Secure voting principle, picture show ...

The following is meant to give you a good understanding of the basic principles used. Please humor yourself and play the game at home; it actually works and might be fun. I hope that at the end you'll say "but I knew that!".

What you need is 1 deck of playing cards, 2 plates (optional) and a few voters, perhaps with pen and paper ready.

Choose an issue to vote on, for instance whether you like tea better than coffee or not, something with 2 options. Give both options a different color, for instance if you like tea better, that's red (hearts and diamonds), and if not, that's black (clubs and spades).

Here it goes ...!


Get some cards, remove wildcards.
Divide into a red stack (hearts and diamonds) and black stack (clubs and spades) ...
Shuffle the stacks independently ...
Five voters here...
Give everyone a card of the first stack.
Give everyone a card of the second stack.
Look into your own cards, but let nobody see them.
Remember your cards. From your head, or write them down...
Get a plate which will serve as the place where voters will put the card of their choice.
Now everyone puts their color of choice in the voting basket. If you like tea better, put in the hearts or diamonds you received. If you like coffee better, put in the clubs or spades you received.
Now we get a waste-basket, since we're all left with one card we don't need anymore.
We put our red card in the waste basket.
Now shuffle the stacks again.
Display the votes.
Count the votes, add them up yourself. That seems to be 4 black votes, and 1 red vote. Coffee wins 4:1.
Display leftovers for completeness.
Check your vote.
Check the number of votes against the number of voters.
That's it.

Manipulations:

Someone's vote is missing.
Someone seems to have added a lot of voters, altering the result.
Someone's vote has been manipulated.

Remarks

So, how does this help?

*) It helps expose manipulations of individual votes. The attacked voter can see it, knows it, can complain about it and demand a revote; or, depending on the scheme used, can prove his/her vote was altered using the optional per-vote password, and get it changed (optional, to be decided on a per-voter basis in the current sede implementation).

*) It helps expose the addition of false votes. Depending on the scheme used, either there are too many voters (though marginal additions might go unnoticed), or there must actually be false names in the "voted voters" list; the latter only works if voters register with some identification to be published in a separate list, which is optional.

*) It helps expose votes that were not counted. The attacked voter can see it.

*) It helps expose a manipulative add-up of the votes, even if all votes are correctly published. All voters and non-voters can see this, and add up themselves, even using the same software (sede), downloaded for free.

Compared to traditional voting, the problems have moved from the area of results manipulation to protecting the anonymity of the votes. Traditional voting has basically no protection on results (recent computer voting takes this to new extremes), but is very strong on anonymity. However, Sede is not a public-vote system at all, like standing on the city square and raising your hands. It is perfectly possible to register voters in an anonymous way, and even to keep the "card shuffler" (vote administration) from knowing who voted what.

Just organize a traditional paper-ballot vote, but instead of voting for a person or on an issue, the voters hand in a voter registration form containing the way they wish to be contacted and optional encryption keys for such communications (any password+file encryption tools can be used). If for instance a voter creates a secret e-mail address, and gives a password for encryption, then the vote administration doesn't know who this voter is while communicating with him/her, and the vote will get over the I'net relatively safely. The program does not have its own encryption tools, but interfaces with other encryption tools (as long as they can be used from the command line). If that voter has a complaint or problem, he/she can contact the vote administration through paper mail, identifying him/herself using a registration password. This might also be useful if a communication channel is cracked. Snail mail might be sent to the vote administration containing a registration password which is never in any form accessible from the I'net, and a new registration form.

SEDE provides all the above functionality, in a feature-rich, open source and gratis way, following the rules (I hope) for GNU/Unix programming.

Sede

Obviously SEDE won't give you 2 playing cards to choose from. SEDE works with data in the form of text (whether voters use a button front end or not, Sede processes data in the form of human readable text).

Here is the same analogy, but closer to the operation of the program:


"Shuffle cards". Create random vote codes and make blank ballots.
Write your vote in the vote area, you can in fact vote anything you want.
... and place your personal remarks that belong to your vote.
Results.

Sede reality

The above pictures were an analogy, here is how it really works.
This is an example of a ballot:

                 Tea-coffee question:

A) I like tea better then coffee.
B) I like coffee better then tea.

Vote Tea-coffee: ... 
votercode #GmhsQrR1hrVf#
Comments: ... 
vote-end

The role of the "playing card" as an identification for any particular vote has been taken over by a "vote code" or "vote key", in this case: "GmhsQrR1hrVf". It is just your identification tag for your vote, and can be configured to be any length. It is as if you had been given the ace of clubs (C1) and the 2 of hearts (H2), which might make a "vote code" of "C1H2" in numbers/letters. The above voter received "the playing card" "GmhsQrR1hrVf", which is not an encryption key of any kind, just a means to identify and find your vote without having to use your name or things like that.
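The "shuffle cards, make blank ballots" step, as an added example (not Sede's own code): it draws vote codes uniformly from the operating system's random source and rejects any code that matches an earlier one when case is ignored. The 62-character alphabet and length 12 are assumptions taken from the sample code shown above.

```python
import os
import string

# Assumption: codes use letters and digits, like the sample "GmhsQrR1hrVf".
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits

# The blank ballot from this page, with a slot for the vote code.
BALLOT = """\
                 Tea-coffee question:

A) I like tea better then coffee.
B) I like coffee better then tea.

Vote Tea-coffee: ...
votercode #{code}#
Comments: ...
vote-end
"""

def random_code(length=12, rand=os.urandom):
    """Draw `length` symbols uniformly from ALPHABET using OS randomness."""
    # 256 is not a multiple of 62, so bytes >= 248 are discarded; mapping
    # them with % would make the first 8 symbols slightly more likely.
    limit = 256 - 256 % len(ALPHABET)
    out = []
    while len(out) < length:
        for b in rand(length):
            if b < limit and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
    return "".join(out)

def make_ballots(voters, length=12, rand=os.urandom):
    """One blank ballot per voter; codes stay unique even when case is ignored."""
    seen, ballots = set(), []
    while len(ballots) < voters:
        code = random_code(length, rand)
        if code.lower() in seen:   # e.g. "abC" after "ABc": draw again
            continue
        seen.add(code.lower())
        ballots.append(BALLOT.format(code=code))
    return ballots

if __name__ == "__main__":
    print(make_ballots(5)[0])
```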


Giving a vote:

                 Tea-coffee question:

A) I like tea better then coffee.
B) I like coffee better then tea.

Vote Tea-coffee: ... A
votercode #GmhsQrR1hrVf#
Comments: ... 
vote-end

The role of the "vote red card" or "vote black card" has been taken on by the space between "Vote Tea-coffee:" and "votercode #", the dots. On those dots, you can place your vote. Using dots is just an example, you can configure these elements to your needs, using any language and/or characters you like. The vote can also be anything the voter likes, hence the voter has total freedom to vote whatever he/she wishes to vote, even if the vote administration has not given the option the voter wants to vote.

Example:


Giving a vote:

                 What is your favorite drink:

A) Tea
B) Coffee
C) Sweet drinks
D) Milk
E) Juice

Vote Tea-coffee: ...Water
votercode #GmhsQrR1hrVf#
Comments: ... Why can't I choose water ?!
vote-end

Well, you can! And it will be counted too (see below).

Giving a comment:

                 Tea-coffee question:

A) I like tea better then coffee.
B) I like coffee better then tea.

Vote Tea-coffee: ... A
votercode #GmhsQrR1hrVf#
Comments: ..but coffee is nice too. 
vote-end


The results:

Vote Tea-coffee: A...votercode #GmhsQrR1hrVf#Comments: ...can't stand coffee  endofvote
Vote Tea-coffee: ...Avotercode #Q08QP1pgSrUb#Comments: ... but coffee is nice too endofvote
Vote Tea-coffee: ..B.votercode #8e6ipxLuCQw5#Comments: ...  endofvote
Vote Tea-coffee: ..Bvotercode #dAJgAkde131A#Comments: ... without coffee I'm dead endofvote
Vote Tea-coffee: .B..votercode #yiXkjRu6kmzU#Comments: ... COFFEEEE! endofvote
----- +
 votes: 5

The add-up:

3 B
2 A
----- +
5
At this point, there is only a text interface for voting. But even if a graphical front-end were created, it would still operate behind the scenes in text mode, obviously. If you would like to donate a working graphical interface, you are more than welcome.

Getting voters registered

This is a very important matter, and will decide what kind of vote/referendum you are running. In the above examples, the issue was ignored, but there are basically 2 ways to do this, anonymous and non-anonymous. The process of how to register them is out of range for this program (not its "area of expertise"). Sede only cares that voters are fed to it, although it even runs without registered voters so it is probably the Sede user that would want to register voters some way or the other.

Anonymous voter registration (example):


Anonymous voter registration, using a traditional paper vote. Only routing information is needed, how to get the ballot to and from the voter.
Get forms. The "phrases" you see in blue are examples of registration passwords. These registration forms are perhaps a little simplified, voters might also want to give encryption parameters, like what encryption program and encryption key, perhaps even their preferences in terms of what kind of questions they want to be contacted about (Sede features voter variable ballots).
Keep them safe, obviously.
Ballots can be transmitted through these email addresses, encrypted or in plain text (very configurable).

Note that for the traditional paper vote - to harvest the ballot routing channels -, a name may be asked to register for that initiating process. This does not affect the anonymity later using Sede, because of the scrambling process going on during the paper vote (traditional paper voting is very strong on anonymity, and very weak on results validity).

The other method gives the vote administration the insight in who owns which routing channel. That is a drawback for voters in terms of anonymity, however in return a separate alphabetic list of voting voters can be created (optional). That way, voters can check that there are no false voters voting, without being able to tie any voter to any particular vote (unless there is only one vote). They can also see if voters who said they had voted, are in fact absent from the vote. Voting voters can even be contacted, and asked whether they agree with the presented results. With such a list in the end results, it becomes much harder to manipulate the outcome, but anonymity pays that price (the vote administration can know very easily who voted what).


Register routing channel and name.
Keep them safe.
Results with voting voters list.

Free Vote

With free voting, you have much more power than just the ability to vote A or B if those are the only given options, you can vote C if you want, you can vote sunny weather if you want to. That may sound strange, but is very useful and gives you a lot of power as a voter. Any text works (if it is not too long, configurable parameters on size can be set), so you can vote "cola" or "milk", or "water", or "orange juice" if you like. This takes an important power away from the vote administration: the power to precook answers, and to exclude options. You decide your vote, and it will be tallied with all exactly similar votes. That does not mean the vote administration can not or should not give options to choose from, it merely means voters can step outside of these bounds.

Still, SEDE can tally different votes together when asked to. That way, votes like "B" and "coffee" can be tallied together, for instance. Both the raw tally of unique votes, and the compacted tally of different votes are published for inspection. So, a vote administration may decide on options A/B/C and D, and make a nice looking result out of it, such that votes like "tree" are excluded, or fall in a category "error" or something like that. Even then, a unique tally will still be made, tallying all votes "tree". If the vote administration decides to remove that result page, there are still the raw votes; with this package it should be easy to generate results yourself (as a voter).
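The voter-side checks from "Remarks" and the raw and compacted tallies described here, as an added example (not Sede's own code) run over the five result lines published above. The line pattern, the alias table and the function names are assumptions made for this sketch.

```python
import re
from collections import Counter

# Constructed sample: the five published result lines from this page.
PUBLISHED = """\
Vote Tea-coffee: A...votercode #GmhsQrR1hrVf#Comments: ...can't stand coffee  endofvote
Vote Tea-coffee: ...Avotercode #Q08QP1pgSrUb#Comments: ... but coffee is nice too endofvote
Vote Tea-coffee: ..B.votercode #8e6ipxLuCQw5#Comments: ...  endofvote
Vote Tea-coffee: ..Bvotercode #dAJgAkde131A#Comments: ... without coffee I'm dead endofvote
Vote Tea-coffee: .B..votercode #yiXkjRu6kmzU#Comments: ... COFFEEEE! endofvote
"""

# Assumed pattern for one published line: vote area, vote code, comment.
LINE = re.compile(r"^Vote Tea-coffee: (?P<vote>.*?)votercode #(?P<code>[^#]+)#"
                  r"Comments: .*endofvote$")

def parse(text):
    """Return {vote_code: vote}; reject malformed lines and reused codes."""
    votes = {}
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE.match(line.strip())
        if not m:
            raise ValueError(f"line {n}: not a vote record")
        code, vote = m["code"], m["vote"].strip(". ")  # drop the filler dots
        if code in votes:
            raise ValueError(f"line {n}: vote code {code} published twice")
        votes[code] = vote
    return votes

def tally(votes, aliases=None):
    """Raw tally of identical votes; with aliases, the compacted tally."""
    aliases = aliases or {}
    return Counter(aliases.get(v.lower(), v) for v in votes.values())

def audit(votes, my_code, my_vote, voters, claimed):
    """The checks a single voter can run on the published list."""
    problems = []
    if my_code not in votes:
        problems.append("my vote is missing")
    elif votes[my_code] != my_vote:
        problems.append(f"my vote was changed to {votes[my_code]!r}")
    if len(votes) > voters:
        problems.append(f"{len(votes)} votes for {voters} voters")
    if tally(votes) != Counter(claimed):
        problems.append("published add-up does not match the votes")
    return problems

if __name__ == "__main__":
    v = parse(PUBLISHED)
    print(tally(v), tally(v, {"a": "tea", "b": "coffee"}))
    print(audit(v, "GmhsQrR1hrVf", "A", 5, {"B": 3, "A": 2}))
```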

Free Comment

And you have the power to place a comment with your vote, which is absent in the card game (as it is in all other voting techniques I know anyway). You can use that space for anything you like, though the entire "vote area" may be configured to be of a fixed total length (which should be communicated to voters, so they know their limits in terms of comment space). This is important for you as a voter, because now the vote administration can not ignore certain issues, because voters can raise them in their comments. Voters can communicate with other voters directly. It also gives voters the chance to put into their comment a short identifier agreed upon by more voters, and thus have a vote within a vote, perhaps a form of protest. This would be a simple "parasitic vote", but it is also possible to organize a complete Sede vote from within the comment space, which would be added by voters themselves, using the published votes as raw material. The comment space is also a security feature, making votes different in ways that can not be predicted, hampering attempts to give predictable voters the same vote-code. Other than that, the comment space can be used to say why you voted what you voted, or whatever, it is completely up to the voter (though configurable for a maximum length, for everybody the same maximum length).

More

The "vote area" (Vote Tea...) above is configurable in terms of the position of certain fields, and the content that identifies them. You just define grep -E patterns to match your choice, so any language works (within the limits of the characters used). The vote-code or vote-key has an unlimited variable length, and can be generated using /dev/random or /dev/urandom, or be read from "flag files" (every ballot has an accompanying human readable flags file). Passwords are a second set of "vote codes" generated for each vote, but they are not published. Passwords (vote passwords) are optional, they don't need to be sent to voters at all. Ballots can be encrypted. Ballots can be programmed: files can be included; the ballot is created using a configurable amount of passes over it while expanding variables, including the possibility for a general pre-expansion cycle; if-then programming structure over voter registration data is present; also shell-command expansion and a whole lot more. Some 20 different variables, ranging from environment-variables expansion to randomizing the options for a vote per ballot; all in long and short versions. There are too many features to just list them here, I can't even remember them all. There are some 60 commands (some of which are backends to others). Ballots can be programmed in attachments, there's an unlimited number of polls per ballot, unlimited number of voters, unlimited amount of voter registration space per voter. Results can be generated to include small files only listing the votes of one voter, accessible through his/her vote-code, in which case upper-lower-case matches between vote-codes can be excluded from being present etc. Separate voted-voter lists can be published too (optional). You can store and retrieve polls from archives. See the package, this page is not meant to be exhaustive, merely to give a basic outline of the principles used.

The interface for voters is text based, currently (encrypted) e-mail is best supported. The electronic ballots might also be communicated through SMS (if you have the technology to send files back and forth over such a network). Because ballots can be generated differently for voters, ballots for SMS can look completely different from for instance e-mail ballots, yet still all can be created in one go from the same sources (your programmed ballot template).

Not unimportant: you can debug ballots in a step-wise manner (in 4 different modes), inspecting exactly what is happening when ballots are being generated. Error messages during ballot generation include the exact location where the error occurred, and you can then jump exactly to (or near) the problem area and watch what happens in real time. This type of user support also exists for encrypting attachments. That doesn't necessarily make writing complex ballots easy, but at least you can debug effectively.

A potential downside is, that it is perhaps not easy to use its full potential (?), but there are a lot of help commands, and if you start from one of the template-polls it can also be kept very simple. On the upside, only the vote administration has to understand some parts of the program. You can run a basic vote with very limited knowledge. I cannot estimate very well how difficult the program is for others, but there is a lot of documentation, off and online.

Sede consists of access to many different (modular) commands through a common shell-wrapper interface: sede COMMAND. But sede can also run in interactive mode and behave more or less like a shell, in which case the $PATH shell commands are still available. Sede commands can be added to the shell as if they were normal programs through a command (. sede set.path), and sede commands can be piped to sede (echo COMMANDS | sede), and they can be read from a script by sede. Did I forget anything? ;-). Sede uses a ~/.sederc file for user configuration, with comments explaining each option. SEDE is mostly written in the Zshell (going to be rewritten in C, Sep 2006), but important aspects are written in plain C. SEDE accesses shell tools through configurable variables (/etc/sede), so even if your system has a tool that isn't compatible (things like sed, grep, ed, ls etc), you may point these variables to the working implementation of that tool. SEDE code uses long variable names, long argument names etc, to try to make the code maintainable and easy to update. I've tried to write in as clear a way as possible, thinking about others when writing it. SEDE tries to make it easy to communicate with other tools, and keeps its records in comma delimited lists "in house". SEDE does not use any weird or unusual programs (unless you'd call mutt weird, though you can program your own mail script using hooks available).

Sede is exclusively published under the GNU GPL License.