A solution for decentralized, verified and anonymous online voting

The technical context - a general solution for decentralized official user authentication and petitions

The trust-forum project starts with a decentralized user authentication system. It is based on a decentralized network of thousands of independent servers, each server hosting hundreds or thousands of accounts, where each user is free to choose the host where he registers his account, and to move his account to another host if he is not satisfied with it.
No matter whether the method to first log a user in to one site is kept or changed, the point is that, once logged in to his main account (where he chose to register), a user will then be automatically (in 1 click) authenticated to any other site he needs. So I envision a multiplicity of independent sites which can host accounts of users, from which they can still connect to other services and users hosted elsewhere. This can provide a global structure for the Internet, helping freedom on a worldwide scale, and successfully handle a diversity of problems that require neither discerning nationality nor counting people to enforce a rule of "1 person = 1 voice" (I see many uses, even political ones, that are not a matter of voting and thus do not require such verification).
Now, this latter problem can also be handled as follows: instead of having one unique login platform for the whole country, every citizen can officially declare which online identity he will use for his "official" operations. This list being public, any site that requires the official authentication of a citizen, when getting an authentication request under some online identity, can check against the list that this identity is the one of a specific citizen (and also that any 2 such identities are those of 2 different citizens). This way any user can keep the authentication made by his general user account at his host, in which he can also do anonymous (but still trusted) operations, with no need to call on a central state authentication system each time he wants to make an official operation.
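The list check described above, as an added example that is not part of the original page. It assumes identities of the form user@host that the user's host has already authenticated, and a constructed public list; the function names and record layout are hypothetical.

```python
def normalize(identity):
    """Compare identities case-insensitively and without stray whitespace."""
    return identity.strip().casefold()

def build_registry(entries):
    """Map identity -> citizen; reject a list that breaks the one-to-one rule."""
    by_identity, citizens = {}, set()
    for citizen, identity in entries:
        key = normalize(identity)
        if key in by_identity:
            raise ValueError(f"identity declared twice: {key}")
        if citizen in citizens:
            raise ValueError(f"citizen declared two identities: {citizen}")
        by_identity[key] = citizen
        citizens.add(citizen)
    return by_identity

def tally(registry, signatures):
    """Count each citizen once; return (count, rejected signatures with reason)."""
    signed, rejected = set(), []
    for identity in signatures:
        citizen = registry.get(normalize(identity))
        if citizen is None:
            rejected.append((identity, "not in public list"))
        elif citizen in signed:
            rejected.append((identity, "already signed"))
        else:
            signed.add(citizen)
    return len(signed), rejected

# Constructed public list: (citizen reference, declared online identity)
PUBLIC_LIST = [
    ("C-001", "alice@host-a.example"),
    ("C-002", "bob@host-b.example"),
    ("C-003", "carol@host-a.example"),
]
# Constructed petition: one repeat under different casing, one undeclared identity
SIGNATURES = ["alice@host-a.example", "Bob@Host-B.example",
              "ALICE@host-a.example ", "mallory@host-c.example"]

if __name__ == "__main__":
    count, rejected = tally(build_registry(PUBLIC_LIST), SIGNATURES)
    print(count, rejected)
```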

Voting procedure to ensure verifiability with privacy

Here is an idea I had on how to combine verifiability and privacy (anonymity).
I do not know if it has already been considered (I did not read the literature on the subject).
It will combine most qualities generally expected from voting systems (except one, which is probably impossible to satisfy for online voting: preventing the risk of buying a given person's vote, or forcing him to make a given vote, by an explicit threat or request to him, to which he would actively comply by providing a proof of his compliance).

Here is the method, to be implemented in the new framework of the trust-forum project; it does not even need remote authentication of the user to the central server of the vote, as local authentication at his host suffices.
The last problem is to prove that every host correctly published the true number of voters, and did not commit any ballot stuffing by pretending to have had more voters (i.e. fewer abstentions) than the true number. Namely, abstentionists registered at each host need to be able to count their number, and check that they are no more numerous than the host says - anonymously, even if they don't know each other, don't want to tell each other who they are, and even if some of them died in between. Yes. We need this, and it can be done. Here is how:

How to avoid buying votes

Once he has voted, instead of getting only the certificate for his own ballot, the user can receive several certificates for different ballots filled by other people, which express different choices. (Say, the host cannot immediately provide a certificate to the first voter, but waits until it has, hopefully, received several votes expressing different choices before it starts providing certificates.) Thus, the ability for a user to provide to someone else a certificate for one ballot does not prove to the other person that this is the certificate for his own vote; only he knows which of the certificates gives the proof of his own vote, as it is the one that carries his ballot number, which he previously copied on a piece of paper.
A possible loophole in this scenario is if the vote buyer says "Make vote X with verification number Y", so that the user has little chance of having got such a certificate if he did not cast this vote himself.

To try to prevent this, we can consider having a smaller range of allowed verification numbers, say from 1 to 4, and a user can make a request to his site: "Can you give me any certificate of a vote cast for choice X and with verification number Y?" This is not always possible, but as it may sometimes happen, the vote buyer loses certainty of having really made the person cast the vote he wants; he may notice that he has been fooled if several vote sellers send him the same certificate, but he cannot know who fooled him.
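How much cover the small range gives, as an added example that is not part of the original page. It assumes a certificate is a (ballot number, choice, verification number) triple, that verification numbers are uniform over the allowed range, and that the host may hand out a certificate for any ballot cast at that host; all names and the sample pool are constructed.

```python
import math

def find_decoy(pool, choice, vnum, own_ballot_no):
    """Return another voter's certificate matching (choice, vnum), or None."""
    for ballot_no, c, v in pool:
        if ballot_no != own_ballot_no and (c, v) == (choice, vnum):
            return (ballot_no, c, v)
    return None

def cover_probability(n_others, share, vrange):
    """Chance that at least one of n_others ballots matches a demanded pair.

    share  = fraction of the host's voters picking the demanded choice
    vrange = number of allowed verification numbers (assumed uniform)
    """
    return 1.0 - (1.0 - share / vrange) ** n_others

def min_pool_size(share, vrange, target):
    """Smallest number of other ballots giving cover_probability >= target."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - share / vrange))

# Constructed pool at one host: (ballot number, choice, verification number)
POOL = [(17, "Y", 1), (42, "X", 2), (58, "Y", 4), (63, "X", 1)]

if __name__ == "__main__":
    # Voter 17 cast Y/1 but was told to show a certificate for X/2.
    print(find_decoy(POOL, "X", 2, own_ballot_no=17))
    # Range 1..4 versus a range of a million, for a choice 25% of voters pick.
    print(min_pool_size(0.25, 4, 0.95), min_pool_size(0.25, 1_000_000, 0.95))
```

With the range 1 to 4 a host of a few dozen voters already makes the demanded certificate almost always available, which ties this defence to the concern about hosts with too few accounts.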

We can imagine more complicated methods by which vote buyers could try to buy votes, and methods to prevent them; but the more complicated it is to buy votes, the less likely it is to be operated at any significant scale. Anyway, there can always be a heavy method of selling your vote, that is by filming yourself following whatever voting procedure there is, and sending this film to the buyer; this might still not be an absolute proof, as the film might have been edited...

More options

The above scenario might be considered as not offering sufficient anonymity protection. On the one hand, it assumes that every user, having freely chosen the host of his account, trusts this host to protect the confidentiality of his vote, and that this trust will not be betrayed. On the other hand, there may be hosts with too few user accounts, or politically oriented hosts whose users often have the same opinions, so that the very fact of a person having his account at a specific host already reveals his choice of vote.
These possible problems have natural solutions in the form of a diversity of options for how each user will participate in the vote. This diversity of possible methods of participating in votes is just the same as the generally available diversity of methods of participating in any other social web application in the framework of the Trust-forum network, thus making this case of the online voting problem a typical example of some aspects of how the Trust-forum network generally aims to work.
Here are these options:

How can a user change host during the time of vote

This may be because the host is down, or the user lost access to his account, or the user could not get a valid certificate for his vote, or he already sold his vote and wants to cancel the effect, or for any other justified or unjustified reason. Unless there is a good reason for most users of a given host to agree on using a common new host in replacement of the defective one, they will have to make their own choices of where to move among existing hosts. So for this case:

(Not sure if there is any advantage or inconvenience in having a "compact" global list of ballots, i.e. of all numbers no greater than the total number of voters, rather than a "spaced" one with a hidden list of random unattributed ballots available for those who would move in between, and that would only be publicly known as unattributed during the final public release of voting results.)

And what about people not familiar with computers, who have no internet at home and even no online identity?

Simple: concrete voting offices can still be used as hosts among others (some hosts would be web hosts as described above, other "hosts" would be voting offices). The voting office can contain a box of ballots, into which each voter puts his hand to take one envelope at random containing a paper ballot, and finds on the paper his ballot number, which he can take with him after voting...

What content of the vote can bring meaningful result

For votes of the type "Choosing the best candidate for everybody from a list" (when there are more than 2 candidates), there is the usual problem of how to ensure that people really express their intention and avoid the bias of "useful strategic voting" depending on possibly false rumors of who may have better chances of success. For this I think the right solution is the Condorcet method.
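A pairwise tally in the Condorcet sense, as an added example that is not part of the original page. It assumes each ballot is a ranked list of candidates and that candidates left off a ballot tie for last place; the ballots are constructed, and the cycle case returns no winner because the page names no completion rule.

```python
from itertools import combinations

def pairwise_wins(ballots, candidates):
    """wins[a][b] = number of ballots ranking a strictly above b."""
    wins = {a: {b: 0 for b in candidates if b != a} for a in candidates}
    for ranking in ballots:
        if len(set(ranking)) != len(ranking) or not set(ranking) <= set(candidates):
            raise ValueError(f"invalid ballot: {ranking}")
        # Assumption: candidates left off a ballot are tied for last place.
        rank = {c: i for i, c in enumerate(ranking)}
        last = len(ranking)
        for a, b in combinations(candidates, 2):
            ra, rb = rank.get(a, last), rank.get(b, last)
            if ra < rb:
                wins[a][b] += 1
            elif rb < ra:
                wins[b][a] += 1
    return wins

def condorcet_winner(ballots, candidates):
    """Candidate who beats every rival head-to-head, or None if there is none."""
    wins = pairwise_wins(ballots, candidates)
    for a in candidates:
        if all(wins[a][b] > wins[b][a] for b in candidates if b != a):
            return a
    return None  # cycle or tie: a completion rule would have to decide

def plurality_winner(ballots):
    """First-choice count only, the tally that invites strategic voting."""
    firsts = [r[0] for r in ballots if r]
    return max(sorted(set(firsts)), key=firsts.count)

CANDIDATES = ["A", "B", "C"]
# Constructed ballots: B is few voters' first choice but nobody's last.
SAMPLE = [["A", "B", "C"]] * 4 + [["C", "B", "A"]] * 3 + [["B", "C", "A"]] * 2
# Constructed cycle (A beats B, B beats C, C beats A): no Condorcet winner.
CYCLE = [["A", "B", "C"], ["B", "C", "A"], ["C", "A", "B"]]

if __name__ == "__main__":
    print("plurality:", plurality_winner(SAMPLE))
    print("condorcet:", condorcet_winner(SAMPLE, CANDIDATES))
    print("cycle:", condorcet_winner(CYCLE, CANDIDATES))
```

On the sample, a first-choice count elects A while the pairwise tally elects B, so a voter who prefers B has no reason to desert him on a rumor that he cannot win.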
