Mailing List Archive

Election query
I didn't want to ask this actually while voting was open in case anyone
got worried, but now that voting has closed I'd like to ask something.

How are our votes actually counted and, more importantly, how can we each
be certain that the votes we made are actually the ones which are being
counted?

I ask this because of the issues raised in the USA about election fraud
(http://en.wikipedia.org/wiki/Diebold#Security_Concerns etc.) and wondered
whether the same could happen with us. After all, the voting isn't being
carried out on independent servers; it is on Wikimedia servers and,
presumably, a lot of people have access to those who could do things
without leaving a trace.

I am *not* meaning to imply that anything has been done, but I would very
much like to know what security voters like myself have that our votes
have been correctly recorded and tallied.

Alison Wheeler
_______________________________________________
foundation-l mailing list
foundation-l@wikimedia.org
http://mail.wikipedia.org/mailman/listinfo/foundation-l
Re: Election query
Technical aspects can be answered only by Tim Starling, I guess.

As for counting in human factors, once encrypted data are opened by
Election Official(s) and summed up. I am engaging to examine the
authentication of vote and not participating in counting precisely,
and haven't asked Tim the secret key (one cannot release the
information she doesn't know, so I don't want to know the data which I
absolutely need to know), that is all that I can tell you.

Hoping it helps to solve your worrying,

Sincerely,
Kizu Naoko,
Wikimedia Election Committee 2006

On 9/24/06, Alison Wheeler <wikimedia@alisonwheeler.com> wrote:
> I didn't want to ask this actually while voting was open in case anyone
> got worried, but now that voting has closed I'd like to ask something.
>
> How are our votes actually counted and, more importantly, how can we each
> be certain that the votes we made are actually the ones which are being
> counted?
>
> I ask this because of the issues raised in the USA about election fraud
> (http://en.wikipedia.org/wiki/Diebold#Security_Concerns etc.) and wondered
> whether the same could happen with us. After all, the voting isn't being
> carried out on independent servers; it is on Wikimedia servers and,
> presumably, a lot of people have access to those who could do things
> without leaving a trace.
>
> I am *not* meaning to imply that anything has been done, but I would very
> much like to know what security voters like myself have that our votes
> have been correctly recorded and tallied.
>
> Alison Wheeler

Re: Election query
On 9/23/06, Alison Wheeler <wikimedia@alisonwheeler.com> wrote:
> I didn't want to ask this actually while voting was open in case anyone
> got worried, but now that voting has closed I'd like to ask something.
>
> How are our votes actually counted and, more importantly, how can we each
> be certain that the votes we made are actually the ones which are being
> counted?
>
During the first election I asked this and what I got from the
discussion was that this can't be done. The process used for
encryption generates random padding so that re-encrypting the exact
same message using the same public key will produce a different result
every time. My "receipt" did not indicate any information about this
random string/padding.

Things might have changed, or maybe I was informed incorrectly about
this the first time. In any case the message certainly seems to
contain more information than just your vote, as I'm pretty much
certain that someone else voted exactly the same way as me and yet my
encrypted vote is not duplicated in the list of votes. (Doing a
Google search appears to confirm that we all had the same encryption
and signing keys of 0x4E86F78C and 0xA12C1339, respectively.)

> I ask this because of the issues raised in the USA about election fraud
> (http://en.wikipedia.org/wiki/Diebold#Security_Concerns etc.) and wondered
> whether the same could happen with us. After all, the voting isn't being
> carried out on independent servers; it is on Wikimedia servers and,
> presumably, a lot of people have access to those who could do things
> without leaving a trace.
>
If you copied your "resulting encrypted version" when you voted, then
you can look at [[Special:Boardvote/dump]] to ensure that it hasn't
been tampered with *since voting*. Of course this doesn't ensure that
your vote wasn't tampered with *at the time of voting*. If what I've
said above is correct, the only ways to do that would be to either
decrypt your vote with the private key or to obtain the information
about the random padding from someone who has access to the private
key. That private key is almost surely not going to be released to
the public, though it could theoretically be used to spot check
certain votes. As for releasing the random padding information to
anyone who wants to check their own vote, that's probably possible,
assuming there is no information in the raw (padded) unencrypted
message which is sensitive.

Anthony

Re: Election query
Alison Wheeler wrote:
> I didn't want to ask this actually while voting was open in case anyone
> got worried, but now that voting has closed I'd like to ask something.
>
> How are our votes actually counted and, more importantly, how can we each
> be certain that the votes we made are actually the ones which are being
> counted?

The voting system allows for spot-checks as follows:

* Download [[Special:Boardvote/dump]], and check that your record is there
* Check that your encrypted record has been signed with the appropriate
secret key (some votes in the first few hours of voting were signed with
the expired 2005 key, but most were signed with the 2006 key)
* Contact an election administrator, confirm your identity. Tell them
your encrypted record and who you voted for. Ask them to decrypt your
election record to ensure that the two match.

Spot checks like this provide some assurance against wide-scale
falsification of the records. However, the voting system is not
perfectly secure. For example, with root access to the servers, you
could add false votes for nonexistent people to the dump. This is
theoretically detectable, but it would be possible for such things to go
unnoticed. Small-scale fraud (small enough to escape random checks) is
also possible by compromising the client computer. And since we don't
yet use SSL, there is some vulnerability to compromise of the
communications channel.

I hope I'm not giving people a false sense of security by implementing
all this encryption stuff. The goal is only to make detection of attacks
easier, or at least theoretically possible. The absolute security of the
system still depends on the security of the constituent parts, namely:
the election administrators, the servers, the clients and the network.
There is plenty of room for improvement in each department.

-- Tim Starling
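
The padding problem Anthony describes and the decrypt-and-compare spot check in the message above, as an added example that is not part of the thread and is not the Boardvote code. It is a toy: textbook RSA with PKCS#1 v1.5-style random padding stands in for OpenPGP's randomized encryption, and the key, the function names and the sample ballot are all assumptions made for the illustration.

```python
import secrets

# Toy RSA key built from two Mersenne primes: insecure, demonstration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the election admin
K = (N.bit_length() + 7) // 8      # modulus length in bytes

def random_padding(vote: bytes) -> bytes:
    """Fresh nonzero random bytes that fill the block (PKCS#1 v1.5 style)."""
    return bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(vote)))

def encrypt(vote: bytes, padding: bytes) -> int:
    """Public-key operation: anyone can run it; the result depends on padding."""
    block = b"\x00\x02" + padding + b"\x00" + vote
    if len(block) != K or 0 in padding:
        raise ValueError("padding must be nonzero and fill the block")
    return pow(int.from_bytes(block, "big"), E, N)

def decrypt(record: int) -> bytes:
    """Private-key operation: strips the padding and returns the vote."""
    block = pow(record, D, N).to_bytes(K, "big")
    if block[:2] != b"\x00\x02":
        raise ValueError("not a validly padded record")
    return block[block.index(b"\x00", 2) + 1:]

def voter_check(vote: bytes, padding: bytes, receipt: int, dump: list) -> bool:
    """No private key needed: the receipt is in the dump and re-encrypting
    the intended vote with the retained padding reproduces it."""
    return receipt in dump and encrypt(vote, padding) == receipt

def admin_spot_check(claimed_vote: bytes, record: int) -> bool:
    """Administrator decrypts the record and compares it with the claim."""
    return decrypt(record) == claimed_vote

if __name__ == "__main__":
    vote = b"candidate-A"                      # constructed sample ballot
    pad1, pad2 = random_padding(vote), random_padding(vote)
    r1, r2 = encrypt(vote, pad1), encrypt(vote, pad2)
    dump = [r1, r2]                            # constructed published dump
    print("identical votes, identical records?", r1 == r2)
    print("voter check with own padding:", voter_check(vote, pad1, r1, dump))
    print("voter check with other padding:", voter_check(vote, pad2, r1, dump))
    print("admin spot check:", admin_spot_check(vote, r1))
```

A receipt that carries only the encrypted record supports the membership half of `voter_check`; the re-encryption half needs the padding, which is the information Anthony says his receipt did not include.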

Re: Election query
Anthony wrote:
> On 9/23/06, Alison Wheeler <wikimedia@alisonwheeler.com> wrote:
>> I didn't want to ask this actually while voting was open in case anyone
>> got worried, but now that voting has closed I'd like to ask something.
>>
>> How are our votes actually counted and, more importantly, how can we each
>> be certain that the votes we made are actually the ones which are being
>> counted?
>>
> During the first election I asked this and what I got from the
> discussion was that this can't be done. The process used for
> encryption generates random padding so that re-encrypting the exact
> same message using the same public key will produce a different result
> every time. My "receipt" did not indicate any information about this
> random string/padding.
>

It's part of the OpenPGP protocol.

--
Alphax - http://en.wikipedia.org/wiki/User:Alphax
Contributor to Wikipedia, the Free Encyclopedia
"We make the internet not suck" - Jimbo Wales
Public key: http://en.wikipedia.org/wiki/User:Alphax/OpenPGP