No Peeking/Voting Security

Proposals for legislation and discussions of these

Moderator: SC Moderators

Post Reply
Beathan
Forum Wizard
Forum Wizard
Posts: 1364
Joined: Sun Oct 29, 2006 3:42 pm

No Peeking/Voting Security

Post by Beathan »

I support the goals of these bill and don't mind the text or approach of either bill (provided my suggested changes are incorporated). However, both bills are on the same subject matter, but take somewhat different and incompatible approaches. Thus, I think it is unwise to pass both bills. However, I don't really want to start the current session of the RA with a partisan squabble and power play between NuCARE and the CSDF.

What I would prefer to do is to try to merge the proposals into a single bill with multiparty support. I think that, because these bills are on a subject that will not matter until the next election -- we have plenty of time to try to craft a compromise using the text and goals of these bills. I would suggest a working session on these bills rather than a vote tomorrow.

Beathan

Let's keep things simple enough to be fair, substantive enough to be effective, and insightful enough to be good.
Jon Seattle
I need a hobby
I need a hobby
Posts: 648
Joined: Mon May 29, 2006 6:18 am

Re: No Peeking/Voting Security

Post by Jon Seattle »

Beathan,

I think you have gotten too used to my being a representative of a faction. I would very much welcome CSDF support, but this is my proposal as a private citizen. I think CSDF is generally in favor, but I have no definite idea how they will vote.

The SC should have firmer rules on the issues touched on in this bill. My guess is by consulting with experts and stakeholders, they could well develop very good ones. I have a slight preference, because of the issue of the balance of powers, to have the SC develop these rules as part of their procedures rather than through an amendment.

My main concern is that if the RA does pass a bill on these issues, such as the NuCARE bill, we need to be careful that it does not make future elections very difficult, or weaken our ability to monitor the voting process. I wrote up what I thought would be a reasonable basic set of controls and procedures. I think your proposal on the release of voting data is an invaluable contribution.

If the RA does have to specify this to the SC, it may as well specify something that is technically feasible and provides reasonable security. I am not sure, and would be very interested in hearing, what remains of the NuCARE bill if you allow the SC and its deputies to examine the data and maintain multiple audit trails. If it applies mainly to non-SC non-deputies, it does this weird thing of preventing individuals from reading data that may be made public.

I am fine with putting this off for a future working session, if both bills are handled in the same way.

Best,

Jonathan

Beathan
Forum Wizard
Forum Wizard
Posts: 1364
Joined: Sun Oct 29, 2006 3:42 pm

Re: No Peeking/Voting Security

Post by Beathan »

Here is my proposed combined bill -- including a short Constitutional Amendment and a longer related statute (to address concerns about expanding the size of the Constitution unnecessarily). I also propose certain amendments to reflect points of controversy between the two proposals and the proposals and my proposed amendment. I will send this text to Pat by notecard as well. If I mistakenly included controversial points in the main body, please tell me by posting here and I will try to recraft the section by taking out the controversial portion and reproposing it as a potential amendment. My proposal of the amendment language should not be taken as my support for those positions. I particularly object to amendment 3, which is taken from the "No Peeking" bill.

Voting Amendment

In order to clarify the operations and rules for operating software used to hold RA elections, the following will be added to article 2 of the constitution:

The Scientific Council shall deputize one or more citizens to provide software, hosting services, and operations support for the election of the RA. These deputies shall institute a voting process that complies with voting rules and procedures as passed by the RA. The RA shall have the power to pass such voting rules and procedures by statute.

Voting Security Bill:

1. During the period when CDS polls are open, no individual shall be permitted to examine or publish any files or data streams containing data generated by CDS voting machines except to the extent needed to run the technical aspects of the election. To this end, the SC or its deputy or deputies shall neither inquire into election results or comment on election results nor release data, either detailed votes or aggregate figures, to any person, other than a member of Scientific Council or a designated election deputy, until the polls close and results are certified, and then shall examine results or comment on results only to the extent needed to discover and discuss technical problems with the software or other voting system. Further, all such data shall be kept strictly confidential until the polls are closed.

2. Insure that software used in the election implements the rules for eligibility, voting, and counting votes as described in the constitution.

3. Maintain server and application security, providing privileged access only to the SC members or their designates, and then only to the extent allowed in paragraph 1 herein.

4. Build into software, where possible, the ability for citizens to check that their votes are correctly registered, and maintain a complete time-stamped record of every transaction that results in a vote being cast.

5. Provide copies of all software source code to the SC for review, and on request, provide detailed explanations on the operation of that software.

6. (Or 7.) After the voting, but before certification, the voting data, including individual votes with the voter identification information redacted, shall be publicly available to all citizens and shall be posted, as a historical document, on the CDS Wiki. This information should be in a form that can be used by citizens and factions to analyze the history of voting over time and in detail such that citizens and factions can discover (1) voting trends during an election (2) the "natural coalitions" of parties that share support among voters, (3) whether factions primarily enjoy support as a primary party or as a support or secondary party, and (4) whether there were voting improprieties or confusion that should be considered by the SC prior to certification of the result.

None of these restrictions will be taken to restrict any deputy’s civil rights, including the right to equal suffrage, the right to hold and execute the duties of elected public office, or the right to free speech apart from the specific agreement described by this amendment.

Amendments:

Add to end of the second to last sentence in 1: “or to provide unidentified detailed votes as well as aggregate figures on a daily basis to the members of the Scientific Council so they may monitor the availability and accuracy of the voting software.”

Add “6. On request by the SC, provide unencumbered root user access to servers, including software, database, and log files to SC members or their designates.”

Add to end of last sentence in paragraph 1, “and the results are certified by the Scientific Council and announced by the Chancellor.” and replace the phrase in Paragraph 6(7) “After the voting, but before certification,” and replace with “After voting and certification.”

Beathan

Let's keep things simple enough to be fair, substantive enough to be effective, and insightful enough to be good.
Jon Seattle
I need a hobby
I need a hobby
Posts: 648
Joined: Mon May 29, 2006 6:18 am

Re: No Peeking/Voting Security

Post by Jon Seattle »

Thanks Beathan, for getting this started!

Beathan wrote:

1. During the period when CDS polls are open, no individual shall be permitted to examine or publish any files or data streams containing data generated by CDS voting machines except to the extent needed to run the technical aspects of the election. To this end, the SC or its deputy or deputies shall neither inquire into election results or comment on election results nor release data, either detailed votes or aggregate figures, to any person, other than a member of Scientific Council or a designated election deputy, until the polls close and results are certified, and then shall examine results or comment on results only to the extent needed to discover and discuss technical problems with the software or other voting system. Further, all such data shall be kept strictly confidential until the polls are closed.

Perhaps change “and then” to “in this case”?



Would a software developer be allowed to consult with the SC on the constitutionality of the interpretation of the constitution as embodied in the software? At least right now, that section of the constitution is pretty ambiguous (to say the least).

Beathan wrote:

3. Maintain server and application security, providing privileged access only to the SC members or their designates, and then only to the extent allowed in paragraph 1 herein.

On modern computer systems, “privileged access” opens all data to the user. A less-privileged level of access, that was still more privileged than a voter’s, would have to be implemented. I am not at all sure what such a level of access would show if neither aggregates nor raw data could be accessed.



I would mistrust the results of the election where only the system administrator and programmer had access to the data. Among other things there would be no way for others to detect a program error or intentional tampering.


Denying the system administrator and programmer data access is a funny thought, but is not really something that can be done. There is no way to determine if the system administrator or programmer has accessed data.
 It is sometimes necessary for an administrator or programmer to examine data (for example examining web server logs, etc) in order to make sure the system is operating correctly.

Amendments:

Beathan wrote:

Add to end of the second to last sentence in 1: “or to provide unidentified detailed votes as well as aggregate figures on a daily basis to the members of the Scientific Council so they may monitor the availability and accuracy of the voting software.”

Without this check anything could happen between the time the polls open and when the vote is certified and no one would know. Imagine, for example, that someone broke into the system just as the polls closed and changed some votes. No one would be able to detect the tampering when it happened, never mind finding evidence.

Beathan wrote:

Add “6. On request by the SC, provide unencumbered root user access to servers, including software, database, and log files to SC members or their designates.”

Without this amendment there is no way for the SC to check that the system is secure, that the software used was as represented (that new code had not be substituted), and if logs and records had been tampered with. Basically the SC would have to take the word of the people who run the system.

Beathan wrote:

Add to end of last sentence in paragraph 1, “and the results are certified by the Scientific Council and announced by the Chancellor.” and replace the phrase in Paragraph 6(7) “After the voting, but before certification,” and replace with “After voting and certification.”

I agree with you that 3 is an issue. Once votes are certified its much harder to challenge them. I would hate to discover there were serious problems only after votes had been certified.


Cindy Ecksol
Master Word Wielder
Master Word Wielder
Posts: 449
Joined: Thu Jan 10, 2008 8:37 pm

Re: No Peeking/Voting Security

Post by Cindy Ecksol »

Jon Seattle wrote:

Would a software developer be allowed to consult with the SC on the constitutionality of the interpretation of the constitution as embodied in the software? At least right now, that section of the constitution is pretty ambiguous (to say the least).

I would answer this "Yes, but only during the testing phase." Once the system has been tested to the satisfaction of the SC and the programmer and has "gone live" there could be no challenge before the polls were closed. And I agree that the data should be examined for completeness and possible interference between the time the polls close and the time the results are certified, but only by the SC with assistance from whoever they authorize as technical support.

Jon is correct in pointing out that the data will always be accessible to SOMEONE (and should be more than one someone) during the vote, but there should be clear prohibitions against discussing that data with anyone else unless there is clear evidence of a problem NOT related to the rules. In other words, if the system is working as programmed, there could be no discussion of the data, not even the raising of a rules question with the SC until the polls were closed. If, on the other hand, something is NOT working as programmed, the SC could allow discussion, but that discussion should not leave the confines of the SC before the polls are closed. Hopefully if the system is well tested before the polls open there will never be a need for this.

Cindy

Jon Seattle
I need a hobby
I need a hobby
Posts: 648
Joined: Mon May 29, 2006 6:18 am

Re: No Peeking/Voting Security

Post by Jon Seattle »

In Summary:

In our current environment any RA vote is likely to be questioned. If the SC (or someone) is unable to check on the election results at all times, whoever runs the technical side of the election will have no one to turn to confirm her or his final results. (Even a few minutes is potentially enough for the data to be changed.) I was very relieved this time that the SC did take on that role.

I happen to believe the SC is the right group to take on the oversight and auditor role during the election. I feel sorry for any technical person who runs (the technical side of) a future election without their support.

User avatar
Patroklus Murakami
Forum Wizard
Forum Wizard
Posts: 1929
Joined: Fri Jun 02, 2006 5:54 pm

Re: No Peeking/Voting Security

Post by Patroklus Murakami »

I thought we agreed at the RA meeting on Sunday that the authors of the two electoral process reform bills (Jon and ThePrincess) should meet with each other and the SC to agree a compromise? Is this bill being submitted to the RA for a vote on Sunday or to further discussion? I would prefer it if we postponed discussion on all of this until March. By then we should have worked up a sensible bill and will still have time to enact any necessary changes before the next elections in July.

Honi soit qui mal y pense
Beathan
Forum Wizard
Forum Wizard
Posts: 1364
Joined: Sun Oct 29, 2006 3:42 pm

Re: No Peeking/Voting Security

Post by Beathan »

Pat --

I think it was suggested that Jon and ThePrincess meet together -- not agreed. I don't see that the RA can agree to any such thing. As far as I know -- meeting has not occurred -- but there has been good discussion on the forum. The bills have many points of overlap -- as both authors have pointed out in their postings. I would like my proposed merged bill (with Jon's friendly amendments to paragraph 1) considered this Sunday. If the RA wants to continue at that hearing, I would not be upset -- but I think that it should be on the agenda.

Beathan

Let's keep things simple enough to be fair, substantive enough to be effective, and insightful enough to be good.
User avatar
Patroklus Murakami
Forum Wizard
Forum Wizard
Posts: 1929
Joined: Fri Jun 02, 2006 5:54 pm

Re: No Peeking/Voting Security

Post by Patroklus Murakami »

Beathan

I don't have a problem with putting this on the agenda for Sunday's meeting, I just wanted to be clear what your intentions were. The intentions of the RA in response to your suggestion are pretty clear and there was a vote on how to take it forward:

Beathan Vale: As I posted on the forum "I support the goals of these bill and don't mind the text or approach of either bill (provided my suggested changes are incorporated). However, both bills are on the same subject matter, but take somewhat different and incompatible approaches. Thus, I think it is unwise to pass both bills. However, I don't really want to start the current session of the RA with a partisan squabble and power play between NuCARE and the CSDF. What I would prefer to do is to try to merge the proposals into a single bill with multiparty support. I think that, because these bills are on a subject that will not matter until the next election — we have plenty of time to try to craft a compromise using the text and goals of these bills. I would suggest a working session on these bills rather than a vote tomorrow." Thus, I move to continue these bills for one week, during which week the proponents of the bills should meet together and meet with the SC to try to craf!
t a combined bill.

....
Beathan Vale: I move to send both bills to a working session prior to vote
Jon Seattle: I support that.
Patroklus Murakami: let's take beathan's proposal and consider that first
....
Beathan Vale: it's a while until the next election — so we should not feel rushed here
ThePrincess? Parisi: no we shouldnt
Patroklus Murakami: beathan, what do you mean by a 'working session'?
ThePrincess? Parisi: lets keep it on the forum for a while
ThePrincess? Parisi: let it evolve
ThePrincess? Parisi: we have six months
Beathan Vale: I want the proponents of the bill to meet with each other and the SC to see if we can merge the bills into a mutually agreeable compromise
....
Beathan Vale: if any secton can't be mutually agreed — it can be taken out for separate consideration as an amendement
....
Beathan Vale: I also agree to work with the proponents of these bills, as I have proposed amendements
....
Beathan Vale: much of the voting controversy has hinged on the possibility that we acted with undue haste and less than full deliberation last time — let's not do so again
Brian Livingston: Agreed
ThePrincess? Parisi: agreed beathan
....
Jon Seattle: agreed
MT Lundquist: as i said i'm happy to do that
Patroklus Murakami: i call the discussion to an end
Patroklus Murakami: let's vote on beathan's motion
ThePrincess? Parisi: fair enough
Patroklus Murakami: pls scroll back if it got lost. then i need to hear 'aye' or 'nay' from the RA members
Beathan Vale: aye
MT Lundquist: aye
Sonja Strom: aye
ThePrincess? Parisi: aye
Patroklus Murakami: aye
Brian Livingston: aye
Patroklus Murakami: thank you everyone :)
Leon Ash votes aye
Jon Seattle: Thank you

Honi soit qui mal y pense
Beathan
Forum Wizard
Forum Wizard
Posts: 1364
Joined: Sun Oct 29, 2006 3:42 pm

Re: No Peeking/Voting Security

Post by Beathan »

Pat --

Yes, that exchange was how I remembered it. My concern is that, not having a formal procedure for a "working session", I don't want to see a proposal hung up in limbo because some informal meeting has not happened.

Beathan

Let's keep things simple enough to be fair, substantive enough to be effective, and insightful enough to be good.
Jon Seattle
I need a hobby
I need a hobby
Posts: 648
Joined: Mon May 29, 2006 6:18 am

Re: No Peeking/Voting Security

Post by Jon Seattle »

I am willing in the next few days or beyond. Given how the SC schedules meetings, I suspect there would have to be a long lead time if they are to attend.

Best,

Jonathan

Jon Seattle
I need a hobby
I need a hobby
Posts: 648
Joined: Mon May 29, 2006 6:18 am

Re: No Peeking/Voting Security

Post by Jon Seattle »

Who is organizing this meeting? I has assumed since Beathan had proposed this that he would. I am glad to write to the various parties if no one else will.

Beathan
Forum Wizard
Forum Wizard
Posts: 1364
Joined: Sun Oct 29, 2006 3:42 pm

Re: No Peeking/Voting Security

Post by Beathan »

Jon --

Well -- I haven't organized the meeting. I have not seen Claude around.

Beathan

Let's keep things simple enough to be fair, substantive enough to be effective, and insightful enough to be good.
User avatar
Patroklus Murakami
Forum Wizard
Forum Wizard
Posts: 1929
Joined: Fri Jun 02, 2006 5:54 pm

Re: No Peeking/Voting Security

Post by Patroklus Murakami »

I think that the best way forward on this would be to handle it in the same way I've suggested we look at RA procedures i.e. by establishing a committee (Beathan, Jon, ThePrincess and others) to look at the issue and come back to the RA with a proposal. It would be the best way of establishing a consensus that the majority of the RA could support. As has been pointed out, there's no great rush here. If we get this resolved by the end of March we have ample time to enact any changes before the next set of elections. It would also allow us to focus on other matters in the RA sessions themselves. What do others think?

Honi soit qui mal y pense
cleopatraxigalia
Forum Wizard
Forum Wizard
Posts: 1340
Joined: Sat Nov 17, 2007 2:42 pm
Contact:

Re: No Peeking/Voting Security

Post by cleopatraxigalia »

That works for me.

Cleo
Post Reply

Return to “Legislative Discussion”