[Foundation-l] Election query

Tim Starling t.starling at physics.unimelb.edu.au
Sat Sep 23 23:51:46 UTC 2006


Alison Wheeler wrote:
> I didn't want to ask this actually while voting was open in case anyone
> got worried, but now that voting has closed I'd like to ask something.
> 
> How are our votes actually counted and, more importantly, how can we each
> be certain that the votes we made are actually the ones which are being
> counted?

The voting system allows for spot-checks as follows:

* Download [[Special:Boardvote/dump]], and check that your record is there
* Check that your encrypted record has been signed with the appropriate 
secret key (some votes in the first few hours of voting were signed with 
the expired 2005 key, but most were signed with the 2006 key)
* Contact an election administrator, confirm your identity. Tell them 
your encrypted record and who you voted for. Ask them to decrypt your 
election record to ensure that the two match.

Spot checks like this provide some assurance against wide-scale 
falsification of the records. However, the voting system is not 
perfectly secure. For example, with root access to the servers, you 
could add false votes for nonexistent people to the dump. This is 
theoretically detectable, but it would be possible for such things to go 
unnoticed. Small-scale fraud (small enough to escape random checks) is 
also possible by compromising the client computer. And since we don't 
yet use SSL, there is some vulnerability to compromise of the 
communications channel.

I hope I'm not giving people a false sense of security by implementing 
all this encryption stuff. The goal is only to make detection of attacks 
easier, or at least theoretically possible. The absolute security of the 
system still depends on the security of the constituent parts, namely: 
the election administrators, the servers, the clients and the network. 
There is plenty of room for improvement in each department.

-- Tim Starling
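
The point above about wide-scale versus small-scale falsification can be put in numbers. The Python below is an added example, not part of the original post or of the voting software: it assumes the altered records belong to real voters, that the voters who complete a spot check are a uniform random sample, and the ballot counts are constructed. It does not model votes added for nonexistent people, which no voter's own spot check would reveal.

```python
from math import comb


def detection_probability(total, altered, checkers):
    """Chance that at least one of `checkers` randomly chosen voters
    finds that their own record is one of the `altered` ones
    (sampling without replacement from `total` records)."""
    if not (0 <= altered <= total and 0 <= checkers <= total):
        raise ValueError("altered and checkers must lie in 0..total")
    if checkers > total - altered:
        return 1.0  # more checkers than untouched records: a hit is certain
    # P(no checker hits an altered record) = C(total-altered, n) / C(total, n)
    return 1 - comb(total - altered, checkers) / comb(total, checkers)


def min_checkers(total, altered, confidence):
    """Smallest number of spot checks giving at least `confidence`
    probability of detection, or None if nothing was altered."""
    if altered == 0:
        return None
    for n in range(total + 1):
        if detection_probability(total, altered, n) >= confidence:
            return n
    return total


if __name__ == "__main__":
    TOTAL = 2000  # constructed ballot count, not taken from the post
    for altered in (5, 50, 500):
        p20 = detection_probability(TOTAL, altered, 20)
        need = min_checkers(TOTAL, altered, 0.95)
        print(f"{altered:4d} altered: P(detect | 20 checks) = {p20:.3f}, "
              f"checks needed for 95% = {need}")
```

With a fixed number of checkers, detection probability rises steeply with the number of altered records, which is why spot checks deter wide-scale falsification far better than they deter a handful of changes.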



