With our switch to anonymous voting, there are several issues that need to be addressed. I'll try to list solutions to address some of the possible problems. I would like to use this forum to get people to scrutinize them for possible loopholes and make suggestions.
First, the flaws of an anonymous online voting system:
* No way to verify if vote and database have been tampered with.
* Simply recording votes and having another database record the number of voters provides no security. A cracker or corrupt admin can simply insert an illegitimate vote and edit each database to make sure they match.
* <add other issues and concerns>
The proposed solutions. Some of these have already been tested before and won't take much to implement:
* Before the start of the vote, the source code to be used is released on a public forum. (This is done every time a vote is held, even if no changes to the code have been made.)
* Each voter is provided a confirmation page with a unique random confirmation code after voting. This is recorded in a database table that holds the vote results. Voters are encouraged to record the confirmation code. A long hash certificate key is also generated but not displayed. The long hex hash key would be used to verify that it is a valid certificate in the event of a challenge (see the verification process later). The hash key is stored in the voting results database, and the algorithm takes into account the confirmation code and the vote. If an admin simply changes the vote, the hash key becomes invalid.
* The 2nd table in the database records the person who voted. No time and date of voting, for anonymity.
* Immediately after the voting period ends, the code used for the voting is released again to verify that nothing has changed.
* A list of votes with the confirmation code for each is displayed for everyone to review. Everyone can verify that their confirmation code matches their vote.
* Another list simply lists those who voted. I would suggest the use of an alias, so maybe the forum name? The list does not have to be anonymous. It simply lists those who voted, and I don't see a serious privacy concern about whether you voted or not. Those who did not vote simply abstained, and there's nothing wrong with that. But publishing the list of those who voted goes a long way in preventing fraud (see next bullet point).
* Both lists have total counts, and they are matched to see that the number of votes and the number of voters match. If the vote is for a group of positions (e.g. President, Vice President, etc.) rather than a simple single vote like yes or no,
then the vote results are tallied by group/set and not simply by counting the number of rows in the table, i.e. each set of votes by the same voter counts as one.
* Someone trying to stuff the ballot would have to use a legitimate user. They have to figure out a user they know for sure won't check and verify their vote. Otherwise the 2nd table/list would show a user voting twice, or a non-voter/abstainer would see their name as having voted when they know they did not vote. So we should strongly encourage everyone to verify their vote, or ask their friends to check their names even if they did not vote. I hope my explanation of how this works is coherent; if not, let me know and I'll try to expand.
* Now assume someone comes up and says his/her vote was registered incorrectly. There is no way to verify if he/she is telling the truth or just trying to sabotage the voting process. Or maybe he/she changed his/her mind after the fact and wants his/her vote changed. If the person challenges the result, then he/she has to provide the confirmation code. We can then retrieve the hash key from the database and verify that the vote is valid and has not been tampered with.
* What if they crack the key? It could be made sufficiently long that it can't be easily cracked in a short period of time, even by an admin who can access the various keys stored in the database. The voting period can be shortened also, and the result released immediately, with any challenge reported within a narrow window. The hash key algorithm needs to be neutral (i.e. not created by an individual). Maybe have the computer decide what range of algorithms to use before the vote begins and stick with it for that round of voting. Only the computer knows the algorithm for the hash key and will be able to verify it.
I would like to move that we implement the confirmation code and the list of voter aliases immediately for the next vote. Even if it might not be totally fraud-proof, it is still way better than simply keeping the vote results and the number of votes. If it takes longer to implement the hash key, then we'll just use it once it is ready. We can also make it an open source project (e.g. via GitHub) and allow everyone in the world to use it.
If there is a glaring error in logic here I apologize. Just blame it on early morning post before coffee. Not that I drink coffee. :)
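The scheme from this post (a confirmation code plus a keyed hash over code and vote, a separate alias-only voter table, tallying per voter rather than per row, and challenge verification from the confirmation code alone), together with the end-of-election sweep over all rows that is suggested later in the thread, as an added Python example that is not part of the original post. The post does not specify the hash algorithm; this example substitutes HMAC-SHA256 under a per-election secret generated before voting opens, and assumes that secret lives with the voting process rather than in the results table, because anyone who can read it can recompute a valid tag. The positions, electorate and tampering steps are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter, defaultdict

# Constructed example: positions being voted on. A plain yes/no vote is one position.
POSITIONS = ("President", "Vice President")


class Election:
    """Two tables, as in the proposal: result rows carry (code, position, choice, tag)
    and never the voter; the voter table carries only an alias, no timestamp."""

    def __init__(self, positions):
        self.positions = tuple(positions)
        # Per-election secret chosen before voting opens. Assumption: held by the
        # voting process only. Anyone who can read it can recompute valid tags, so it
        # must not be stored in the results table next to the tags.
        self._key = secrets.token_bytes(32)
        self.results = []   # "vote results" table
        self.voters = []    # "who voted" table (aliases only)

    def _tag(self, code, position, choice):
        # The proposal's "hash key": HMAC-SHA256 over confirmation code and vote.
        # Changing the code, the position or the choice changes the tag.
        msg = "\x00".join((code, position, choice)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def cast(self, alias, ballot):
        """Record one voter's full set of choices under a single confirmation code."""
        if alias in self.voters:
            raise ValueError(f"{alias} has already voted")
        if set(ballot) != set(self.positions):
            raise ValueError("ballot must cover every position exactly once")
        code = secrets.token_hex(8)  # 16 hex chars, shown on the confirmation page
        for position in self.positions:
            choice = ballot[position]
            self.results.append({"code": code, "position": position, "choice": choice,
                                 "tag": self._tag(code, position, choice)})
        self.voters.append(alias)
        return code

    def verify_row(self, row):
        expected = self._tag(row["code"], row["position"], row["choice"])
        return hmac.compare_digest(row["tag"], expected)

    def invalid_rows(self):
        """End-of-election sweep: rows whose tag no longer matches their contents."""
        return [r for r in self.results if not self.verify_row(r)]

    def challenge(self, code):
        """A voter disputing the published result presents only the confirmation code."""
        rows = [r for r in self.results if r["code"] == code]
        return bool(rows) and all(self.verify_row(r) for r in rows)

    def counts_match(self):
        # One set of votes per voter counts as one: compare distinct codes against
        # the voter table rather than raw row counts.
        return len({r["code"] for r in self.results}) == len(self.voters)

    def tally(self):
        counts = defaultdict(Counter)
        for r in self.results:
            counts[r["position"]][r["choice"]] += 1
        return {p: dict(c) for p, c in counts.items()}

    def public_lists(self):
        """What gets published: (code, position, choice) rows and the alias list."""
        votes = sorted((r["code"], r["position"], r["choice"]) for r in self.results)
        return votes, sorted(self.voters)


def run_scenarios():
    """Constructed scenario: an honest election, then two kinds of admin tampering."""
    e = Election(POSITIONS)
    codes = {
        "alice": e.cast("alice", {"President": "X", "Vice President": "Q"}),
        "bob": e.cast("bob", {"President": "Y", "Vice President": "Q"}),
        "carol": e.cast("carol", {"President": "X", "Vice President": "R"}),
    }
    honest = {"counts_match": e.counts_match(), "invalid": len(e.invalid_rows()),
              "alice_challenge": e.challenge(codes["alice"]),
              "bogus_code_challenge": e.challenge("0" * 16), "tally": e.tally()}

    # Tampering 1: an admin edits a stored vote directly in the results table.
    row = next(r for r in e.results
               if r["code"] == codes["bob"] and r["position"] == "President")
    row["choice"] = "X"
    after_edit = {"invalid": len(e.invalid_rows()), "bob_challenge": e.challenge(codes["bob"])}

    # Tampering 2: an admin inserts a fabricated set of votes without going through
    # cast(), so no valid tag can be produced and the alias table is not updated.
    fake_code = secrets.token_hex(8)
    for position, choice in (("President", "Y"), ("Vice President", "Q")):
        e.results.append({"code": fake_code, "position": position, "choice": choice,
                          "tag": "deadbeef"})
    after_insert = {"counts_match": e.counts_match(), "invalid": len(e.invalid_rows())}
    return honest, after_edit, after_insert


if __name__ == "__main__":
    for name, result in zip(("honest", "after_edit", "after_insert"), run_scenarios()):
        print(name, result)
```

The edited vote is caught by the sweep and by the voter's own challenge, while the fabricated rows are caught twice: their tags cannot verify without the secret, and the distinct-code count no longer matches the alias table. The one thing this does not protect against is whoever holds the election secret, which is why the example keeps it out of the database.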
First, the flaws of an anonymous online voting system:
Even with the old way, there was no way of knowing, should an admin wish to do that, as who voted for whom was never disclosed.
The code idea is one that one can easily lie with. You could alter it for 5 minutes, stuff ballots, and return to the original.
However, if the count of who voted and the number of votes don't match, then it is obvious something went wrong. Then again, why can't the admin just make multiple rows with bogus member numbers? The only way would be to hire a firm that makes sure no one has access to the server during that time except the PHP. Our finances cannot support that right now.
I like the confirmation code / hash idea; however, there is a problem. Say I were to vote with other members, how would one know that it was his vote I took? To make that happen, would it not undermine the anonymous voting process? If so, how about we simply make them hidden, but not anonymous, votes? Then it would work fine. If the code is long enough, it'd be harder for someone to guess someone else's code, so it could work to prevent some cases of fraud. If someone accidentally posts his vote code, then it's like accidentally posting your address in a picture's EXIF when you hack a site ;) (yeah, it happened.)
Yeah, I did not mean to imply the previous system is better. I simply ignored it as no longer on the table.
True. But once the hash algorithm has been established by the computer, altering the code would alter the hash, making it invalid. So as the voting starts, a key is established and perhaps publicized also? It might be getting past my knowledge of cryptography, but I believe that's doable.
I guess the admin would have to vote using the voting system rather than simply adding it to the database, because then the hash key would fail. So it becomes very important that we use encrypted passwords for our members, where no admin can go in and check what the password is. A member can reset the password themselves. So another extra protection against an admin changing the e-mail and then resetting the password during the voting would be that e-mail changes are restricted for the duration of the election.
Again, the only way you can vote as another member is if you know his/her password. If you manually insert the vote into the database or alter it, the hash key will be invalid. So perhaps I missed an extra step at the end, and that is to run a verification of all votes to make sure the vote, confirmation code and hash key are valid. If a vote fails the verification, you know something happened.
Thanks for your comments. Would be nice to have someone who works with cryptography to poke holes in what I've said.