Are there details about the processes in place to ensure the May First online voting system at vote.mayfirst.org accounts for the various security issues surrounding Internet voting? For example, what processes are in place to:
- prevent people from voting more than once (say using a different IP address)
- prevent system administrators from changing votes
- ensure the anonymity of voters
- enable voters to track their vote and make sure it’s correctly counted
- monitor to make sure outside attackers aren’t manipulating vote counts in some way
- ensure members are not being coerced by a physical attacker
I haven’t used the system yet, so I apologize if these details are stated somewhere obvious.
These are all valid questions jasond. Some of this will become clearer when you use the system for the first time this Dec but I’ll do my best to answer here. But first- to give you some context, while we definitely want our elections to be secure and fair our biggest challenge at this point in our democratic development is increasing member participation. In our last election for example, we had less board member candidates than available seats. So in this context with our voting system we are trying to strike a balance between ease of use , sustainability, and security.
In the current system each member will receive a unique token as a link they will use to vote. Reusing the token from the same or other up addresses will allow you to update your selections but will only be counted once.
We would never manipulate results, but system administrators do have access to the database under the current system.
Votes are not anonymous however nowhere do we reveal or review internally how each member has voted.
The current system does not provide a mechanism for members to verify their vote was counted themselves however if anyone raised the issue we could technically confirm for them via the database.
We do some basic monitoring of http requests to identify possible intrusion attempts.
We do not have a mechanism to ensure that member votes are not coerced by a physical attacker.
So yes there is definitely room for improvement but again, in our context some of the concerns and scenarios you raise are less relevant than others. I do think we should strive to model best practices with our online voting system and it is something we can continously iterate over in the future but the current system has worked without issue so far.
If you have any examples of existing open source systems that solve the problems you list above it might be nice to list them here.
I think Jaime covers it all.
Personally, I think the biggest weakness is that it’s administered by staff. At some point, it would be a good idea to move to a third party site. I think our biggest technical hurdle is our system of giving individuals one vote and organizations two votes - I’m not sure if any generic voting sites could support that out of the box.
Does linking our member account with the voting (and then, reducing that info sharing, counting double votes, etc.) would simplify this issue?
I’m not sure I understand your question @mercovich ? I do think we could massage the data prior to giving it to a third party voting system and figure out a way to make the 1 vote for individuals vs 2 votes for organizations work. Nothing is ever impossible - it’s just a question of how much work and is it worth it? Or in this case, I think we will have to do this eventually, the question is when does it become the priority?
Not a priority at all, just a question. If instead of sending something by mail (voting token or whatever) we can give it when someone logs in.
But just a loose question for the future, not now.
Oh - I see what you mean. Yes, we could provide a link to the voting site (with your token embedded in it) when you log in to the control panel - that might help with increasing our voting numbers for anyone who doesn’t get the email. But that doesn’t really solve any of Jason’s security or anonymity concerns.
Our voting system currently does an excellent job preventing people from voting more than once - there’s a finite number of tokens generated and there’s only one vote per token, so you really can’t vote twice. The real problem is anonymity and having staff administer the system. At some point we’ll need to pay a third party to adminster our elections.
At the moment, though, it’s hard enough to get people to be interested in voting, much less interested enough to care about how we administer it!