• Secret Ballots: How Secret

    From Sam Hartman@21:1/5 to All on Sun Feb 13 18:00:01 2022
    TL;DR: I'm proposing that the way we handle DPL elections today is a
    good start for what secret means.



    Holger asked what I meant by secret.
    He asked that in a thread discussing stuff related to the project
    secretary, and I didn't think an answer belonged there.
    So I'm starting a separate thread.

    As a reminder, this all comes out of GR 2021_002, where we had a fairly controversial statement with many ballot options.
    Several people raised the concern that they felt uncomfortable voting if
    their ballot choices were going to be up on the Internet for everyone to
    see.

    People were much more concerned about that than worried that the
    secretary might disclose their vote.

    I think the way we handle DPL elections is a good compromise between
    secrecy and accountability. (At least assuming that we do not retain
    the actual votes long term.)


    * The ballots are public, but the mapping from voters to ballot is not.

    * Voters get a hash sufficient to prove that their ballot is included in
    the totals.

    * The list of voters is public.

    Anyone can verify that the ballots correspond to the totals.
    Anyone can verify that their ballot was included in the totals.

    An attacker can mount a number of attacks on this system

    - They can include an extra vote. They need to add someone who would be
    a valid voter. They run the risk that person notices they were
    included even though they did not vote.

    - They can change a vote. They run the risk that voter will attempt to
    verify their vote and discover it is counted incorrectly.

    Assuming the secretary is well trusted, I think those attacks are
    acceptable residual risk from a security standpoint.

If it were up to me, that's where I'd leave things. I might double
check that we had a data retention policy, and that, given the way we
present hashes to people, a voter can verify the hash includes their
voter identity.
    But for my level of paranoia, I think the way we handle DPL elections is
    fairly good.

    Pierre-Elliott, who is another one of the drivers for the secret ballot
    work was interested in exploring other options, involving better
    cryptographic proof.
    The plan was to go put together a DEP on anonymous secret voting.

    I don't want to wait for that DEP, and I don't know how the discussions
    will conclude.

    I also don't think those details belong in the constitution.

    So, effectively, the proposal:

    1) Removes the claim that what people vote for becomes public after the election

    2) Leaves the specific voting mechanism up to the secretary (removing
    the strict requirement it happen via email)

3) Provides a way for the project to override the secretary if they
disagree with the voting mechanism

    I proposed specific text for points 1-2 above back when this thread
    started.
    I proposed text for point 3 a couple weeks ago.

    My plan is to go refine the specific proposals based on comments on the
    list and publish things in the form of a diff to the constitution later
    today.

If this proposal passes, Pierre-Elliott and others interested in more
advanced secret voting schemes can work on that. If they convince the
secretary, we can use those proposals. Kurt in particular has always
sought input from the project, and I think would be good at judging
consensus in a situation like that. I'd imagine any secretary who
replaces Kurt would seek consensus on a big policy like that. And if
somehow the project disagrees, we'd have recourse.


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Holger Levsen@21:1/5 to Sam Hartman on Sun Feb 13 19:00:02 2022
On Sun, Feb 13, 2022 at 09:50:17AM -0700, Sam Hartman wrote:
> Holger asked what I meant by secret.
> So I'm starting a separate thread.

I'm very fine with this, thank you.

> He asked that in a thread discussing stuff related to the project
> secretary, and I didn't think an answer belonged there.

However that thread has 'secret ballots' in its subject, so
I still find it very relevant to the topic discussed there, so
I'm slightly put off at being described as asking off-topic stuff.

    (will reply to the rest of your mail later.)


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    This is the year of gpg on the desktop! (Gunnar Wolf)

  • From Holger Levsen@21:1/5 to Holger Levsen on Sun Feb 13 19:00:02 2022
On Sun, Feb 13, 2022 at 05:54:45PM +0000, Holger Levsen wrote:
> However that thread has 'secret ballots' in its subject, so
> I still find it very relevant to the topic discussed there, so
> I'm slightly put off at being described as asking off-topic stuff.

    actually, not only in the subject, that very mail starts with
    "Now that we have concluded deciding our GR procedure, I'd like to come
    back to the question of secret ballots that we decided to defer from the
    last round" so I'm *puzzled*, to say the least, being characterized
    as derailing the thread.

    And furthermore & sadly this confirms my feeling that some want to push
    'secret ballots' into Debian...


    --
    cheers,
    Holger

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
    ⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
    ⠈⠳⣄

    I’ve read “Non-Functional Testicles” as retronym for NFT last week and now
    it can’t be unseen.

  • From Sam Hartman@21:1/5 to All on Sun Feb 13 19:40:02 2022
    "Holger" == Holger Levsen <holger@layer-acht.org> writes:

    >> He asked that in a thread discussing stuff related to the project
    >> secretary, and I didn't think an answer belonged there.

Holger> However that thread has 'secret ballots' in its subject, so
    Holger> I still find it very relevant to the topic discussed there,

    Clearly, we would not organize the discussion the same way.
    It sounds like you heard me to say that I thought your message was
    off-topic in that thread.
    I'd ask you to hear me differently.
    I thought my answer would have been off-topic, and as the one answering,
    I got to choose where to put it.

    I focused on my needs and desires in the message I wrote today, and I
    regret that you read commentary about judgment of your actions that was
    not present in what I wrote.
    Yes, I would have been happier if you had gone back and replied to the
    earlier secret ballot thread rather than bringing up this issue in the
    thread I started specific to the question about the secretary.
But I didn't think you did anything wrong. I thought you viewed things
differently than I did.
And as the one answering, I tried to find a solution that we'd both be
comfortable with.

    --Sam

  • From Russ Allbery@21:1/5 to Holger Levsen on Mon Feb 14 04:00:01 2022
Holger Levsen <holger@layer-acht.org> writes:

> And furthermore & sadly this confirms my feeling that some want to push
> 'secret ballots' into Debian...

I'm not sure that I understand what you mean by this, I think. We're
openly having a preliminary discussion of a GR to add secret ballots to
Debian, so yes, clearly some people want to have secret ballots in
Debian. That's the point of these discussions. I think this is stating
dissatisfaction with how Sam phrased his reply, but regardless, the goal
is still to have an open discussion of all aspects of this.

    I think you're opposed to secret ballots in Debian, but I'm not sure why,
    or how you view the pluses and minuses. I think you mentioned previously
    that you're worried that it would create an appearance of a cabal, but I'm
    not sure where that fear comes from. Is it just not knowing who voted
    which way, or is it verification that secret ballots actually came from
    Debian Developers and only one per DD, or...? Maybe it would be useful
    for you to explain more about why you object, if you do.

    For what it's worth, the reason why secret ballots are attractive to me is
    via a "first do no harm" principle. It's not unreasonable to fear
    retaliation for votes with political ramifications on today's Internet and
    in today's society, it's unlikely that Debian will be able to entirely
    avoid votes with political ramifications as much as we'd all love to steer
past those shoals via consensus alone, and it feels very wrong to me
that anyone should have to fear voting honestly. My default, when someone
says that something is a risk for them, is to believe them and try to
help reduce that risk.

That said, I am perhaps a bit less sanguine than Sam is about the efficacy
of the secret ballot verification process for DPL elections. (If I had to
guess how many voters verified their ballots, I would say around 5%,
possibly less. [*]) I'm a bit concerned that any scheme that doesn't
    build the cryptographic verification into the process and instead relies
    on people going out of their way to do verification is not going to be
    widely verified, and therefore it does create new risk if some future
    iteration of Debian has a less trustworthy secretary than we do today. To
    be clear, this is not a new risk; we're already living with this risk for
    DPL elections and maybe this should be within my risk tolerance. But it's
    not as clearly within my risk tolerance as it is within Sam's.

    [*] I do want to acknowledge, however, that having the *capability* for
    verification even if almost no one uses it routinely does provide real
    protection against shenanigans, since it means should anyone suspect
    shenanigans a bunch of people can go back and verify their votes even
    if they didn't initially, provided they retained the necessary
    information.

    --
    Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

  • From Sam Hartman@21:1/5 to All on Mon Feb 14 16:40:02 2022
    "Russ" == Russ Allbery <rra@debian.org> writes:
    Russ> [*] I do want to acknowledge, however, that having the
    Russ> *capability* for verification even if almost no one uses it
    Russ> routinely does provide real protection against shenanigans,
    Russ> since it means should anyone suspect shenanigans a bunch of
    Russ> people can go back and verify their votes even if they didn't
    Russ> initially, provided they retained the necessary information.

    Russ> -- Russ Allbery (rra@debian.org)
    Russ> <https://www.eyrie.org/~eagle/>

    That's why I'm comfortable with the DPL approach.
    I doubt people do verifications regularly, but I bet there would be a
    lot more verifications happening if the results were surprising or
    especially if someone claimed their verification had failed.

    --Sam

  • From Bill Allombert@21:1/5 to Sam Hartman on Thu Feb 17 23:50:02 2022
On Sun, Feb 13, 2022 at 09:50:17AM -0700, Sam Hartman wrote:

> TL;DR: I'm proposing that the way we handle DPL elections today is a
> good start for what secret means.

Alas it does not work since it does not provide plausible deniability.
Let me explain. For DD election, devotee publishes a voters list and
a tally sheet with hashes of secret codes.

DDs could be blackmailed to reveal their secret code, hence revealing
their vote. Even with them refusing to do so, they are not safe:
Let's say there are two options A and B.
If all the DDs who voted A>B reveal the secret code returned by devotee,
anybody can check they indeed voted for A, and by doing a subtraction
conclude that all the others voted for B, thus breaking the anonymity of
the vote even for those that kept their vote secret.

So it does not prevent DDs that voted B>A from being harassed later for
their choice.

    Cheers,
    --
    Bill. <ballombe@debian.org>

    Imagine a large red swirl here.

  • From Sam Hartman@21:1/5 to All on Fri Feb 18 00:20:02 2022
    "Bill" == Bill Allombert <ballombe@debian.org> writes:


    You are absolutely right.
    And in fact Don proposes to embody a requirement in the constitution
    that would prevent plausible deniability in favor of allowing voters to
    confirm their votes were counted.

    And yet, we've been living with this trade off for DPL elections for the
    entire lifetime of the project.

    So, that's absolutely a weakness.


Would you prefer that we not mandate that voters be able to verify their
votes were counted so that we could have plausible deniability?

    Are there aspects of DPL elections that make this less of an issue for
    DPL elections than other issues?

    --Sam

  • From Felix Lechner@21:1/5 to ballombe@debian.org on Fri Feb 18 02:10:01 2022
    Hi

On Thu, Feb 17, 2022 at 2:45 PM Bill Allombert <ballombe@debian.org> wrote:

> If all the DDs who voted A>B reveal the secret code returned by devotee,
> anybody can check they indeed voted for A, and by doing a subtraction
> conclude that all the others voted for B, thus breaking the anonymity of
> the vote even for those that kept their vote secret.

    Couldn't any voter for B claim that they did not vote, as long as the
    turnout was less than one hundred Percent?

    Kind regards
    Felix Lechner

  • From Timo =?utf-8?Q?R=C3=B6hling?=@21:1/5 to All on Fri Feb 18 01:20:01 2022
    Hi Sam,

* Sam Hartman <hartmans@debian.org> [2022-02-17 16:14]:
> Would you prefer that we not mandate that voters be able to verify their
> votes were counted so that we could have plausible deniability?
>
> Are there aspects of DPL elections that make this less of an issue for
> DPL elections than other issues?

    The way I see it, we have two goals to define:

    1. Level of secrecy. Is it enough if Non-DDs cannot look up my
    vote on the Internet, or should my vote remain so secret that I
    can't even prove to someone else that I voted at all?

    2. Ease of verification. Should it be possible to audit the results
    with some basic counting abilities (and maybe access to the
    Wikipedia page on the Schulze method), or is it acceptable if the
    verification is so involved that it cannot be done without software
    assistance and/or extensive expertise?


    Cheers
    Timo


    --
    ⢀⣴⠾⠻⢶⣦⠀ ╭────────────────────────────────────────────────────╮
    ⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling │
    ⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
    ⠈⠳⣄⠀⠀⠀⠀ ╰────────────────────────────────────────────────────╯

  • From Russ Allbery@21:1/5 to Felix Lechner on Fri Feb 18 03:00:01 2022
Felix Lechner <felix.lechner@lease-up.com> writes:
> On Thu, Feb 17, 2022 at 2:45 PM Bill Allombert <ballombe@debian.org> wrote:

>> If all the DDs who voted A>B reveal the secret code returned by devotee,
>> anybody can check they indeed voted for A, and by doing a subtraction
>> conclude that all the others voted for B, thus breaking the anonymity of
>> the vote even for those that kept their vote secret.

> Couldn't any voter for B claim that they did not vote, as long as the
> turnout was less than one hundred percent?

    In the current DPL election anonymity approach, the list of voters is
    still published, just detached from their votes. See, for example:

    https://www.debian.org/vote/2021/vote_001_voters.txt

    --
    Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

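The scheme Sam laid out at the top of the thread (public ballots, a public voter list, a private voter-to-ballot mapping, and a per-voter hash), Bill's subtraction attack, and Russ's point that the voter list is published detached from the ballots can all be modelled in a few dozen lines. The following is an added example, not devotee's code or anything the Debian secretary runs: the hash construction, the secret-code format, the class and function names and the five-voter sample election are all assumptions made for illustration.

```python
import hashlib
import secrets
from collections import Counter


def commitment(code: str, voter: str, ballot: str) -> str:
    """Hash that binds a voter's secret code, identity and ballot together.
    The exact construction is an assumption for this example, not devotee's."""
    return hashlib.sha256(f"{code}|{voter}|{ballot}".encode()).hexdigest()


class Secretary:
    """Holds the private voter -> (code, ballot) mapping and publishes only the
    two detached views: the voter list and the (hash, ballot) tally sheet."""

    def __init__(self) -> None:
        self._votes: dict[str, tuple[str, str]] = {}

    def cast(self, voter: str, ballot: str) -> str:
        code = secrets.token_hex(16)  # handed back privately to the voter
        self._votes[voter] = (code, ballot)
        return code

    def publish(self) -> tuple[list[str], list[tuple[str, str]]]:
        voters = sorted(self._votes)  # who voted is public
        sheet = sorted((commitment(c, v, b), b) for v, (c, b) in self._votes.items())
        return voters, sheet  # rows sorted by hash, so row order reveals nothing


def tally(sheet: list[tuple[str, str]]) -> Counter:
    """Anyone can recount the published sheet; no secret is needed."""
    return Counter(ballot for _, ballot in sheet)


def verify_included(sheet, voter: str, code: str, ballot: str) -> bool:
    """A voter's own check: is my (hash, ballot) row on the sheet as I cast it?"""
    return (commitment(code, voter, ballot), ballot) in sheet


def subtraction_attack(voters, sheet, revealed):
    """Bill's attack. `revealed` maps voter -> (code, ballot) for everyone who
    published (or was coerced into giving up) their code. Striking their rows
    leaves the ballots that must belong to the voters who stayed silent, and
    the public voter list says exactly who those voters are, so 'I did not
    vote' is not available to them."""
    rows = list(sheet)
    for voter, (code, ballot) in revealed.items():
        row = (commitment(code, voter, ballot), ballot)
        if row not in rows:
            raise ValueError(f"{voter}'s revealed code does not match the sheet")
        rows.remove(row)
    silent = [v for v in voters if v not in revealed]
    return silent, Counter(ballot for _, ballot in rows)


def demo():
    """Constructed five-voter election on two options, A and B."""
    sec = Secretary()
    cast = [("alice", "A>B"), ("bob", "A>B"), ("carol", "B>A"),
            ("dave", "B>A"), ("erin", "A>B")]
    codes = {voter: sec.cast(voter, ballot) for voter, ballot in cast}
    voters, sheet = sec.publish()

    # Public recount and a voter's private inclusion check both succeed.
    counted = tally(sheet)
    carol_ok = verify_included(sheet, "carol", codes["carol"], "B>A")

    # Sam's second attack: a secretary who flips carol's row is caught by her check.
    carol_hash = commitment(codes["carol"], "carol", "B>A")
    tampered = [(h, "A>B") if h == carol_hash else (h, b) for h, b in sheet]
    carol_detects = not verify_included(tampered, "carol", codes["carol"], "B>A")

    # Bill's attack: every A>B voter reveals; carol and dave are exposed by subtraction.
    revealed = {v: (codes[v], "A>B") for v in ("alice", "bob", "erin")}
    silent, leftover = subtraction_attack(voters, sheet, revealed)
    return counted, carol_ok, carol_detects, silent, leftover
```

The model keeps both properties Sam wants (anyone can recount; a voter can detect a flipped ballot) and reproduces Bill's objection in one call: once the A>B voters have published their codes, the leftover rows are all B>A and the leftover names on the voter list are carol and dave. Felix's suggested escape, claiming not to have voted, fails for the reason Russ gives: the voter list is the public input to the attack.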
  • From Bill Allombert@21:1/5 to Sam Hartman on Sat Feb 19 19:30:02 2022
On Thu, Feb 17, 2022 at 04:14:34PM -0700, Sam Hartman wrote:
> "Bill" == Bill Allombert <ballombe@debian.org> writes:
>
>
> You are absolutely right.
> And in fact Don proposes to embody a requirement in the constitution
> that would prevent plausible deniability in favor of allowing voters to
> confirm their votes were counted.
>
> And yet, we've been living with this trade off for DPL elections for the
> entire lifetime of the project.
>
> So, that's absolutely a weakness.
>
> Would you prefer that we not mandate that voters be able to verify their
> votes were counted so that we could have plausible deniability?

For the record, I am not actually in favor of holding secret votes, even
though I fully agree with the developers who felt that voting might
open them to abuse, because the issues raised by GR 2021_002 are much
more serious than the secret vote issue, viz, that the Debian project is
not the collection of opinions of its members since the members only
agreed to fulfill the social contract when acting on behalf of Debian
and not in general, and that their opinions outside of this are a private
matter that must not be probed, and that even the aggregate result of
the vote is already leaking information that the Debian project has no
purpose to gather and publish.

I feel that holding secret votes for all GRs would be detrimental without
addressing the real issue.

> Are there aspects of DPL elections that make this less of an issue for
> DPL elections than other issues?

Yes. The DPL choice is always going to be subjective and not implying
any particular opinion. The vote is kept secret as a courtesy to the
candidates. This is different for GRs.

    Cheers,
    --
    Bill. <ballombe@debian.org>

    Imagine a large red swirl here.
