears, the administration could conceivably claim that they are making up the story. If they have a signed record to prove that they did actually vote, it means that either the votes were tampered with or that the claimant hacked into the server and obtained the private key. Either case should be sufficient cause to declare the election invalid. 

Secrecy, that is preventing anyone from discovering who voted for who, is also very important. My original idea was to preserve secrecy except from the private key holder. I later realised that simply leaving the username off the encrypted records would discourage casual snooping by the private key holder. It also makes it harder for a developer to breach secrecy by reading the temporary files input to GPG. I made no effort to prevent a determined private key holder from working out who voted for who, although this may be possible in principle.

:[[w:political privacy]] is another matter entirely - some think it should not exist.  Only real communities making decisions of real importance probably need truly and totally secret ballots.  This would be lower priority: --[[142.177.X.X]]

A developer may breach secrecy in several ways, such as installing a packet sniffer, or modifying the voting code such that unencrypted votes are logged. However these methods are detectable, and difficult enough so that casual snooping is impossible. Dectability adds an element of risk for a developer wanting to breach secrecy. Note that for breaches of secrecy to be detected, there must be a vigilant non-corrupt person with root access to the servers.

:This "vigilant non-corrupt person with root access to the servers" probably does not exist. [[User:Brion]] maybe.  He has not participated in [[echo chamber]]s or [[developer vigilantiism]].  But there will not always be such a trusted person in that role. --[[142.177.X.X]]

Wikipedia has a diverse group of developers with root access. Others wishing to use a similar voting system may not be so lucky. In such cases, it may be better to use an external company to provide the web hosting, and to allow only a trusted neutral person access to that machine, or to allow a diverse group of people access, for oversight. -- [[User:Tim Starling|Tim Starling]] 10:44, 27 Jun 2004 (EEST)

:Well you are thinking correctly but narrowly about the basic problems of the voting protocol.  You might have fun over at [http://www.civicactions.org civicactions.org] detailing some of this in the context of the US elections. --[[142.177.X.X]]

:The real problem is of course "who gets to vote" - no matter what their contributions and no matter how correct or eloquent they are, [[trolls]] do not by definition give [[Wikimedia]] money to oppress them, so, they do not vote in this corporate system Bomis has set up to continue [[Wikimedia corruption]] of the [[GFDL corpus]], and to lie to [[GFDL corpus access provider]]s about what is a [[GFDL violation]].  Since the whole purpose of [[Wikimedia]] is lies, it does not seem that it would necessarily be morally wrong for liars and vote-riggers to run it. - [[obvious troll]]s --[[142.177.X.X]]